Re: User access & security
- From: ibuprofin@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin)
- Date: Mon, 01 Oct 2007 14:58:44 -0500
On Mon, 01 Oct 2007, in the Usenet newsgroup comp.os.linux.security, in article
<4700eb0f$0$14825$afc38c87@xxxxxxxxxxxxxxxxxxxx>, Mark wrote:

> If there is a user with non-root access to their account, we are
> dependent on their having a good password to ward off too much nasty
> activity.

You are also dependent on what _network_ access you grant. I've got a
system on the table behind me that has an empty password ("") for the
three user accounts. The only ones who can access that are those who
are physically present, because the box has no network connection. I've
another system (a workstation) that has trivial account names and
passwords, but again, you can't hack into it because while it _does_
have a network connection, it's not running _any_ services. The command
'netstat -anptu' returns only the column headers, because nothing is
listening to the network.

> I am told that it is fairly easy with user access to install a rootkit
> of some sort and totally compromise the system.

No details of distribution or version. Are you keeping the thing up to
date with all applicable errata, or what?

> Now it seems to me that if this user is careless with this password,
> then the whole server is at risk. How true is this?

Depends on the access you've granted.

> Doesn't this weaken Linux to such an extent that any user access at
> all is guaranteed to bring down the server?

Running Linux (or any other operating system) does not create security.
There is no silver bullet. Security is a system - a series of moves
made by a smart administrator that limits the possibility of damage.

> If that is the case, what do ISPs do, with their thousands of ordinary
> users? What does anybody do?

For starters, they don't allow unlimited access to every service that
can be installed on a system.

> I ask this because I have inadvertently left an account open with a
> trivial password which somebody has stumbled into. (It has since been
> closed, but the question remains).

They didn't stumble onto the account - they were invited in. They needed
to first _find_ the system (as of the middle of last month, there were
2,544,183,372 IPv4 addresses in use on the Internet, 409,770,752 in the
Asia-Pacific region, 32,594,688 of those in Oz), find the port you were
offering service over (telnet? ssh? who-knows), find the account name,
only then find the right password. Then the skript kiddiez have to
figure out which package (.deb, .rpm, .tar) is suitable... get the
picture that you are stretching the odds? On the other hand, if one of
your users installed this shiny thing they found on some nifty website
to "improve their Internet experience"...

Remember, the vulnerability being exploited here is the user, not the OS.
I've seen people joke - and I must emphasize, this is a JOKE - that you
could send round an email message that says "for great sex, email this
message to everyone in your address book, then format your hard drive
and burn all your backups". Possibly a double-digit percentage of users
will follow those instructions.

Old guy
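
The 'netstat -anptu' check mentioned in the reply above, turned into a small audit filter. This is an added example, not part of the original post: the function names and the sample output (addresses, PIDs, program names) are constructed for illustration. It prints only sockets that are listening and not bound to loopback, so empty output corresponds to the "only the column headers" case.

```shell
#!/bin/sh
# Added example: list sockets in `netstat -anptu` output that are reachable
# from the network (listening/unconnected and not bound to loopback only).

# Constructed sample output; addresses, PIDs and program names are made up.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      640/cupsd
tcp        0      0 192.168.1.10:22         192.168.1.50:51234      ESTABLISHED 1400/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           701/dhclient
tcp6       0      0 :::80                   :::*                    LISTEN      900/httpd
tcp6       0      0 ::1:25                  :::*                    LISTEN      950/master
EOF
}

# Reads netstat -anptu text on stdin; prints "proto local-address program"
# for each exposed socket. Prints nothing when only the headers are present.
exposed_listeners() {
    awk '
        { prog = "" }
        # TCP servers carry the LISTEN state in column 6.
        $1 ~ /^tcp/ && $6 == "LISTEN" { prog = ($7 == "" ? "-" : $7) }
        # UDP has no state column; an unconnected socket has foreign "*".
        $1 ~ /^udp/ && $5 ~ /:\*$/    { prog = ($6 == "" ? "-" : $6) }
        prog == "" { next }
        {
            addr = $4
            sub(/:[^:]*$/, "", addr)        # strip the port
            if (addr ~ /^127\./ || addr == "::1") next   # loopback only
            print $1, $4, prog
        }
    '
}

# On a live host: netstat -anptu | exposed_listeners
sample_netstat | exposed_listeners
```

Run as root on a real system so the PID/Program column is filled in for every socket; without it netstat shows "-" for processes owned by other users.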