[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [cobalt-users] Suspending servers
- Subject: Re: [cobalt-users] Suspending servers
- From: Jeff Lasman <jblists@xxxxxxxxxxxxx>
- Date: Thu Dec 14 08:18:02 2000
- Organization: nobaloney.net
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
The Thieving Gypsy wrote:
> Sorry - to explain at bit more, I work for the UK office of Verio, and we
> lease whole dedicated servers to our clients -
Those of us who read your post (including those of us reading hundreds
of posts a day) knew that within the first lines of your original post;
you did fine and don't need to apologize; a few readers just
misunderstood you is all.
...<stuff snipped out of middle>...
> 1/. suspend the admin user - preventing them from using the GUI and telnet.
> The question, though, is whether or not this would cause problems if the
> server crashed and has to be taken into single user mode.
> 2/. Suspend the root user and turn off the GUI (to prevent reboot from a
> browser). Would this have any repurcusions, though?
I think you're making a mountain out of a molehill. Here's what I'd do:
Crete a new root account for myself, root2, with uid/gid of 0 would work
<smile>.
Using a script I'd go through the entire /etc/shadow file and add an "*"
as the first character in the password field. Just in case the system
crashes at the wrong moment, I'd make sure the script was smart enough
to skip your root2 account, though it doesn't need to skip system
accounts.
Turn off httpd, and don't let anyone pick up mail or see sites until the
account is paid; you're still receiving their mail, just not letting
them see it until they've paid.
I've never tested to see if turning off httpd also turns off "admin"
httpd; you might want to check and see. However, even if it doesn't, if
you've installed a good secure random password (i.e., something like
AkcuB8cH) you won't need to worry about them getting in.
To keep your customer from trying an ftp-based hack, I'd turn off
anonymous FTP access, or all FTP access. To keep him/her from trying
the ADM ROCKS hack I'd make sure I had the latest bind in the system, or
turn off DNS if it's not being used by the customer.
Be sure to have another script ready to strip out those extra "*"
characters; the customer may actually decide to pay <smile>.
I hope this helps.
(In case anyone wants to know, I use a program to generate those
passwords; it's an MS-DOS-based program; it creates random passwords and
as far as I can tell, it doesn't repeat. Once you've used a password on
a list, NEVER use it in a system; someone is no doubt scanning archives
for passwords to add to a password dictionary.)
Jeff
--
Jeff Lasman <jblists@xxxxxxxxxxxxx>
nobaloney.net
P. O. Box 52672
Riverside, CA 92517
voice: (909) 787-8589 * fax: (909) 782-0205