RE: Re[3]: [cobalt-users] wish to Cobalt: suppressing "sensitive" information
- Subject: RE: Re[3]: [cobalt-users] wish to Cobalt: suppressing "sensitive" information
- From: "Jerome Tytgat" <j.tytgat@xxxxxxxx>
- Date: Thu Sep 21 02:38:23 2000
> I agree, it's NOT a good idea. But neither is running software with an
> exploit available. Patching the software is the solution. Also, there
> are many ways of fingerprinting a system, software, etc., not just
> based upon those messages.
Right, but why make the hacker's life simpler???? It's really easy
to suppress this information...
> It is a publicly readable file, for Christ's sake! On a shared server! You
> don't put sensitive information or code, or *anything* on a server with such
> circumstances!
It depends... maybe we want to have a PHP3 server shared by several
customers; they may have a user/password database...
Anyway, it's not a good idea to show a complete Web directory structure!!!!
Think of those you are trying to protect using .htaccess...
USELESS!!!!
> I also wish that people would get the terminology right--that is not
> 'telnet' access, but 'shell' access you are talking about. Telnet is a
> client, server, & protocol. The shell is the actual command line interface
> that is commonly accessed with telnet, serial, or SSH. Telnet should not
> even be enabled or allowed or supported, especially now that the RSA patent
> has expired.
The use of Telnet or SSH is beside the point here... if we grant Telnet access
or SSH access to all our customers, the problem is rather the same...
THEY CAN ACCESS OTHER PEOPLE'S DIRECTORIES!
> I'd like to see the Raq's come with IPChain management interfaces. I.e. you
> select the services you're running on the machine (POP, FTP, WWW, SSH) and
> it blocks all other ports to the external interface.
Yes, but again that's not really necessary... as you have (I hope) a firewall
in front. WWW/POP/SMTP/FTP (USE FTP OVER SSH!!!) are enough for a good
exploit, even WWW with some CGI script.
_______________________________________________________________
ISION FRANCE
Jérôme Tytgat
System and Network security Administrator
mailto:j.tytgat@xxxxxxxx http://www.ision.fr
_______________________________________________________________