Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!accuvax.nwu.edu!delta.eecs.nwu.edu!phil
From: phil@delta.eecs.nwu.edu (William LeFebvre)
Newsgroups: comp.unix.wizards
Subject: Re: Unix network security (was "CERT Internet Security Advisory")
Message-ID: <1068@accuvax.nwu.edu>
Date: 18 Aug 89 20:49:34 GMT
References: <3855@fy.sei.cmu.edu> <1064@accuvax.nwu.edu> <3942@phri.UUCP> <35131@wlbr.IMSD.CONTEL.COM>
Sender: news@accuvax.nwu.edu
Reply-To: phil@delta.eecs.nwu.edu (William LeFebvre)
Organization: Northwestern U, Evanston IL, USA
Lines: 20

In article <35131@wlbr.IMSD.CONTEL.COM> sms@WLV.IMSD.CONTEL.COM.UUCP (Steven M. Schultz) writes:
>	How about inverting the meaning of ".netaccess"?  By this I
>	mean making it a list of hosts/addresses to be rejected.

I was thinking of having two files, along the lines of the new "cron":
".login.allow" and ".login.deny".  There should probably also be a
provision for a system-wide default, so that for example the sysadmin
could set up all accounts to allow remote logins for "*.eecs.nwu.edu".

You really don't want just a list of "bad guys".  In my thinking,
anyone I can't explicitly name is suspect.  Not because of the
sysadmin or the users at that particular site (after all, they are
just as susceptible to breakins as I am), but more because it is
easier and quicker for me to name those sites I want to log in from
than those I never want to log in from.

		William LeFebvre
		Department of Electrical Engineering and Computer Science
		Northwestern University
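
Added example, not part of the original post and not code from any real login program: a sketch of how the proposed ".login.allow" / ".login.deny" pair with a system-wide default could be evaluated. The precedence (allow file wins over deny file, as in cron's allow/deny pair), the one-pattern-per-line file format, and all function names are assumptions; the host names in the sample data are constructed.

```python
from fnmatch import fnmatchcase

def parse_patterns(text):
    """Parse an access file: one host pattern per line, '#' starts a comment
    (assumed format; the post does not specify one)."""
    patterns = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower().rstrip(".")
        if line:
            patterns.append(line)
    return patterns

def host_matches(host, patterns):
    """Case-insensitive glob match against the whole host name.
    The name is assumed to have been verified already (for example by a
    forward lookup of the reverse-resolved name), since reverse DNS alone
    is controlled by whoever owns the connecting address."""
    host = host.strip().lower().rstrip(".")
    return any(fnmatchcase(host, p) for p in patterns)

def remote_login_allowed(host, user_allow=None, user_deny=None, system_allow=None):
    """Each list argument is None when the corresponding file does not exist.
    Assumed precedence, modelled on cron's allow/deny files:
      1. ~/.login.allow exists  -> only hosts listed there may log in
      2. ~/.login.deny exists   -> any host not listed there may log in
      3. system-wide default    -> only hosts listed there may log in
      4. nothing configured     -> refuse (unnamed hosts are suspect)"""
    if user_allow is not None:
        return host_matches(host, user_allow)
    if user_deny is not None:
        return not host_matches(host, user_deny)
    if system_allow is not None:
        return host_matches(host, system_allow)
    return False

# Constructed sample data: a site default and one user's personal files.
SYSTEM_DEFAULT = parse_patterns("# site policy\n*.eecs.nwu.edu\n")
USER_ALLOW = parse_patterns("accuvax.nwu.edu   # the only host I log in from\n")
USER_DENY = parse_patterns("*.example.org\n")

if __name__ == "__main__":
    for h in ("delta.eecs.nwu.edu", "accuvax.nwu.edu", "host.example.org"):
        print(h,
              "default:", remote_login_allowed(h, system_allow=SYSTEM_DEFAULT),
              "allow-file:", remote_login_allowed(h, user_allow=USER_ALLOW,
                                                  system_allow=SYSTEM_DEFAULT),
              "deny-file:", remote_login_allowed(h, user_deny=USER_DENY))
```

With only a deny file present, a host nobody has ever heard of is still let in; with an allow file or the site default, it is refused without anyone having to list it.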