Mike Miller wrote:
On Fri, 21 Mar 2008, Christian M. Cepel wrote:
It seems to me that their problem is that the ~ gives away the
username and this attracts a lot of inappropriate attempts to connect
via ftp or ssh or telnet by scripts that are trying to guess
passwords. If they don't get rid of the old server name, they'll
continue to see these attempts even if the usernames don't exist. So
I don't think their problem can be solved without getting rid of the
old server name altogether.
There is no 'old' server, only new servers with the old subdomains
grandfathered. Further this argument holds no weight whatsoever. Any
server will be attacked. This server will not experience any more or
less for it once having ~ access. The issue of ~ vulnerability is that
it gained those infiltrators a username to begin with. They will no
longer have these and the new server will be just as vulnerable as any
server ever was to people trying to guess usernames & passwords.
If they did keep the old server name, they would have to change the
names of all users. If they did that, they could retain a mapping
from the old username to the new one and they could set up the web
server to have it direct the old /~whatever/ to something else.
The names are already changed. Account access is done by people's
pawprints and has been so for a long while. You can still 'sudo' to
those accounts, but it's using your pawprint password, and I think it
can only be done from localhost. (If I'm understanding things at all
correctly).
I think there is another way -- they can keep a computer that does
HTTP redirects only and ignores attempts on all other ports. So point
old DNS records to
httpdirect.missouri.edu (which has many aliases)
When it sees an attempt to connect here...
http://whatever.missouri.edu/~user/blah/
...it redirects it to here:
http://coe3.missouri.edu/Xuser/blah/
Something like that.
That's essentially what I was proposing from the start... however.. I'm
reaching the conclusion that it's absolutely unnecessary. At this point
I see no reason why the DNS mappings cannot be maintained and the
httpd.conf configged with mod_rewrite to redirect attempts to access
defunct accounts.
Mike
_______________________________________________
members mailing list
EMAIL:PROTECTED
http://mlug.missouri.edu/mailman/listinfo/members
--
Christian M. Cepel - Thistledowne Productions - http://thistledowne.org
Computer Support Specialist, Sr. - University of Missouri - Columbia
College of Education - School of Info Science & Learning Technologies
VRCbd, KidTools & StrategyTools Support Systems Projects, and Truman,
Library Whistlestop Project - Web Design & Programming - 573.999.2370
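
The mod_rewrite approach discussed in this message, sketched as an added example that is not part of the original post or the site's real configuration. The hostnames are the ones quoted in the thread; the map file path, its contents and the ServerAlias entry are assumptions.

```apache
# Redirect-only virtual host for the grandfathered names.
# Constructed example: file path and alias list are assumptions.
<VirtualHost *:80>
    ServerName  httpdirect.missouri.edu
    ServerAlias whatever.missouri.edu

    RewriteEngine On

    # Plain-text lookup table, one "oldname newpath" pair per line, e.g.
    #   user   Xuser
    # (hypothetical file; only accounts that still have content are listed)
    RewriteMap usermap "txt:/etc/httpd/conf/usermap.txt"

    # Old account with a mapping: permanent redirect, keeping the rest
    # of the path. $1 and $2 come from the RewriteRule pattern below.
    RewriteCond ${usermap:$1|NOTFOUND} !=NOTFOUND
    RewriteRule ^/~([^/]+)(/.*)?$ http://coe3.missouri.edu/${usermap:$1}$2 [R=301,L]

    # Any other /~name request (defunct account): 410 Gone,
    # with no lookup against the system's real accounts.
    RewriteRule ^/~ - [G]
</VirtualHost>
```

Because the lookup is against a static file rather than the password database, the redirector answers only for names placed in the map and runs no per-user directories of its own.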