Re: Limiting Shell Access Damage (was Guruness)
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: Limiting Shell Access Damage (was Guruness)
- From: Hannah Schroeter <hannah_(_at_)_schlund_(_dot_)_de>
- Date: Mon, 24 Oct 2005 15:06:16 +0200
- Mail-followup-to: misc_(_at_)_openbsd_(_dot_)_org
- Organization: Schlund + Partner AG
Hello!
On Thu, Oct 20, 2005 at 11:01:55PM +0200, Jesper Louis Andersen wrote:
>[... what looks like good advice ...]
>A typical attack vector, however, for 1000+ account sites is a
>compromised account. You can assume at least 5 per 1000 accounts are
>compromised or have easily guessable passwords. Those will not heed your
>policy forms whatever you do. You can mitigate the risk by separating
>systems and limiting account access. When this is not possible,
>ProPolice, W^X, StackGhost, etc will come in very handy.
You can mitigate the risk of guessable passwords by checking passwords
on change, using the minpasswordlen and passwordcheck fields of
login.conf. Set passwordtries to 0 so the user can't override the
password policy by insisting on the bad password.
>[...]
Kind regards,
Hannah.
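The passwordcheck mechanism Hannah refers to takes an external program: passwd(1) runs it when a user changes a password, writes the candidate to the program's stdin, and rejects the password if the program exits non-zero (see login.conf(5)). Below is an added example of such a checker, written for this page and not code from the original message or from OpenBSD itself. It assumes an install path of /etc/passwdcheck, referenced from a login class with an entry like `:minpasswordlen=8:passwordcheck=/etc/passwdcheck:passwordtries=0:`, and the policy numbers and the short deny list in it are constructed for illustration; a real deployment would point the dictionary check at a proper word list.

```shell
#!/bin/sh
# Added example (not from the original message): an external password
# checker for OpenBSD's login.conf "passwordcheck" capability. passwd(1)
# runs the program and writes the candidate password to its stdin; exit
# status 0 accepts the password, non-zero rejects it. Length is already
# enforced by "minpasswordlen", so this script adds a character-class
# and common-password test. Install path /etc/passwdcheck and the policy
# numbers below are assumptions for the example.

MINLEN=8           # mirror of minpasswordlen; re-checked here defensively
MINCLASSES=3       # out of: lowercase, uppercase, digit, other
PASSPHRASE_LEN=16  # at this length a lowercase-only passphrase is acceptable

# Constructed deny list standing in for a real dictionary of common passwords.
COMMON_PASSWORDS='password
123456
qwerty
letmein
welcome
openbsd'

# check_password CANDIDATE -> returns 0 if acceptable, 1 (with a reason on
# stderr) if not.
check_password() {
    pw=$1
    if [ "${#pw}" -lt "$MINLEN" ]; then
        echo "password shorter than $MINLEN characters" >&2
        return 1
    fi
    # Case-insensitive, whole-line, fixed-string match against the deny list.
    if printf '%s\n' "$COMMON_PASSWORDS" | grep -qixF -- "$pw"; then
        echo "password is on the common-password list" >&2
        return 1
    fi
    classes=0
    case $pw in *[[:lower:]]*) classes=$((classes + 1)) ;; esac
    case $pw in *[[:upper:]]*) classes=$((classes + 1)) ;; esac
    case $pw in *[[:digit:]]*) classes=$((classes + 1)) ;; esac
    case $pw in *[![:alnum:]]*) classes=$((classes + 1)) ;; esac
    if [ "$classes" -lt "$MINCLASSES" ] && [ "${#pw}" -lt "$PASSPHRASE_LEN" ]; then
        echo "use at least $MINCLASSES of: lower, upper, digit, punctuation (or $PASSPHRASE_LEN+ characters)" >&2
        return 1
    fi
    return 0
}

# When installed as /etc/passwdcheck and run by passwd(1): read the
# candidate from stdin and report through the exit status. Skipped when
# the file is sourced or run under another name.
case ${0##*/} in
passwdcheck)
    IFS= read -r candidate
    check_password "$candidate"
    exit $?
    ;;
esac
```

Because passwordtries=0 in the class entry means passwd(1) will not let the user fall through after repeated rejections, the script should print a reason for every rejection, otherwise users are left guessing at the policy. Try it by hand with `printf 'password\n' | /etc/passwdcheck; echo $?` before pointing login.conf at it, since a checker that exits non-zero for everything locks every user in the class out of changing their password.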