LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 05-17-2005, 09:54 AM   #1
hagen00
LQ Newbie
 
Registered: May 2005
Distribution: Debian Sarge, Ubuntu Dapper
Posts: 14

Rep: Reputation: 0
local user name and password exposed


Hello,

i am new to linux and am wondering what the security implications are if a local user name and password gets into the hands of the wrong people.

Why i ask this is because i'm doing an ftp upload and for this i've created a java applet, that has a hard coded username and password. It's fairly easy to decompile java code and get access to this user information - who is the apache user.

Is this a big problem? If i restrict ssh to only allow one user eg ssh_user then what harm can a cracker do, armed with my apache user name and password? What other means are there of making use of this? Telnet is disabled...Can this be used to access my system in any other way?

Thanks!

hagen
 
Old 05-17-2005, 10:34 AM   #2
PTrenholme
Senior Member
 
Registered: Dec 2004
Location: Olympia, WA, USA
Distribution: Fedora, (K)Ubuntu
Posts: 4,151

Rep: Reputation: 331Reputation: 331Reputation: 331Reputation: 331
Wouldn't a better question be "How do I configure FTP so uploads do not require a userid and password?" I believe that this is the way almost all ftp sites are configured, and the risk, however small, of exposing user names and passwords is avoided.

And haven't you somewhat increased you risk by advertising, in a public forum, your intent to make your system's user name and password part of your script?

As to the answer to my proposed question, there are several documents available (here and elsewhere) which provide such methods -- and I'm not actually knowledgeable enough to offer any better advice than the common one to RTM.
 
Old 05-17-2005, 10:43 AM   #3
hagen00
LQ Newbie
 
Registered: May 2005
Distribution: Debian Sarge, Ubuntu Dapper
Posts: 14

Original Poster
Rep: Reputation: 0
Hi,

thanks for your reply. I can configure vsftpd to use anonymous uploads (it should do so by default) but for some reason my vsftpd server doesn't like anon connections. But i'm sure i can fix that somehow. So i'm not asking for ftp setup help.

My question was actually just what harm people can do with a username and password combination...judging from your reply...lots of harm it seems. But how? Through ssh? That can be made secure quite easily i think. How else? How else can remote users log into your system with a username and password combination...

Thanks

h
 
Old 05-17-2005, 10:57 AM   #4
PTrenholme
Senior Member
 
Registered: Dec 2004
Location: Olympia, WA, USA
Distribution: Fedora, (K)Ubuntu
Posts: 4,151

Rep: Reputation: 331Reputation: 331Reputation: 331Reputation: 331
The problem is that there are lots of clever people out there, and it only takes one of them to find a way to exploit your system. Handing them the keys doesn't make it harder. My point: I'm not sure what specific problems you'd have, but strongly suspect that you don't want to find out.

I was just looking at another post, and found a reference to "http://pureftpd.sourceforge.net/" which is a "Secure" FTP server. I did understand that you weren't looking to replace your FTP server, but you might want to take a look at that one.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Setup local machine to allow lan machines to retrieve its local user mail. Brian1 Linux - Networking 3 03-30-2006 05:04 AM
Help! Cannot Add a User to User Manager or Change Root Password lennysokol Linux - General 2 06-25-2005 09:59 AM
Samba -- XP user can log in to shares but smbclient user always gets password errors ejoe Linux - Software 3 04-18-2005 10:55 AM
what is the command to make a user change their password after creating a new user? naweenio Linux - Newbie 7 01-05-2005 07:07 AM
change password local user vsftp ?? cosmonate Linux - Security 8 02-19-2003 07:56 AM


All times are GMT -5. The time now is 03:30 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration