-------------- Original message ----------------------
From: "Dave Yeo" 
> On Tue, 07 Mar 2006 04:50:37 +0000, rallee2{at}comcast.net wrote:
> 
> > Unless one has aridiculous number of services starting
automatically OS/2 is 
> extrememly secure
> 
> Actually filesharing using the stock netbios over tcpip is very
insecure on OS/2 
> due to 
> the weak user and password encrypting.
> IIRC all letters are capitialized and limited to 8 chars split into 2 blocks of 
> 4 chars. So a 
> brute force attack could easily succeed.
> I'd imagine the samba port is secure.
> Dave
> 

  Hello Dave
   I'd like to ask you if you've ever actually been compromised even
through netbios over TCPIP?  While I agree that password discovery might be
feasible any decent firewall and/or port sentry will prevent the vast
majority of attacks even if all one does is to put services vulnerable on
ports above 1024.  I commonly use ports above 55000 since most bots stop
searching for ports above 1024 and actively "patrol" ports below
1024.  It's just too time consuming for whatever it might be worth on a
personal PC, even a business oriented one, not to mention that predators
pick on weak prey.  Any indication that a network is admin'd by someone
savvy generally sends black hatters scurrying off to find the all too
commonplace unprotected networks.  Why risk getting caught? 

  You can't connect to enter a username and password without capturing a
socket through a port.  It is quite easy to setup one's logs to print out,
either on paper (dot-matrixes get LOUD) or to an alarm file or any number
of apps designed to monitor such things so that even a simple ping will
come to your immediate attention.   Then you can decide to traceroute him,
DDOS him, or simply shutdown either the network or the machine if you're
particularly paranoid.  All I'm saying is that relying on name and password
alone is the big mistake.  There are numerous workarounds handled by
permissions, etc that can increase security even when file-sharing is
allowed.  Box it off.  Plus, invest a little time into setting up the
network port structure and alarms and it is as safe as it gets.  Well, I
suppose one could actually employ a hardware firewalled router in between
the hotel connection and your PC at minimal cost to add another layer if
one is either excessively parnoid or carries around t

ruly sensitive data on one's box.

  Incidentally the Nessus security testing platform includes several types
of brute force applications and a few that are truly viscious.  As I said,
my simple network on OS/2 resisted it totally during a continuous,
multi-pronged, 45 minute attack attempt.  Not only must one get in, one has
to be able to do something "useful" once you're in.  There are
many ways to isolate any user not specifically named, and if you are the
only one named, that's everybody else if you disallow multiple login
instances.  I know a guy who sets his network available binary path to a CD
containing the binaruies.  That way he can't be root-kitted since one
cannot rewrite, delete, or copy over a CD. He says it can be limiting for
him as well but when he wants total security he can run a script which
activates the changeover.  There's just lot's of ways to be secure.

Jimmy


 
Yahoo! Groups Links

 To visit your group on the web, go to:
    http://groups.yahoo.com/group/os2hardware/

 To unsubscribe from this group, send an email to:
    os2hardware-unsubscribe{at}yahoogroups.com

 Your use of Yahoo! Groups is subject to:
    http://docs.yahoo.com/info/terms/
 



---