On Sat, 2006-04-01 at 10:28, Craig White wrote:
> I hear people talk about the lack of security in Windows but it seems to
> me, exposing a Linux system to the Internet with shell accounts and weak
> passwords is far more insecure than a typical Windows system.

There's about 50,000 reasons you are wrong, mostly in the form of Windows viruses that attack the rpc and similar services. On Windows you don't need the equivalent of shell access since you can do anything through the remote management console. As long as unpatched exploits exist (and they are still being found), passwords don't matter. Even without exploits, anything running with domain admin privileges can do anything/anywhere and if you don't have a domain the same is true for machines that share the same admin password. Thus even if the rpc, netbios, and http ports are firewalled, if you can get an admin to execute a trojan or open an email that auto-executes, you've got access to the whole network.

Not that your point about bad passwords is any less valid... The missing piece on Linux is an option to rate-limit password guessing in ssh and automatically blacklist addresses that fail more than a few times. There are some add-on wrappers, but sshd should do it by itself with some sane defaults.

--
  Les Mikesell
   lesmikesell@xxxxxxxxx