Path: utzoo!attcan!uunet!peregrine!elroy!ames!oliveb!intelca!mipos3!merlyn
From: merlyn@intelob.intel.com (Randal L. Schwartz @ Stonehenge)
Newsgroups: news.sysadmin
Subject: Re: Security checkup
Summary: OK, I'll post
Message-ID: <2975@mipos3.intel.com>
Date: 5 Oct 88 15:59:26 GMT
References: <167@carpet.WLK.COM> <5014@medusa.cs.purdue.edu> <2968@mipos3.intel.com>
Sender: news@mipos3.intel.com
Reply-To: merlyn@intelob.intel.com (Randal L. Schwartz @ Stonehenge)
Distribution: na
Organization: Stonehenge; netaccess via BiiN, Hillsboro, Oregon, USA
Lines: 44
In-reply-to: merlyn@intelob.intel.com (Randal L. Schwartz @ Stonehenge)

In article <2968@mipos3.intel.com>, I wrote:
| In article <5014@medusa.cs.purdue.edu>, spaf@cs (Gene Spafford) writes:
| |
| | Here's a very rough list of things to check:
| [...]
| | 9) If your system logs bad login attempts to the console, or
| | bad attempts to change passwords, then be sure to audit your
| | logs -- frequently!
| [...]
| | I know how to use all but 8 & 9 to break into
| | systems, and I am certainly not the only one.
|
| Arrgggh. No. If you have a feature that "logs bad login attempts to
| the console" TURN IT OFF. This is a *bad* *idea* (as Dave Barry would
| put it). This has been discussed in security circles, and even on
| this net, if I remember correctly.

OK, enough people mailed me (hint: stop sending mail!!) saying "How?",
and one person even said "If you were trying to keep this from bad guys
by not posting, how do you know I am not a bad guy?" Good point.

4.3bsd for example logs just the username to the console. This would
seem secure, but in all the times you have logged in, have you
never-ever-ever because of network delays, or not paying attention,
accidentally entered your password when it said "username"? THAT'S THE
PROBLEM. Those that have looked into this have noticed that the "bad
login" log almost always contains a valid password *in the clear* during
any typical work day.

Their conclusion: if a bad login log is maintained, it should have
"login failed", but no username if not a valid username.

Those that have said "my console log is in a secure place" are only
slightly better off. Do you still want a piece of paper that is known
to have hardcopy of at least one good password per day floating around
the comp center?

Enough rambling. Back to hacking with "at"... :-)
-- 
Randal L. Schwartz, Stonehenge Consulting Services (503)777-0095
on contract to BiiN Technical Information Services (for now :-),
in a former Intel building in Hillsboro, Oregon, USA
or ...!tektronix!inteloa[!intelob]!merlyn
Standard disclaimer: I *am* my employer!
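The rule the post recommends (record "login failed", but name the account only when the name is a real account), as an added example that is not part of the original post: it rewrites failed-login entries so an unknown "username" is never echoed, and audits an existing log to count entries whose name is not an account, which are the probable mistyped passwords. The console line format and the account list are constructed for illustration, not 4.3bsd's actual format.

```python
# Added example (not from the post): apply the "no username unless it is a
# valid username" rule to failed-login logging, and measure the exposure
# in an existing log. Log format and account list are constructed.
import re

KNOWN_USERS = {"root", "daemon", "merlyn", "spaf"}

# Constructed console lines in a hypothetical "LOGIN FAILURE ON tty, name" form.
# Two of the "names" are what a user typed at the username prompt by mistake.
SAMPLE_CONSOLE = """\
Oct  5 09:12:01 LOGIN FAILURE ON ttyp1, merlyn
Oct  5 09:12:07 LOGIN FAILURE ON ttyp1, s3cret!pw
Oct  5 11:40:22 LOGIN FAILURE ON ttyp3, spaf
Oct  5 11:40:30 LOGIN FAILURE ON ttyp3, my.pa55wd
Oct  5 13:05:00 LOGIN FAILURE ON console, root
"""

FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) LOGIN FAILURE ON (?P<tty>\S+), (?P<name>.*)$"
)


def sanitize_failed_login(name, known_users=KNOWN_USERS):
    """Log text for one failed attempt; an unknown name is withheld, not echoed."""
    if name in known_users:
        return f"login failed for {name}"
    return "login failed (unknown account, name withheld)"


def rewrite_console_log(text, known_users=KNOWN_USERS):
    """Rewrite old-style failure lines into the safe form; other lines pass through."""
    out = []
    for line in text.splitlines():
        m = FAILURE_RE.match(line)
        if not m:
            out.append(line)
            continue
        out.append(f"{m['ts']} {m['tty']}: {sanitize_failed_login(m['name'], known_users)}")
    return out


def count_leak_candidates(text, known_users=KNOWN_USERS):
    """Audit an existing log: failures whose 'name' is not an account are likely passwords."""
    return sum(1 for line in text.splitlines()
               if (m := FAILURE_RE.match(line)) and m["name"] not in known_users)


if __name__ == "__main__":
    print(f"{count_leak_candidates(SAMPLE_CONSOLE)} entries likely contain a password")
    print("\n".join(rewrite_console_log(SAMPLE_CONSOLE)))
```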