[2830] in bugtraq
Re: Write-only devices (Was read only devices)
daemon@ATHENA.MIT.EDU (Lew Wagner)
Thu Jun 27 17:38:28 1996
Date: Thu, 27 Jun 1996 15:56:09 -0400
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
From: Lew Wagner <wagnerl@erols.com>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
And remember to chmod those logs to 600 for root only and the directories
they are in. Don't need those pesky browsers tripping all over these files.
Lew Wagner
wagnerl@erols.com
At 10:57 AM 6/27/96 WET, you wrote:
>>if your logs contain passwords you should be shot....
>>
> ftp ftp.any.where.net
> # user types username too fast
> # FTP server flushes input and prompts
> Username:
> # user doesn't notice and types password
> # FTP server prompts for password
> # user realizes mistake and presses return to try again
> # FTP server notes in the logs a login error for user "pAsSwOrD"
> # user logs in correctly and FTP server notes in the logs a
> # successful login for "user".
>
>The log looks like
>
> FTP: failed login attempt for user "pAsSwOrD"
> FTP: successful login for user "user" two seconds later
>
>The cracker sees that and thinks "what a strange username, and odd coincidence,
>hey, maybe...." and there you are.
>
> The same happens for most programs that log successful and wrong
>logins. If you don't record all login attempts then you don't know if
>someone is trying to log in nor if the attacker is going after a specific
>account. You have to start interactively monitoring one by one all your
>accounts (no account name on any logs, remember?)...
>
> The lesson is: *users* do make mistakes. And there's no easy
>way you can keep useful logs without them containing sensitive
>information. Either they do or they are useless.
>
> No need to shoot anyone. Just avoid sending logs in plaintext over
>a network.
>
> jr
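As an added example (not part of this thread or of anyone's ftpd), here is a defender-side scrubber for the mistake jr describes: it parses constructed log lines in the shape of the post, flags a failed login whose "username" is followed within a few seconds by a successful login for a different account from the same source, and redacts that name before the log is copied anywhere. The log format, the 10-second window and the field names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample log in the shape the post describes (not a real ftpd format).
# Line 1 is the "password typed at the Username: prompt" case; the root and
# guest lines are ordinary failures that must NOT be redacted.
SAMPLE_LOG = """\
1996-06-27 10:57:01 ftpd[1021]: failed login attempt for user "pAsSwOrD" from 10.0.0.5
1996-06-27 10:57:03 ftpd[1021]: successful login for user "user" from 10.0.0.5
1996-06-27 11:02:10 ftpd[1044]: failed login attempt for user "root" from 10.0.0.9
1996-06-27 11:02:12 ftpd[1044]: failed login attempt for user "root" from 10.0.0.9
1996-06-27 11:30:00 ftpd[1090]: failed login attempt for user "guest" from 10.0.0.7
1996-06-27 11:45:00 ftpd[1103]: successful login for user "guest" from 10.0.0.7
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ftpd\[\d+\]: '
    r'(?P<result>failed login attempt|successful login) for user "(?P<name>[^"]*)" '
    r'from (?P<src>\S+)$'
)


def parse(line):
    """Return a dict of fields for a recognised line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev


def scrub(text, window=10):
    """Return (scrubbed_lines, flagged_names).

    A failed login whose 'username' is followed within `window` seconds by a
    successful login for a *different* name from the same source is treated as
    a mistyped password and the name is replaced by "[REDACTED]" in the output.
    All other lines, including repeated failures for a real account, are kept."""
    lines = text.splitlines()
    events = [parse(line) for line in lines]
    out, flagged = [], []
    for i, ev in enumerate(events):
        line = lines[i]
        if ev and ev["result"] == "failed login attempt":
            for later in events[i + 1:]:
                if later is None:
                    continue
                if (later["ts"] - ev["ts"]).total_seconds() > window:
                    break  # log is time-ordered; nothing later can qualify
                if (later["src"] == ev["src"] and later["result"] == "successful login"
                        and later["name"] != ev["name"]):
                    flagged.append(ev["name"])
                    line = line.replace('"%s"' % ev["name"], '"[REDACTED]"')
                    break
        out.append(line)
    return out, flagged
```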