securing shell accounts discussion

securing shell accounts discussion

Post by David Hil » Tue, 29 Aug 2000 04:00:00



I know offering shell account services is dangerous because of all the
script and warez kiddies.  Blocking warez could be as simple as using
quotas.

What are some ways, if any, to prevent abuse on systems.

For example:  for (;;) fork();

I am not sure of all the problems that occur with offering shell accounts.
Would anyone be willing to share problems they face and possible solutions
for them?

Thanks
David

 
 
 

securing shell accounts discussion

Post by Phi » Wed, 30 Aug 2000 04:00:00



Quote:>I know offering shell account services is dangerous because of all the
>script and warez kiddies.  Blocking warez could be as simple as using
>quotas.

>What are some ways, if any, to prevent abuse on systems.

>For example:  for (;;) fork();

>I am not sure of all the problems that occur with offering shell accounts.
>Would anyone be willing to share problems they face and possible solutions
>for them?

Setting proper ulimits for each user.
On FreeBSD each user is in a separate login class, (you can control which
login classes people are in by using pw, man 8 pw)
By default on FreeBSD /etc/login.conf holds information about the different
ulimits by default, so for example

# Default users login
default:\
        :copyright=/etc/COPYRIGHT:\
        :welcome=/etc/motd:\
        :setenv=MAIL=~/.mailspool,BLOCKSIZE=K:\
        :path=/bin /usr/bin /usr/local/bin\
        :nologin=/var/run/nologin:\
        :cputime=600:\
        :datasize=50M:\
        :stacksize=50M:\
        :memorylocked=50M:\
        :memoryuse=50M:\
        :filesize=50M:\
        :coredumpsize-max=50M:\
        :coredumpsize-cur=0k:\
        :openfiles=300:\
        :maxproc=50:\
        :timezone=Europe/Dublin:\
        :umask=022:

This sets some default values, cputime, memorylock, max processes, etc.
man 5 login.conf for more details.
Phil.

 
 
 

securing shell accounts discussion

Post by Chuck Swige » Thu, 31 Aug 2000 04:00:00



> What are some ways, if any, to prevent abuse on systems.

Set resource limits.  Limit your userbase to responsible individuals.  Have
monitoring tools in place and out-of-band management capabilities.

-Chuck


        -------------+-------------------+--------------------
        "Pavlovian slaver at the cash till ring of success..."