
Re: Limiting Shell Access Damage (was Guruness)


On Thu, Oct 20, 2005 at 11:01:55PM +0200, Jesper Louis Andersen wrote:
>[... what looks like good advice ...]

>A typical attack vector, however, for 1000+ account sites is a 
>compromised account. You can assume at least 5 per 1000 accounts are 
>compromised or have easily guessable passwords. Those will not heed your 
>policy forms whatever you do. You can mitigate the risk by separating 
>systems and limiting account access. When this is not possible, 
>ProPolice, W^X, StackGhost, etc will come in very handy.

You can mitigate the risk of guessable passwords by checking passwords
on change, using the minpasswordlen and passwordcheck fields of
login.conf. Set passwordtries to 0 so the user can't override the
password policy by insisting on the bad password.


Kind regards,
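As an added example that is not part of this mail: a filter script for the passwordcheck capability named above, with a constructed login.conf class in its header comment that also sets minpasswordlen and passwordtries. The install path /usr/local/libexec/pwcheck, the class name and the `filter` argument are assumptions.

```shell
#!/bin/sh
# Added example: external filter for login.conf's "passwordcheck".
# passwd(1) feeds the candidate password on stdin; exit 0 accepts it.
# Assumed install path /usr/local/libexec/pwcheck; constructed class
# wiring it up with the other two capabilities from the mail:
#
#   staff:\
#       :minpasswordlen=12:\
#       :passwordcheck=/usr/local/libexec/pwcheck filter:\
#       :passwordtries=0:\
#       :tc=default:
#
# "filter" (an assumed pass-through argument) selects filter mode.

MIN_LEN=12

# check_password PASSWORD: returns 0 if acceptable, 1 otherwise.
check_password() {
    pw=$1
    if [ "${#pw}" -lt "$MIN_LEN" ]; then
        echo "pwcheck: shorter than $MIN_LEN characters" >&2
        return 1
    fi
    # Require at least three of the four classes lower/upper/digit/other.
    classes=0
    case $pw in *[a-z]*) classes=$((classes + 1)) ;; esac
    case $pw in *[A-Z]*) classes=$((classes + 1)) ;; esac
    case $pw in *[0-9]*) classes=$((classes + 1)) ;; esac
    case $pw in *[!a-zA-Z0-9]*) classes=$((classes + 1)) ;; esac
    if [ "$classes" -lt 3 ]; then
        echo "pwcheck: needs three of lower/upper/digit/other" >&2
        return 1
    fi
    # Reject candidates built around a few common words (constructed list).
    lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    case $lower in
        *password*|*qwerty*|*123456*|*letmein*)
            echo "pwcheck: contains a common word or sequence" >&2
            return 1 ;;
    esac
    return 0
}

# Filter mode: the password arrives without a trailing newline, so read
# reports EOF yet still fills the variable; ignore its status.
if [ "$1" = filter ]; then
    IFS= read -r candidate || :
    check_password "$candidate"
    exit $?
fi
```

minpasswordlen is enforced by passwd(1) itself before the filter runs; the script adds the class and word checks on top, and passwordtries=0 keeps the user from waiving either.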