
Re: Secure Finger Daemon



I'm not sure which are secure. However, if you plan to use any of them, I
suggest using tcp-wrappers (tcpd) via inetd (or xinetd). Then edit your
hosts.allow file and explicitly allow only certain machines to access your
box.

Also, consider running whichever finger daemon as a separate user (i.e.
finger). Most of the famous exploits of finger are due to the fact that it
is often run as root. However, fingerd requires no information that
requires root access to the machine.

		-rishi

On 5 Jan 2002, eim wrote:

> Hello,
>
> I'm planning to install a secure finger daemon
> on one of the public boxes I admin.
>
> Well, out there are really many different finger
> daemons and in the Debian stable tree I can find:
>
> 	* efingerd - Another finger daemon for unix
> 		   capable of fine-tuning your output.
> 	* xfingerd - BSD-like finger daemon with qmail support.
> 	* ffingerd - A secure finger daemon
> 	* fingerd - Remote user information server.
> 	* cfingerd - Configurable and secure finger daemon
>
> So I've considered using fingered which should be secure.
>
> Often I hear and read about exploited finger daemons which
> gave the attacker system access so I'm asking on this list
> help about the F Daemon.
>
> Which Finger daemon is *really* secure ?
> Shouldn't I install this service at all ?
> Any experiences about compromised systems ?
>
> Thanks for any help !
> Have a nice time,
>  - Ivo
>
> --
>
>  »« »« »« »« »« »« »« »« »« »« »« »« »« »« »«
>  Ivo Marino                    eim@eimbox.org
>  UN*X Developer, running Debian GNU/Linux
>  irc.OpenProjects.net #debian
>  http://eimbox.org
>  »« »« »« »« »« »« »« »« »« »« »« »« »« »« »«

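The setup suggested in the reply above, written out as an added example that is not part of the original message: the finger service is started by inetd through tcpd under an unprivileged account, and hosts.allow/hosts.deny restrict who may connect. The daemon path `/usr/sbin/in.fingerd`, the pre-existing `finger` account, and the client addresses (documentation ranges) are assumptions.

```conf
# /etc/inetd.conf
# inetd starts tcpd, which checks the client and then execs the real daemon.
# The fifth field is the account the daemon runs as: the unprivileged
# "finger" user (assumed to exist already), not root.
# service  socket  proto  wait    user    server          argv
finger     stream  tcp    nowait  finger  /usr/sbin/tcpd  /usr/sbin/in.fingerd

# /etc/hosts.allow
# Consulted first. A client that matches here is granted access.
# One admin host and one subnet (constructed example addresses).
in.fingerd: 192.0.2.10, 198.51.100.0/255.255.255.0

# /etc/hosts.deny
# Consulted only when nothing in hosts.allow matched.
# Without this line, unmatched clients would be allowed by default.
in.fingerd: ALL
```

inetd has to reread its configuration (SIGHUP) after inetd.conf changes, while hosts.allow and hosts.deny are read on each connection. `tcpdmatch in.fingerd 192.0.2.10` reports how tcpd would treat a given client without connecting.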

