Re: [cobalt-security] another suggestion: security improvements
- Subject: Re: [cobalt-security] another suggestion: security improvements
- From: Chris Adams <cmadams@xxxxxxxxxx>
- Date: Fri, 15 Sep 2000 15:55:48 -0500
Once upon a time, Florian Effenberger <florian.effenberger@xxxxxxxxxxxxx> said:
> I have another suggestion: more security improvements. The admin user
> should get a message (if he enables it), when a
>
> * POP3
> * telnet
> * su
> * SMTP
> * IMAP
> * FTP
> * WEB/htaccess
>
> failure logon occurs. Example: someone tries logging in as root/admin
> via telnet with the wrong password -> mail is being sent to the
> administrator.
That would be a _very_ bad idea, for several reasons. If you did that,
I could have a very simple denial of service attack against your
network. Simply try to connect in with a bogus username repeatedly, and
your mailbox (and mailserver) will overload.
Also, you realize that htaccess _always_ fails the first time; that is
how the web browser knows to ask for a password.
--
Chris Adams <cmadams@xxxxxxxxxx>
Systems and Network Administrator - HiWAAY Information Services
I don't speak for anybody but myself - that's enough trouble.
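
The mail flood raised in the reply comes from sending one message per failed attempt. As an added example (not part of the thread and not Cobalt's code), this sketch aggregates failed logins into one size-bounded digest per time window and skips the credential-less HTTP 401 challenge. The event tuple layout, function name, and sample data are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample events (assumed layout):
# (epoch_seconds, service, user, source_ip, credentials_were_sent)
SAMPLE_EVENTS = (
    # 1000 bogus telnet logins inside one five-minute window
    [(i % 300, "telnet", "root", "192.0.2.10", True) for i in range(1000)]
    + [
        (10, "htaccess", "", "198.51.100.7", False),      # initial 401 challenge
        (12, "htaccess", "admin", "198.51.100.7", True),  # real wrong password
        (400, "pop3", "user1", "203.0.113.5", True),
    ]
)


def build_digests(events, window=300, max_lines=5):
    """Return one digest dict per time window instead of one mail per failure."""
    buckets = {}
    for ts, service, user, src, had_creds in events:
        # A 401 with no Authorization header is how the browser learns to
        # prompt for a password; it is not a failed login.
        if service == "htaccess" and not had_creds:
            continue
        start = ts - ts % window
        buckets.setdefault(start, Counter())[(service, user, src)] += 1

    digests = []
    for start in sorted(buckets):
        counts = buckets[start]
        top = counts.most_common(max_lines)
        lines = [f"{n:5d}  {svc} user={usr} from={ip}" for (svc, usr, ip), n in top]
        omitted = len(counts) - len(top)
        if omitted > 0:
            # Cap the body so many distinct sources cannot inflate the mail.
            lines.append(f"... {omitted} more source/user pairs omitted")
        digests.append({
            "window_start": start,
            "total": sum(counts.values()),
            "body": "\n".join(lines),
        })
    return digests


if __name__ == "__main__":
    for d in build_digests(SAMPLE_EVENTS):
        print(f"window {d['window_start']}: {d['total']} failures\n{d['body']}\n")
```

With the sample data, 1002 failures and one challenge produce two messages rather than 1003.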