At 01:54 PM 12/13/01 -0500, you wrote:

>Hi,
>
>Have you ever had reports of hacking in your Dnews servers?

Yes.

>If so, what kind of attack was it and how to fix them etc...

Frankly it's very hard to answer this question without giving unacceptable
help to hackers who might find old systems that are still exposed as often
people don't upgrade software for years (despite our best attempts to
tell customers when this might be a good idea :-) and I don't agree
that publicizing security faults is good for customers, certainly it
can help to push companies into providing security patches but in my
experience the web sites that make such information public don't generally
check with the company first to allow them to provide their customers with
a fix 'before' telling the hackers how to attack the system (now I'm
getting on my soap box so I'll stop)

I'll answer in more detail in person if you like, but on this forum
I'll just say we strongly recommend you keep up to date with the
latest releases whenever they mention any security features, currently I would
suggest you ensure you have at least dnews5.5d1 or later for dnews and 
dnewsweb.

You can register for email notification of updates etc on this
web page:
         http://netwinsite.com/cgi-bin/dnotice.cgi?cmd=addmodify
(This is a very low volume mailing list, select the 'beta' release option 
if you want to hear urgently about security related features/fixes)

Also note there are some new settings for restricting manager access
to local/known ip addresses, e.g. tellnews_pass_mask 127.0.0.1,10.0.0.*
which are certainly worth using in dnews.conf (although this has never to
our knowledge been used to breach security it's always a theoretical risk)

>What is the best practice for users.
>Is it better to go with your local dnews ones or OS(Windows)?

I recommend using users.dat as it's faster and simpler too.

>If OS, are there ways to give access to certain news groups by the Windows 
>groups not by users?

Yes you can define access by usergroups, but as I say I recommend users.dat 
instead which can also be used to define usergroups

                 ChrisP.

