[100561] in RedHat Linux List
Re: Hacked! :(
daemon@ATHENA.MIT.EDU (Sean Harding)
Sat Nov 21 21:16:13 1998
Date: Sat, 21 Nov 1998 18:20:03 -0800
From: Sean Harding <sharding@gutenberg.uoregon.edu>
Reply-To: Sean Harding <sharding@oregon.uoregon.edu>
To: redhat-list@redhat.com
In-Reply-To: <36576FB2.2F2@nook.net>
Resent-From: redhat-list@redhat.com
On Sat, 21 Nov 1998, Ramon Gandia wrote:
>
> > Not particularly. Any cracker who values his own time won't bother trying
> > to decrypt passwd entries. Time is better spent using a dictionary attack
> > program, such as Crack...
>
> Depends on how you set up your system. Normally, a telnet
> session will kick you off after 3 tries, and it is possible to
> add a delay in repeated attempts between the tree tries. If
> you do this, it could take *years* before someone could break
> in....
No, I'm talking about once he/she has the passwd file. If they have the
passwd file somehow, they *aren't* going to try to decrypt passwords.
They'll use something like Crack. How you setup your system (other than
being secure enough to keep them from getting passwd in the first place or
forcing users to have good passwords) has no bearing on how well this
tactic will work. Crack and the like don't make any connections to the
computer whose passwd file is being cracked; they don't know anything
about that remote machine.
> is *nuts* to give strangers/dialup users a shell account, unless
> it is on a "trash" computer.
Even if it is a trash computer, it's an extremely bad idea. You'll be
responsible for anything done from your net connection, so you'd better be
ready to make sure your users are doing the right thing.
sean
--
Sean Harding sharding@oregon.uoregon.edu|"art may imitate life
http://gladstone.uoregon.edu/~sharding/ | but life imitates t.v."
Consulting: http://www.efn.org/~seanh/ | --ani difranco
--
PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
http://www.redhat.com http://archive.redhat.com
To unsubscribe: mail redhat-list-request@redhat.com with
"unsubscribe" as the Subject.
