>Hi All,
>
>I was just wondering what kind of security mailman offers, as far as
>protecting user passwords goes?
>
>A techy friend of mine has just kindly emailed me a list of all users
>and their passwords! Looking at my server logs it would appear that he
>snuck in somehow via anonymous ftp.
>
>Would closing the anon. ftp service stop mailman working in any way, or
>dya reckon he got in some place else?
>
>Cheers
>
>Dino

You have some big problems if this is what happened. Your entire system is insecure and ready to be (pl)ucked by anyone who has a little know-how. Anonymous ftp should chroot to a specific directory, and if a user can log on to anon-ftp and get more info then it is completely set up wrong.

Closing anon-ftp is a must-do first step. Really, you should do a full system audit, or preferably format and re-install with all clean user info (user/passwd pairs), updated *_everything_* and all programs tightened down to paranoid levels. Take it as a lesson in security, and don't let it happen again is about the best you can get out of this.

The real concern here is the passwords. They are supposed to be encrypted, human-unreadable except by the passwd program OR a *_sniffer_program_*. If your friend was able to get them, so is just about any script-kiddie able to.

------------------------------------------------------
Mailman-Users mailing list
http://mail.python.org/mailman/listinfo/mailman-users