K, last post, 'cause this IS getting off topic. :)

Ryan Russell wrote:

> If you do that, you can forget ever keeping out anyone you didn't invite.
> Not only can I give away the password (not that guest isn't the first
> one I'd guess anyway) but I can do so without you knowing it
> was me who gave it away.  If I've got my own, at least you can guess
> that it was me that posted it to alt.2600, after 100 uninvited people
> show up.

        That was the general idea - if I put the login and pass into the
banner, and then expect people NOT to log in uninvited, I'd be working
for <name of client removed to preserve anonymity>.  :)  

> My complaint about the happy hacker contests (yes, I'd like to poke
> around in there when I'm bored) is that the machines are so heavily
> loaded down with script kiddies, I can't get in.  Or, when I do, I can't
> get a keystroke in edgewise.

        This is basically what I'm out to avoid.
 
> Requiring SSH, then a unique name and password on the gateway
> that had to be applied for, followed by having to have some account
> on the inside boxen, will help keep the noise down somewhat.

        Exactly.  Most script kiddies can't figure out much past 'gcc -o2 smurf
smurf.c'.  That's MOST - I'm well aware there are some semi-advanced
kids around.  Script-teenagers?  Dunno.
 
> Well, frankly, do what the porn sites do.  Understand that passwords will
> be given away.  Then, you watch for the same account being used
> simultaneously from many IP addresses, and flag it as compromised.

        This is the best suggestion yet - multiple logins are fine, but if
they're from different IPs, it disables the account, kicks the user off,
and mails the owner of the account with time and date, then challenges
them for a second password to rebuild the account - perhaps a challenge
question similar to Hotmail, though not quite so generic. :)  That will
probably be the best way to do it.

> >    EXACTLY!  There truly are; but, in order to do so, you have to both a.)
> >REALLY know what you're doing - have you ever talked in depth about Unix
> >to a script-kiddie? and b.) Put some time and effort into it.  At that
> >point, are you going to stick around for a while and play, or
> >maliciously break stuff for the joy of breaking it? :)  People that know
> >how to MAKE the tools they need are rarely destructive.
> 
> Would I not be leaving the compiler behind after I got it installed properly?

        I'd hope so.  Since you'd need root to do this, I'd also hope that
you'd put a note into a central "root_changes" file or something to give
yourself credit for it. ;)

> I forgot before... make certain that the inside machines can't get back out to
> the Internet.  Otherwise, there is a BIG incentive to get into your playground.

        Heh - that was obvious.  This is the reason for the gateway - building
a private network that can't touch or be touched by the outside world.
The only way in is the gateway, there would be NO way out.

        Cheers,
        - Drew.
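
The shared-account check discussed in this message (several sessions are fine, concurrent sessions from different IP addresses get the account disabled) can be sketched as follows. This is an added example, not code from the original post; the log format, the function name `find_shared_accounts` and the `max_ips` threshold are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample gateway log: (timestamp, account, source IP, event).
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = [
    ("2024-01-01T20:00:00", "alice", "192.0.2.10", "login"),
    ("2024-01-01T20:05:00", "alice", "192.0.2.10", "login"),     # 2nd session, same IP: fine
    ("2024-01-01T20:10:00", "bob", "198.51.100.7", "login"),
    ("2024-01-01T20:30:00", "bob", "198.51.100.7", "logout"),
    ("2024-01-01T21:00:00", "bob", "203.0.113.5", "login"),      # moved after logout: fine
    ("2024-01-01T21:15:00", "carol", "192.0.2.44", "login"),
    ("2024-01-01T21:16:00", "carol", "203.0.113.99", "login"),   # concurrent, different IP
    ("2024-01-01T21:17:00", "carol", "198.51.100.23", "login"),  # arrives after disable
]

def find_shared_accounts(events, max_ips=1):
    """Replay events in time order and return {account: alert} for every
    account that had live sessions from more than max_ips addresses."""
    live = defaultdict(lambda: defaultdict(int))  # account -> ip -> open sessions
    disabled = {}
    for ts, account, ip, event in sorted(events):
        if account in disabled:
            # Account is locked: refuse the login but keep the address as evidence.
            if event == "login":
                disabled[account]["rejected"].append(ip)
            continue
        sessions = live[account]
        if event == "logout":
            if sessions[ip] > 1:
                sessions[ip] -= 1
            else:
                sessions.pop(ip, None)
            continue
        sessions[ip] += 1
        if len(sessions) > max_ips:
            # Disable the account and record what the owner's mail should contain.
            disabled[account] = {
                "when": datetime.fromisoformat(ts),
                "ips": sorted(sessions),
                "rejected": [],
            }
            sessions.clear()  # kick every live session for this account
    return disabled

if __name__ == "__main__":
    for account, alert in find_shared_accounts(SAMPLE_LOG).items():
        print(account, alert["when"].isoformat(), alert["ips"], alert["rejected"])
```

Mailing the owner and the second-password challenge to re-enable the account are left to the caller, which gets the time and addresses it needs from the returned alert.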