Re: Re[3]: [cobalt-users] wish to Cobalt: suppressing "sensitive" information
- Subject: Re: Re[3]: [cobalt-users] wish to Cobalt: suppressing "sensitive" information
- From: Kris Dahl <krislists@xxxxxxxxxxxxx>
- Date: Tue Sep 19 09:40:10 2000
> I know Obscurity is not a good security but if a bug exist on a
> particular version of sendmail or qpopper, it's maybe not a good
> idea to say "Hey we are using this version, yes you know the bugged
> one, so you can use this exploit on me".
I agree, it's NOT a good idea. But neither is running software with an
exploit available. Patching the software is the solution. Also, there
are many ways of fingerprinting a system, software, etc., not just based upon
those messages.
> - A jail or a chroot for the peoples who needs telnet on the cobalt (yes
> they can look at other people html code... php code, really bad !!!!!!!!),
> they shouldn't have the possibility to go out of their directory !!!!
> (maybe a reorganization of the site directory...)
It is a publicly readable file, for Christ's sake! On a shared server! You
don't put sensitive information or code, or *anything* on a server with such
circumstances!
I also wish that people would get the terminology right--that is not
'telnet' access, but 'shell' access you are talking about. Telnet is a
client, server, & protocol. The shell is the actual command line interface
that is commonly accessed with telnet, serial, or SSH. Telnet should not
even be enabled or allowed or supported, especially now that the RSA patent
has expired.
> We don't want a firewall, we want a more security aware box !!!!!
> We have a firewall in front of them but we can't suppress every access !!!
I'd like to see the RaQs come with IPChains management interfaces. I.e. you
select the services you're running on the machine (POP, FTP, WWW, SSH) and
it blocks all other ports to the external interface.
-k
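The "select your services, block everything else" interface Kris asks for above, written out as an added example (not Kris's code, nor anything shipped on a Cobalt RaQ): a POSIX sh function that turns a list of allowed TCP ports into a default-deny ipchains rule set for the external interface. The interface name, the service ports and the ipchains path are placeholders passed in or assumed; the function only prints the commands so the result can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example, not part of the original message or of the Cobalt software.
# Assumptions: a Linux 2.2-era box with ipchains; the external interface is
# given as the first argument; loopback stays unrestricted. IPCHAINS_BIN is a
# placeholder path. The function PRINTS the rules; pipe the output to sh on
# the box to apply them.
IPCHAINS_BIN="${IPCHAINS_BIN:-/sbin/ipchains}"

# gen_rules EXT_IF PORT [PORT...]  -> prints one ipchains command per line
gen_rules() {
    [ "$#" -ge 2 ] || { echo "usage: gen_rules EXT_IF PORT..." >&2; return 1; }
    ext_if="$1"; shift
    echo "$IPCHAINS_BIN -F input"                 # start from an empty input chain
    echo "$IPCHAINS_BIN -P input DENY"            # default policy: deny what is not listed
    echo "$IPCHAINS_BIN -A input -i lo -j ACCEPT" # local traffic stays open
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
        esac
        # new TCP connections to a selected service port (22 for SSH, 80 for WWW, ...)
        echo "$IPCHAINS_BIN -A input -i $ext_if -p tcp --dport $port -j ACCEPT"
    done
    # replies to connections the box itself opened: TCP packets without SYN-only
    echo "$IPCHAINS_BIN -A input -i $ext_if -p tcp ! -y -j ACCEPT"
    # DNS answers for the local resolver
    echo "$IPCHAINS_BIN -A input -i $ext_if -p udp --sport 53 -j ACCEPT"
    # everything else: log the hit (-l) and deny it explicitly
    echo "$IPCHAINS_BIN -A input -i $ext_if -j DENY -l"
}

# Stand-alone use: sh thisfile.sh eth0 22 80 110 | sh   (after reviewing the output)
[ "$#" -eq 0 ] || gen_rules "$@"
```

Ports not named on the command line never get an ACCEPT rule, so a new daemon (or a forgotten one) is unreachable from outside until someone deliberately adds it; the `-l` on the final rule gives the kernel log a record of what was turned away, which is the first place to look when a service "stops working".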