login security
eric%cit-vax at sri-unix.UUCP
Thu Jun 30 06:59:17 AEST 1983
Re: the idea of using smtp to find out valid usernames: many sites have
finger servers running, and many others have password-less logins like
"who" and "finger". Our system records login attempts from the arpanet
and several times I have seen a successful "who" login followed by an
unsuccessful login attempt for each of the users already logged in!
Thus, to prevent a bad guy from easily getting usernames, out go finger
servers and "informational" login names. What we have instead is a setup
whereby a file giving the sites that each user can log in from is
checked by login and by ftp. Since most users do not access the machine
from other sites, most users are not allowed to at all. Also, login and
ftp refuse to allow a login from the net if the password is less than 6
characters EVEN IF IT IS CORRECT. In retrospect, I am glad I put all
this stuff in, because there are several spurious attempts every day
(particularly, I might add, from somewhere on the ucb-ether network).
- Eric Holstege
(eric at cit-vax)
(...ucbvax!cithep!citcsv!eric)
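
The policy described in the post above, sketched as an added example (not code from the original post or from the cit-vax system): a network login is refused unless the user has an entry listing the originating site, and refused again if the password is shorter than 6 characters even when it is correct. The table format `user: site site ...`, the function names and the sample entries are assumptions made for illustration.

```c
#include <string.h>

#define MIN_NET_PASSWORD_LEN 6  /* from the post: fewer than 6 chars is refused */

/* Constructed sample table; the "user: site site ..." format is an assumption. */
static const char SAMPLE_TABLE[] =
    "# user: sites allowed to log in over the net\n"
    "alice: site-a site-b\n"
    "bob: site-c\n";

/* Return 1 if `user` is listed for `site` in `table`; users with no entry get 0. */
static int site_allowed(const char *table, const char *user, const char *site)
{
    char line[256];
    const char *p = table;
    while (*p) {
        size_t n = strcspn(p, "\n");
        size_t copy = n < sizeof line - 1 ? n : sizeof line - 1;
        memcpy(line, p, copy);
        line[copy] = '\0';
        p += n + (p[n] == '\n');            /* step past the newline, if any */
        char *colon = strchr(line, ':');
        if (line[0] == '#' || colon == NULL)
            continue;                       /* comment or malformed line */
        *colon = '\0';
        if (strcmp(line, user) != 0)
            continue;
        for (char *tok = strtok(colon + 1, " \t"); tok; tok = strtok(NULL, " \t"))
            if (strcmp(tok, site) == 0)
                return 1;
    }
    return 0;                               /* default deny */
}

/* Decision for a login arriving from the network. `password_ok` is the result
 * of the ordinary password check, which is done elsewhere. */
int net_login_permitted(const char *table, const char *user, const char *site,
                        const char *password, int password_ok)
{
    if (!site_allowed(table, user, site))
        return 0;
    if (strlen(password) < MIN_NET_PASSWORD_LEN)
        return 0;               /* refused even when the password is correct */
    return password_ok ? 1 : 0;
}

int main(void)
{
    return net_login_permitted(SAMPLE_TABLE, "alice", "site-a", "longenough", 1) ? 0 : 1;
}
```
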
More information about the Comp.unix.wizards
mailing list