List: gauntlet-user
Subject: Re: Security holes
From: Ian Poynter <ian () jerboa ! com>
Date: 1998-08-31 23:00:42
At 08:43 AM 8/31/98 -0500, cfuss@oxfordassociates.com wrote:
> This is bad because the server should never say "userid nonexistent".
> This allows for a brute force attack based on known and unknown names.
> As I said, it's minor. I saw you also have an encrypted webserver running
> on port 443, so I assume security is somewhat of an issue.
>
> How worried should I be about this, and what can I do to solve the problem?
Well, I certainly wouldn't want this kind of info to make it out. If you don't need inbound telnet access, you should remove it from the outside (untrusted) policy, which will prevent anyone from getting this far.

Interestingly, the GUI on Gauntlet 4.1 for Unix has an option under Environment->Authentication->Gauntlet which allows you to choose "Indicate non-existant user on login". Mine is unchecked, but Gauntlet still does the same thing as your NT scenario. Commenting out the option that the GUI sets (authsrv: nobogus on) makes all bogus user ids cause a fake challenge. I guess this is a bug in translating the GUI setting, but there is at least a work-around to the problem.

I don't have the latest and greatest NT installed to look and see if the same option is available there...
Ian
-----
Ian Poynter ian@jerboa.com
Jerboa, Inc. +1-617-492-8084
PO Box 382648, Cambridge, MA 02238 http://www.jerboa.com
Providing unbiased Internet consulting for businesses.
Fingerprints RSA: BA 0C 82 C5 F2 03 3D 95 7C CE FD D3 57 4E 15 73
DSS: 2769 277A 9F69 F605 3743 D574 C8F5 C147 17D4 76B7
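The behaviour Ian describes, as an added illustration that is not part of the thread or of Gauntlet's own code: a small model of an authsrv-style login front end in its two modes. With the "indicate non-existent user" setting on, an unknown username gets a distinct error, so a probe can tell real accounts from bogus ones; with it off, unknown usernames get a keyed fake challenge that has the same shape as a real one and is stable across retries. The user table, challenge format and key are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a per-process secret for fake challenges and a tiny
# user table mapping usernames to their real challenge seeds.
FAKE_CHALLENGE_KEY = secrets.token_bytes(32)
KNOWN_USERS = {"alice": b"alice-seed", "bob": b"bob-seed"}


def challenge(username: str, nobogus: bool) -> str:
    """Return the login challenge line a client would see for `username`.

    nobogus=True  models the GUI setting Ian mentions (authsrv: nobogus on):
                  unknown users get a distinct error, which leaks account
                  existence to anyone who can reach the login prompt.
    nobogus=False models the work-around: unknown users get a fake challenge.
                  It is derived from the username with a secret key so it is
                  indistinguishable in shape from a real one and identical on
                  every retry (a fresh random value per attempt would itself
                  be a tell, since real challenges repeat until answered).
    """
    if username in KNOWN_USERS:
        seed = KNOWN_USERS[username]
    elif nobogus:
        return "userid nonexistent"
    else:
        seed = hmac.new(FAKE_CHALLENGE_KEY, username.encode(),
                        hashlib.sha256).digest()
    # Constructed challenge format: the word "challenge" plus 8 hex digits.
    return "challenge " + hashlib.sha256(seed).hexdigest()[:8]


def enumeration_leak(nobogus: bool,
                     probes=("alice", "zzz-not-a-user")) -> bool:
    """True if a real and a bogus username produce differently shaped replies.

    This is the check a defender would run against the login prompt after
    changing the setting: the first word of every reply should be the same.
    """
    shapes = {challenge(u, nobogus).split(" ", 1)[0] for u in probes}
    return len(shapes) > 1
```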