
List:       gauntlet-user
Subject:    Re: Security holes
From:       Ian Poynter <ian () jerboa ! com>
Date:       1998-08-31 23:00:42

At 08:43 AM 8/31/98 -0500, cfuss@oxfordassociates.com wrote:
> This is bad because the server should never say "userid nonexistent".
> This allows for a brute force attack based on known and unknown names.
> As I said, it's minor. I saw you also have an encrypted webserver running
> on port 443, so I assume security is somewhat of an issue.
> 
> How worried should I be about this, and what can I do to solve the problem?

Well, I certainly wouldn't want this kind of info to make it out.  If you don't need inbound telnet access, you should remove it from the outside (untrusted) policy, which will prevent anyone from getting this far.

Interestingly, the GUI on Gauntlet 4.1 for Unix has an option under Environment->Authentication->Gauntlet which allows you to choose "Indicate non-existant user on login".  Mine is unchecked, but Gauntlet still does the same thing as your NT scenario.  Commenting out the option that the GUI sets (authsrv: nobogus on) makes all bogus user ids cause a fake challenge.  I guess this is a bug in translating the GUI setting, but there is at least a work-around to the problem.

I don't have the latest and greatest NT installed to look and see if the same option is available there...

Ian


-----
Ian Poynter                                        ian@jerboa.com
Jerboa, Inc.                                      +1-617-492-8084
PO Box 382648, Cambridge, MA 02238          http://www.jerboa.com
Providing unbiased Internet consulting for businesses.
Fingerprints RSA: BA 0C 82 C5 F2 03 3D 95  7C CE FD D3 57 4E 15 73
           DSS: 2769 277A 9F69 F605 3743  D574 C8F5 C147 17D4 76B7
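The two behaviours discussed in this thread, as an added simulation that is not Gauntlet or authsrv code: with the `nobogus` option on, a login attempt for an unknown name is answered with an explicit "userid nonexistent" message, so replies for known and unknown names differ and accounts can be enumerated; with it off, every name receives a challenge of the same shape. The account table, the challenge format and the per-name fake-challenge derivation are constructed for the illustration.

```python
"""Simulation of 'nobogus on' versus fake challenges for unknown users.
Constructed example; not the Gauntlet/authsrv implementation."""
import hashlib
import hmac
import secrets

# Constructed account table: username -> secret used to derive the real challenge.
ACCOUNTS = {"alice": b"alice-token-secret", "bob": b"bob-token-secret"}

# Constructed server key: fake challenges are derived from it so the same unknown
# name always gets the same challenge, and asking twice does not expose the fake.
_SERVER_KEY = secrets.token_bytes(32)

def _format_challenge(digest: bytes) -> str:
    # Real and fake challenges share one shape: 8 hex digits in a fixed prompt.
    return 'Challenge "%s": ' % digest[:4].hex().upper()

def real_challenge(user: str) -> str:
    return _format_challenge(hmac.new(ACCOUNTS[user], b"login", hashlib.sha256).digest())

def fake_challenge(user: str) -> str:
    return _format_challenge(hmac.new(_SERVER_KEY, user.encode(), hashlib.sha256).digest())

def login_prompt(user: str, nobogus: bool) -> str:
    """Reply the server sends after the username is entered."""
    if user in ACCOUNTS:
        return real_challenge(user)
    if nobogus:
        return "userid nonexistent"  # reveals that the account does not exist
    return fake_challenge(user)

def leaks_user_existence(nobogus: bool, probes) -> bool:
    """Defender check: do replies differ in shape across a mix of known and
    unknown names?  True means the prompt alone distinguishes them."""
    shapes = {login_prompt(u, nobogus)[:11] for u in probes}
    return len(shapes) > 1
```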

