also sprach Matthias Juchem <lists@konfido.de> [2002.01.07.0244 +0100]: > The big problem are the ssh shell accounts. The user can start almost any > program that listens on a socket. You wouldn't have log files from this > program and you can only account the outgoing traffic with iptables. well no, i can block everything but the expected service ports with iptables. i do that anyway... users can still use high ports for data connections from the inside to the outside, but they can't connect to any port that i don't want them to. but yes, they can create active sockets... -- martin; (greetings from the heart of the sun.) \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck three things are certain: death, taxes and lost data. guess which has occurred.
Attachment:
pgpNKbGMXU67F.pgp
Description: PGP signature