Date:      Mon, 17 Jan 2000 00:40:45 +1100
From:      aunty <aunty@comcen.com.au>
To:        Igor Roshchin <igor@physics.uiuc.edu>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Disallow remote login by regular user.
Message-ID:  <20000117004045.G14280@comcen.com.au>
In-Reply-To: <200001161255.GAA19043@alecto.physics.uiuc.edu>
References:  <20000116214058.D14280@comcen.com.au> <200001161255.GAA19043@alecto.physics.uiuc.edu>

On Sun, Jan 16, 2000 at 06:55:46AM -0600, Igor Roshchin wrote:
> 
> I realize that everybody might have a local, rather weird situation.
> However, it sounds like you have some problems which are not related
> to the _system_ administration, but just to the _personnel_ administration.

Show me a site that doesn't :-) How many incidents are the result of a
mistake or lack of insight/understanding or communication of the personnel?
Enough to make optimistic predictions about future staff actions unwise.

> I mean that you are trying to protect your machine from somebody else,
> changing its configuration (modification of /etc/shells, /etc/inetd.conf)..
> 
> System can not be made fool-proof from one who has root-privileges. :)

Certainly :-) That doesn't mean one should stop offering extra precautions.
Even if they don't deserve protection from themselves, their users do.
For this particular machine, the security/convenience balance can
afford to sway towards less convenient and more safe, so why not.

> Let me throw in one more stone in this pile of solutions.
> Unless I missed it, nobody has mentioned it yet.
> 
> One can configure tcpd (tcpwrappers) - "hosts.deny" (hosts.allow) file
> to disallow any external access from any host via any protocol,
> while allowing connections from specific hosts via specific protocols.
> 
> While this does not do any per user access limitations, it still
> can help you or other folks asking earlier in armoring their boxes.
> 
> Hope this helps...

Thanks :-)

-- 

Regards,
        -*Sue*-
 


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message