Sorry. In rereading some of what I wrote, it seemed harsh. I was not
meaning to be that way and I am grateful to Mike and everyone for their
input. I admit also that I don't have full understanding of the
situation and that some of what I wrote down below may in fact be
erroneous... it reflects my current understanding of things, which, as
was the purpose of this thread in the first place, is what I'm trying to
modify and refine.
Thanks all.
Christian M. Cepel wrote:

Mike Miller wrote:

On Fri, 21 Mar 2008, Christian M. Cepel wrote:

It seems to me that their problem is that the ~ gives away the
username and this attracts a lot of inappropriate attempts to connect
via ftp or ssh or telnet by scripts that are trying to guess
passwords. If they don't get rid of the old server name, they'll
continue to see these attempts even if the usernames don't exist. So
I don't think their problem can be solved without getting rid of the
old server name altogether.

There is no 'old' server, only new servers with the old subdomains
grandfathered. Further this argument holds no weight whatsoever. Any
server will be attacked. This server will not experience any more or
less for it once having ~ access. The issue of ~ vulnerability is that
it gained those infiltrators a username to begin with. They will no
longer have these and the new server will be just as vulnerable as any
server ever was to people trying to guess usernames & passwords.

If they did keep the old server name, they would have to change the
names of all users. If they did that, they could retain a mapping
from the old username to the new one and they could set up the web
server to have it direct the old /~whatever/ to something else.

The names are already changed. Account access is done by people's
pawprints and has been so for a long while. You can still 'sudo' to
those accounts, but it's using your pawprint password, and I think it
can only be done from localhost. (If I'm understanding things at all
correctly).

I think there is another way -- they can keep a computer that does
HTTP redirects only and ignores attempts on all other ports. So
point old DNS records to
httpdirect.missouri.edu (which has many aliases)
When it sees an attempt to connect here...
http://whatever.missouri.edu/~user/blah/
...it redirects it to here:
http://coe3.missouri.edu/Xuser/blah/
Something like that.

That's essentially what I was proposing from the start... however,
I'm reaching the conclusion that it's absolutely unnecessary. At this
point I see no reason why the DNS mappings cannot be maintained and
the httpd.conf configged with mod_rewrite to redirect attempts to
access defunct accounts.
Mike
_______________________________________________
members mailing list
EMAIL:PROTECTED
http://mlug.missouri.edu/mailman/listinfo/members
--
Christian M. Cepel - Thistledowne Productions - http://thistledowne.org
Computer Support Specialist, Sr. - University of Missouri - Columbia
College of Education - School of Info Science & Learning Technologies
VRCbd, KidTools & StrategyTools Support Systems Projects, and Truman,
Library Whistlestop Project - Web Design & Programming - 573.999.2370
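The redirect-only host that Mike sketches and the mod_rewrite setup Christian settles on, written out as an added example that is not from the thread or from the university's actual configuration: the old hostname stays in DNS, /~user/ requests for renamed accounts go to the new host via a username map, and every other /~ request gets 410 Gone so a probe cannot tell a former account from a guessed one. Hostnames follow the thread; the map file, its path and the log and document-root paths are assumptions.

```apache
# Assumed: Apache httpd with mod_rewrite loaded. This host should run nothing
# but httpd on port 80 (no ftp/ssh/telnet listeners), which is a host/firewall
# matter outside this file.
Listen 80

<VirtualHost *:80>
    ServerName whatever.missouri.edu
    DocumentRoot /var/www/empty          # assumed empty directory; nothing is served

    # If mod_userdir is loaded, make sure /~user never resolves to a home dir,
    # so the old hostname can no longer confirm which usernames exist.
    <IfModule mod_userdir.c>
        UserDir disabled
    </IfModule>

    RewriteEngine On

    # Assumed map file, one "oldusername newname" pair per line, e.g.
    #   jdoe   Xjdoe
    # Names absent from the map are treated as defunct accounts.
    RewriteMap oldusers "txt:/etc/httpd/conf/oldusers.map"

    # /~olduser/rest -> http://coe3.missouri.edu/newname/rest for mapped users.
    # $1 in the RewriteCond refers to the RewriteRule's first capture group.
    RewriteCond "${oldusers:$1|NOTFOUND}" "!=NOTFOUND"
    RewriteRule "^/~([^/]+)(/.*)?$" "http://coe3.missouri.edu/${oldusers:$1}$2" [R=301,L]

    # Any other /~ request: 410 Gone, the same answer whether the account
    # once existed or the name was guessed by a script.
    RewriteRule "^/~" - [G,L]

    # Everything else moves to the new host at the same path.
    RewriteRule "^/(.*)$" "http://coe3.missouri.edu/$1" [R=301,L]

    # Keep an access log so the guessing attempts remain visible after the move.
    CustomLog /var/log/httpd/whatever_redirect.log combined
</VirtualHost>
```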