unsubscribe
-- Pozdrowienia, Bartek. ### # Keep It Sipmle Stupid! # # http://sknauk.wpk.p.lodz.pl # ### -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: on potato's proftpd
On Sat, Apr 06, 2002 at 08:48:59AM +, Martin WHEELER wrote:
> On Fri, 5 Apr 2002, Petro wrote:
> > You *like* upgrading 100 servers every few days?
>
> You'll have to ask the scripts that do that stuff for me :)

So you don't mind verifying every couple days that none of your quantity one software is going to break because a security fix changed something?

--
Share and Enjoy.
SSH password authentification and delays
Hi,

I found something quite strange while fiddling with openssh on my firewall... If I try to login using a valid username and a bogus password, I get a slight delay before getting another 'password:' prompt. However, if I use a bogus username _and_ a bogus password, the prompt appears immediately.

I tested this on an up-to-date woody system and a sid one, and both exhibit the same behavior. I cannot believe it is intended, as it could be easily used to guess valid usernames remotely with some kind of brute force scanner.

The pam_unix auth module seems to support a 'nodelay' argument, but that does not fix the whole brute force thing.

Anyone more knowledgeable than me care to comment?
Re: SSH password authentification and delays
On Sat, Apr 06, 2002 at 05:47:14PM +0200, Vincent wrote:
> Hi, I found something quite strange while fiddling with openssh on my firewall... If I try to login using a valid username and a bogus password, I get a slight delay before getting another 'password:' prompt. However, if I use a bogus username _and_ a bogus password, the prompt appears immediately. I tested this on an up-to-date woody system and a sid one, and both exhibit the same behavior. I cannot believe it is intended, as it could be easily used to guess valid usernames remotely with some kind of brute force scanner.

I noticed the same things if the user/pass are on a NIS server exported to the machine I'm logging

cya
Samuele

--
Samuele Giovanni Tonon [EMAIL PROTECTED] http://www.linuxasylum.net/~samu/
Acid -- better living through chemistry. Timothy Leary
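The difference reported in this thread (a delay for a valid username, none for a bogus one) is the usual shape of a username-enumeration timing leak. The following is an added example, not code from any poster and not OpenSSH or PAM code: a hypothetical `UserStore` that contrasts a login check returning early for unknown users with one that performs the same password-hash work either way. All names, the sample account and the work factor are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # constructed work factor for this example


def _kdf(password: str, salt: bytes) -> bytes:
    """Deliberately slow password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class UserStore:
    """Hypothetical credential store used to compare two login paths."""

    def __init__(self):
        self._users = {}
        self.kdf_calls = 0  # counts expensive hash computations
        # Dummy record verified whenever the username is unknown, so that
        # both outcomes cost one KDF computation.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _kdf(os.urandom(16).hex(), self._dummy_salt)

    def add(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[name] = (salt, _kdf(password, salt))

    def _verify(self, password: str, salt: bytes, expected: bytes) -> bool:
        self.kdf_calls += 1
        # Constant-time comparison of the derived hash.
        return hmac.compare_digest(_kdf(password, salt), expected)

    def login_leaky(self, name: str, password: str) -> bool:
        """Returns early for unknown users: response time reveals validity."""
        record = self._users.get(name)
        if record is None:
            return False  # no hashing done, so the answer comes back at once
        return self._verify(password, *record)

    def login_uniform(self, name: str, password: str) -> bool:
        """Does the same hashing work whether or not the user exists."""
        record = self._users.get(name)
        known = record is not None
        salt, expected = record if known else (self._dummy_salt, self._dummy_hash)
        matched = self._verify(password, salt, expected)
        return matched and known  # an unknown user can never succeed
```

A fixed failure delay applied to every rejected attempt, valid username or not, serves the same purpose when the delay rather than the hashing dominates the response time.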
Re: on potato's proftpd
On Fri, 2002-04-05 at 21:54, Petro wrote:
> On Thu, Apr 04, 2002 at 06:24:18PM +, Martin WHEELER wrote:
> > Fine. You wear the same size suit from birth to death; me, I'll adjust according to circumstances.
>
> You *like* upgrading 100 servers every few days?

Certainly. Compared to cleaning up the mess after 100 servers get r00ted, or 100 servers get DOS'd, running apt-get upgrade on 100 servers is a walk in the park. Especially since apt-get upgrade on 100 servers could be scripted to run off a secure internal mirror, whereas doing the cleanup might require attention at the console for each of them.
Re: on potato's proftpd
On Fri, 5 Apr 2002, Petro wrote:
> You *like* upgrading 100 servers every few days?

You'll have to ask the scripts that do that stuff for me :)

--
Martin Wheeler [EMAIL PROTECTED] gpg key 01269BEB @ the.earth.li