[1927] in RedHat Linux List


PPP Security (was How I get PPP to work) * A warning* !

daemon@ATHENA.MIT.EDU (Robert Hart)
Wed Oct 30 19:21:09 1996

Date: Thu, 31 Oct 1996 11:18:52 +1100 (EST)
From: Robert Hart <hartr@interweft.com.au>
Reply-To: Robert Hart <iweft@ipax.com.au>
To: "'redhat-list@redhat.com'" <redhat-list@redhat.com>
In-Reply-To: <01BBC65D.319AB020@max1-21.spiritone.com>
Resent-From: redhat-list@redhat.com

On Wed, 30 Oct 1996, Dave wrote:

> Ok in your home directory make a file using whatever editor turns you on.
> Myself I enjoy pico.. it's easy and fun..
>  
> pico sone
> 
> #!/bin/sh
> /usr/sbin/pppd connect 'chat "" ATDT<phone#> ogin: <name> word: <pword>' \
> 	/dev/modem 38400 mru 296 lock debug crtscts modem defaultroute

Whilst this works, this has a HUGE security hole in it - try doing a 'ps
-auxw' and you will see your ISP username and password displayed for all
to see!

OK - so you are the only user on your computer...think again! By
connecting to your ISP you are connecting to the world...running a
firewall - how secure is your system?

OK - again, you are probably using dynamic IP and thus have some 'security
through obscurity'. This could break...or be very easily broken.

The effort required to produce a script that does NOT display
usernames/passwords in the process table is trivial - and you don't even
have to re-invent it. Take a look at the sample scripts in the PPP-HOWTO
(v2.2 - on sunsite.unc.edu and mirrors).

If you are using PPP on Linux and are NOT doing this (or something like
it), you are laying yourself open to the possibility that someone will
grab your authentication information and start using your account. At the
very least, this will cost you money.

It could also cost you a whole lot more if they use your account for
illegal activities (see the recent child porn scam that used a couple of
AOL accounts for more info...).

Do YOU want the FBI (or local equivalent) banging on your door?

Robert Hart                                  iweft@ipax.com.au
Voice: +61 (0)3 9735 3586
InterWeft, 35 Summit Road, Lilydale, Victoria 3140, Australia
        IT, data and voice networking Consultancy
        Strategic IT business planning
        Internet planning, implementation, security and configuration


--
  PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
  ________________________________________________________________________
  http://www.redhat.com/RedHat-FAQ   http://www.redhat.com/RedHat-Errata
  http://www.redhat.com/RedHat-Tips  http://www.redhat.com/mailing-lists
  ------------------------------------------------------------------------
To unsubscribe: mail -s unsubscribe redhat-list-request@redhat.com < /dev/null
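
An added example, not part of the original message and not the PPP-HOWTO's own scripts: one way to keep the login out of the process table is to put the expect/send pairs in an owner-only file and have chat read it with `-f`. The function names, file path, phone number, login and password are constructed for illustration, and the password is assumed to need no chat quoting.

```shell
#!/bin/sh
# Added example, not from the original post. Phone number, login and
# password below are constructed placeholders.

# write_chat_file FILE PHONE LOGIN PASSWORD
# Writes the expect/send pairs to FILE with owner-only permissions.
# The values travel through a here-document (stdin of cat), never
# through the argument list of an external program.
write_chat_file() {
    (
        umask 077
        rm -f "$1"
        cat > "$1" <<EOF
"" ATDT$2
ogin: $3
word: $4
EOF
    )
}

# pppd_command FILE
# Prints the pppd invocation from the quoted script, changed only so
# that chat reads its script from FILE (chat -f) instead of its arguments.
pppd_command() {
    printf "%s 'chat -f %s' %s\n" "/usr/sbin/pppd connect" "$1" \
        "/dev/modem 38400 mru 296 lock debug crtscts modem defaultroute"
}

# leaks_secret COMMANDLINE SECRET
# Succeeds (exit 0) when SECRET appears in COMMANDLINE, i.e. when
# 'ps -auxw' would show it to every local user.
leaks_secret() {
    case "$1" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Demo with constructed values: print the command line and the verdict.
demo_dir=$(mktemp -d)
write_chat_file "$demo_dir/chat-isp" 5550100 exampleuser 'Ex4mple-Pw'
demo_cmd=$(pppd_command "$demo_dir/chat-isp")
printf '%s\n' "$demo_cmd"
if leaks_secret "$demo_cmd" 'Ex4mple-Pw'; then
    echo "password visible in process table"
else
    echo "password not in argument list"
fi
rm -rf "$demo_dir"
```

The same `leaks_secret` check can be run against the output of `ps -auxw` on a live system to confirm that no dial-up process carries the password in its arguments.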

