Re: Hardening an old Ultrix server

phn_at_icke-reklam.ipsec.nu
Date: 05/23/03

  • Next message: Larg: "are export 1024 ciphers no good?"
    Date: Fri, 23 May 2003 13:54:45 +0000 (UTC)
    
    

    Tom Ivar Helbekkmo <tih+nr@eunetnorge.no> wrote:
    > Jacques Bourdeau <J_Bourdeau@videotron.ca> wrote:

    >> I have to improve the security of an old Ultrix server.

    > Could you possibly replace Ultrix? NetBSD will probably run just fine
    > on it, will be in a completely different ball park security-wise, and
    > will probably be able to run any binary software you've got on the box
    > that's a reason to keep it around in the first place. Check out the
    > project's web pages at <http://www.netbsd.org/> for more information.

    >> The first thing I have to change is the old password
    >> file. Passwords are still in /etc/passwd and readable by everyone.

    > phn@icke-reklam.ipsec.nu responded:

    >> Wrong. The hash of the password is readable. This is a huge difference.

    > Not these days, it's not. :-)

    If you read the whole text you should have noticed that "good passwords" were
    required. And non-guessable passwords still need a considerable
    effort to break (several days on fast hardware, weeks with a PC).

    Everything "depends" of course. A shadow password file does not protect
    against various abusable setuid programs or other hazards. A careful
    balance "where the weakest points" are, and "how good is enough".
    Just installing shadow passwords in Ultrix does nada to the real hazards.

    -- 
    Peter Håkanson         
            IPSec  Sverige      ( At Gothenburg Riverside )
               Sorry about my e-mail address, but i'm trying to keep spam out,
    	   remove "icke-reklam" if you feel for mailing me. Thanx.
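
The two exposures weighed in this thread (password hashes sitting in a readable passwd file, and setuid programs that shadowing does nothing about), as an added example that is not part of the original messages: a POSIX shell audit that reports both. The function names and the `des-crypt`/`other` labels are assumptions of this example, and it expects the usual seven-field passwd layout.

```shell
#!/bin/sh
# Added audit sketch; not from the thread. Paths are passed as arguments.

# Accounts whose passwd field 2 holds a hash that any local user can read.
# "x" (shadowed) and fields starting with * or ! (locked) are placeholders.
# A 13-character field over the crypt alphabet is labelled des-crypt.
exposed_hashes() {
    awk -F: '
        /^#/ || NF < 7          { next }
        $2 == "" || $2 == "x"   { next }
        $2 ~ /^[*!]/            { next }
        length($2) == 13 && $2 !~ "[^./0-9A-Za-z]" { print $1, "des-crypt"; next }
        { print $1, "other" }
    ' "$1"
}

# Accounts with an empty password field (login without a password).
empty_passwords() {
    awk -F: '!/^#/ && NF >= 7 && $2 == "" { print $1 }' "$1"
}

# Setuid and setgid regular files under a directory, on one filesystem.
# This is the inventory that shadow passwords leave untouched.
setuid_inventory() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# When called with arguments: <passwd file> [directory to scan, default /]
if [ $# -ge 1 ]; then
    echo "== hashes readable in $1 =="
    exposed_hashes "$1"
    echo "== empty password fields =="
    empty_passwords "$1"
    echo "== setuid/setgid files under ${2:-/} =="
    setuid_inventory "${2:-/}"
fi
```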
    