On Tuesday, December 11, 2012, at 7:48:13 AM, Richard Shaw wrote:
> On a side note, system accounts shouldn't have shell access for
> security reasons; when I want to log in as backuppc I have to use "su
> -s /bin/bash backuppc" or something like that.

This is definitely worth emphasizing. The only time I've been invaded in
the past decade was a result of allowing backuppc to have shell access,
together with other security failures such as allowing EXEC permission to
my FTP server for logged-in and authenticated users, and using passwords
rather than private keys for authenticating the Win98 boxes. The invader
somehow managed to log in via FTP, as backuppc, and search my LAN. While I
discovered the intrusion within an hour or two, I had to reformat every
machine on the LAN and re-install everything.

I no longer allow EXEC via FTP for anyone, and have taken the Win98 boxes
off line. The backuppc user is more tightly restricted, on the "need to