Re: security issues & LOCALHOST
- Posted by Hawke' <mdeland at GEOCITIES.COM> Dec 19, 1998
- 358 views
isaac wrote: >In fact, no matter >the encryption sceme, if the attacker has access to >the server source, he >can break in. nooooo.... :) you may have missed my other post about this, or perhaps i could have phrased it better... if u r runnin on win9x, then it's entirely likely that no one but you has access to your machine, directly, unless you allow people via some sort of PCAnywhere clone. Ignoring that situation for now, let's look instead at a winNT type of setup, whereby your machine is not only hosting a FTP/HTTP/whatever server with EUServ, but also allows "shell" accounts as well. In my prior post, I described how allowing a person designated as a "coder" might be allowed to have access to the code, but not be able to do anything about it. To wit: if you run the server as a "root" process, then the only way to shutdown and restart the server is 1> internally with the reboot command or the shutdown command, if you are trusted to IMPLEMENTOR level. 2> using the winNT equivalent of "kill" if you are logged into the winNT machine as root. So, the coder makes changes to the code, but unless he has root priv on your machine, or is designated an IMPLEMENTOR within the server itself, he cannot make those changes effective. After this coder makes the changes, it would be up to you to review the changes he made before restarting the server to implement the changes. I really do not see any benefit to having coders, that have access to the code, with priv enough to *change* the code, (after all, the priv on the code itself should NOT be set to allow modification by 'world', only 'owner' and 'group') and not have these people actually be trusted enough to be set to IMPLEMENTOR level anyway... if you trust them enough to give them a shell to your machine and enough to allow them to change your code (by adding them to the 'group' that the code priv is assigned), i cannot see you not trusting them enough to be IMPLEMENTOR level anyway.... BUT!, the provision and the technique is there if you dont trust them enough and you still want their help coding... hopefully, this rephrasing will explain things a wee better??? > I ran "telnet localhost 9000" > telnet opened and told me "could not open a connection with localhost" > what did I do wrong? technically, nothing... technically, everything :) there is a problem/quirk with win9x and localhost that was discovered recently, and it basically doesn't work.... you can do one of two things: 1> replace the word localhost with the *name* of your machine. the name of your machine is found in (potentially) 2 places. one of these places takes precedence over the other... under control panel/networking choose the identification tab, and write down what it says your "Computer Name" is, unless it's blank. then, click the configuration tab, and highlight the tcp-ip mapping to dialUpAdapter, then properties for that setting. then, choose DNS configuration tab. Irregardless of whether it says that DNS is Enabled or Disabled, just under the EnableDNS radio box/circle, you will see Host and Domain. write down what is entered where it says Host. In theory, these two setting should be the same... continously hit the 'cancel' button until you are out of control panel... now, crank the server, and try the name you found listed under Host (dns config) first: telnet {Host} 9000 if that doesnt work, try the name you found under Computer Name, telnet {CompName} 9000.... if neither of these entries have anything in them, you could place something in there that you would like your machine to be named. place it into both locations, before you hit any ok/cancel buttons, then hit 'ok' and it'll prolly gripe that you need the win95 cd. clear the modal window and when it is showing you the file location/open dialog box, (like d:\ browse) and you will likely be looking for something with the word secur??.dll... if all that seems like is what is happening, click CANCEL.... you do NOT need to go find/replace secur??.dll... then after the cancel is pressed, you will (should be) asked to reboot... if you have anything running, close it all down, saving as you go... then yes, reboot to have win9x snarf your new machine name... after all that, if you followed me, and my explanation via typing of this is prolly not as good as it could be... when you retry telnet {newhostname} 9000 and you are NOT connected to the internet, it *should* work. 2>if you are connected to the internet, you can use telnet {yourIP} 9000... (the ip that winipcfg likely gave you unless you are using a gateway or firewall... a whole new concept...) the method (#1) above worked for me, & worked well. it also worked for Blackdog and Isande. furthermore, Isande and I have a multiple machine intranet here, and the technique allows us to boot the server on any machine within the lan and telnet {specificmachinename} 9000 and walk right on into the server... even more fun, I have found a method whereby you can host the EUserver **INSIDE** a gateway/lan, as in **behind** a firewall, on a dedicated machine (if u desire) or any machine of your choosing behind the gateway machine, and people outside the local lan can telnet into the local lan and to the proper machine within the lan and access the EUServer :) its a bit of work tho :) hope this helps all those that have been asking about localhost issues... _/ _/ _/_/_/ _/ _/ _/ _/ _/_/_/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/_/_/ _/_/_/ _/ _/ _/_/ _/_/ _/ _/ _/ _/ _/_/_/ _/ _/ _/ _/ _/ _/ _/ _/_/_/ _/ _/ _/_/_/ ({<=----------------------------------------=>}) ({<=- http://members.xoom.com/Hawkes_Hovel> -=}) ({<=----------------------------------------=>})