Книга: Linux Network Administrator Guide, Second Edition

Protecting Yourself Against Swindlers

Protecting Yourself Against Swindlers

A major problem with UUCP is that the calling system can lie about its name; it announces its name to the called system after logging in, but the server doesn't have any way to check it. Thus, an attacker could log into his or her own UUCP account, pretend to be someone else, and pick up that other site's mail. This is particularly troublesome if you offer login via anonymous UUCP, where the password is made public.

You must guard against this sort of impostor. The cure for this disease is to require each system to use a particular login name by specifying a called-login in sys. A sample system entry may look like this:

system          pablo
... usual options ...
called-login    Upablo

The upshot is that whenever a system logs in and pretends it is pablo, uucico checks whether it has logged in as Upablo. If it hasn't, the calling system is turned down, and the connection is dropped. You should make it a habit to add the called-login command to every system entry you add to your sys file. It is important that you do this for all systems in your sys file, regardless of whether they will ever call your site or not. For those sites that never call you, you should probably set called-login to some totally bogus user name, such as neverlogsin.

Оглавление книги