| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: dufresne at winternet.com (Ron DuFresne) Subject: !SPAM! Automated ssh scanning On Thu, 26 Aug 2004, Tremaine wrote: [SNIP] > > > > > > The issue here is why does debain include such a weak account,m thaqt has > > not been tamed via a very restricted chroot env!? > > That's not the issue though. As someone who has installed and > maintained debian systems over a period of years, I can assure you > that debian does not include a guest account (or any account) with a > weak password or shell. > > There aren't any shell accounts other than root on a debian install > until added by the administrator. > > The weak account in question here was created by the original poster > with the intent of catching one of these apparently automated ssh > attacks. > I may have misread the orig poster on this, but, my impression was it was either added by his choices on the debain install, or is setup as access for 'general' users on his system. Perhaps I misread... > > As Barry pointed to directly, it all depends upon what you make available > > to your clients once in a shell. It;s very likely your server would be as > > exploitable as most 'default' installs with the kitchen sink dropped in. > > Perhaps not, but likely, depending upon what you 'installed and allow > > clients access to'. > > > > Thanks, > > > > Ron DuFresne > > > As for the defaults on the original posters install... that would of > course depend entirely on what install method he chose. Like many > current distros (Mandrake, Redhat etc) Debian offers a packaged > install of a couple varieties (desktop, server, workstation etc) for > an admin to pick from, or they can choose to run dselect (package > management interface) and choose by hand what they do and do not want. > Those do not make alot of difference, the key is not to accept any of the defaults by any of these dists, pick and choose carefully which individual packages you install. I know redhat has dependancy hell with various packages, from the experience of trying to do as minimal as possible an install for a webhost while migrating from sunone on solaris to apache/redhat on the mainframe awhile back. I do not doubt that some of these additional dists are wraught with the same issues. But, I do know that slackware's installation process has the ability for one to do finegrained installs and to determine specifically individual packages from each package set. > This of course again comes back to not knowing what the initial poster > did with the system beyond running dselect -> update -> install which > would have autohandled updates and dependency resolution for installed > packages. > Yes, kida like what I was saying above, but, also depenant upon how the dists deal with packages themselves in their various 'default modes'. Thanks, Ron DuFresne > -- > Tremaine > IT Security Consultant > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything.
Powered by blists - more mailing lists