[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: security standards

good luck.

I've been trying to get people to take the simple precaution of closing idle sessions for years and, apart from having one employee compare me unflatteringly to his toddler son, I've basically had no response.

never mind that an idle session (on a locked terminal) is how monkey.org got hacked, remotely a few years ago.


On Mar 14, 2005, at 11:51 PM, Willie Northway wrote:

On Mar 14, 2005, at 10:32 PM, gelle@xxxxxxxxx wrote:
Since we don't audit desktop security (screensaver locking, etc) I wonder
about this risk of this, since they could be open over weekends, holidays,
etc. This seems like a big vulnerability to me.

I wholeheartedly agree. I'd suggest cutting off anyone's session that's been idle for longer than an hour or two. I'd suggest using something like these parameters in /etc/openssh/sshd_config (or whatever the equivalent is for Solaris):

ClientAliveInterval 300		#every 5 minutes
ClientAliveCountMax 18		#5 min. x 18 tries == 90 minutes

These are totally arbitrary values. But seriously, how difficult is it to enter your username and password to login again?

- Willie

Willie Northway                  University of Michigan Webmaster Team
http://willienorthway.com/       http://www.umich.edu/~umweb/


... being a rock I am without movement ...