On Thu, 2008-04-17 at 12:00 +1000, [EMAIL PROTECTED] wrote:
> Sounds like you are being very thorough in your security.
>
> If you want to add another layer of defense, you can change your
> Apache config to forbid download of the passwd file.
>
> If your /etc/passwd file was really downloaded, it is conceivable a
> password could be cracked, but you limit connections to just a couple
> of addresses.
NOT TRUE. Nothing in /etc/passwd mentions *passwords* in any vaguely modern distro, especially Mandrake 3 and CentOS 5.1 (ref /etc/shadow). Giving passwd to the bad guys lets them try 'keith and james' instead of taking a punt on 'fred and bill'. That is the reason for no root login: the name 'root' is a certain hit. In all the years no one has ever tried my non-standard ssh port!

> If I were in your place, I wouldn't be too worried about this
> message, but I'd take measures to make sure my passwd file was not
> downloadable.
> James

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
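The distinction the reply draws, as an added example that is not part of the original thread: on a shadowed system a leaked /etc/passwd carries no hashes at all, but it does hand an attacker the list of usernames with real shells, while /etc/shadow (which the web server cannot read) decides whether guessing against those names can succeed. The passwd and shadow contents below are constructed for this example and the hash strings are placeholders, not real crypt(3) output; the set of no-login shells is an assumption and varies by distro.

```python
"""Added example (not from the original SLUG thread): what a leaked
/etc/passwd gives an attacker versus what stays in /etc/shadow.

Both sample files below are constructed for this example; the hash
strings are placeholders, not real crypt(3) output.
"""

# Constructed sample /etc/passwd. On a shadowed system the second field
# is the literal 'x'; the real hash lives in /etc/shadow.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
keith:x:500:500:Keith:/home/keith:/bin/bash
james:x:501:501:James:/home/james:/bin/bash
olduser:x:502:502:Old account:/home/olduser:/bin/bash
"""

# Constructed sample /etc/shadow. A hash field beginning with '!' or '*'
# means the account is locked and cannot authenticate with a password.
SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDERHASH:13980:0:99999:7:::
bin:*:13980:0:99999:7:::
daemon:*:13980:0:99999:7:::
apache:!!:13980:0:99999:7:::
keith:$6$saltsalt$PLACEHOLDERHASH:13980:0:99999:7:::
james:$1$salt$PLACEHOLDERHASH:13980:0:99999:7:::
olduser:!$6$saltsalt$PLACEHOLDERHASH:13980:0:99999:7:::
"""

# Shells that deny interactive login (assumed list; extend per distro).
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Parse passwd-format text into {username: fields dict}."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        name, pwfield, uid, gid, gecos, home, shell = fields
        users[name] = {
            "pwfield": pwfield, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell,
        }
    return users


def parse_shadow(text):
    """Parse shadow-format text into {username: hash field}."""
    hashes = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError("malformed shadow line: %r" % line)
        hashes[fields[0]] = fields[1]
    return hashes


def passwd_leaks_hashes(users):
    """True only on a legacy unshadowed system, where field 2 holds a hash
    rather than 'x' (or a lock marker). On any modern distro this is False."""
    return any(u["pwfield"] not in ("x", "*", "!", "") for u in users.values())


def login_capable(users):
    """Usernames learned from passwd that have a real shell: the target
    list the file hands over ('keith' and 'james' rather than a guess
    at 'fred' and 'bill')."""
    return sorted(n for n, u in users.items() if u["shell"] not in NOLOGIN_SHELLS)


def is_locked(hash_field):
    """Locked accounts start with '!' or '*'; no password can match them."""
    return hash_field.startswith(("!", "*"))


def guessable_accounts(passwd_text, shadow_text):
    """Targets from passwd that are also unlocked in shadow, i.e. accounts
    where a password-guessing campaign could actually succeed."""
    users = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    return sorted(
        n for n in login_capable(users)
        if n in hashes and not is_locked(hashes[n])
    )


if __name__ == "__main__":
    users = parse_passwd(SAMPLE_PASSWD)
    print("passwd carries hashes:", passwd_leaks_hashes(users))
    print("usernames with a shell:", login_capable(users))
    print("unlocked targets:", guessable_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW))
```

Run against the constructed files, `passwd_leaks_hashes` is False (every password field is 'x'), `login_capable` yields root, keith, james and olduser, and only root, keith and james survive the shadow check because olduser is locked. Disabling root logins over ssh removes the one name on that list an attacker never needed the file to know.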
