[CentOS] duqu

Ljubomir Ljubojevic office at plnet.rs
Wed Dec 7 10:32:00 UTC 2011


Time: 12/07/2011 11:12 AM, Johnny Hughes writes:
> On 12/07/2011 03:59 AM, Nicolas Thierry-Mieg wrote:
>> Lamar Owen wrote:
>>> On Tuesday, December 06, 2011 04:58:42 PM Lamar Owen wrote:
>>>> I happen to have a copy of an older brute-forcer dictionary here (somewhere) and it's very large and has lots of very secure-seeming passwords in it.
>>>
>>> I ran down the copy I have; here's an excerpt of one of the dictionaries:
>>> ++++++++
>>> root:P7zkJTma
>>> root:5D8DY22
>>> root:mc99ZR34Z
>>> root:IVEUFc
>>> root:JJc9DicA
>>> root:zzzzzzz
>>> root:4m3ric4n
>>> root:3nglish
>>> root:g0v3rm3nt
>>> root:4zur3
>>> root:bl4ck
>>> root:blu3
>>> root:br0wn
>>> root:cy4n
>>> root:crims0n
>>> root:d4rkblu3
>>> root:d4rk
>>> root:g0ld
>>> ++++++++
>>>
>>> Yeah, some of those would ordinarily be relatively secure-seeming passwords.
>>
>> alphanumeric only isn't so secure-seeming is it? Is this for admins who
>> log in with a cell phone instead of a real keyboard? ;-)
>> seriously: I thought the consensus was that a secure password should
>> contain at least one or more non-alphanumeric characters.
>
> The real bottom line is that the only way you should allow access to
> your machine is via keys ... having an ssh port exposed to the internet
> that allows password logins is, at some point, going to be breached if
> someone wants to breach it.
>
> You could substitute a | or a ! for some i's in the above passwords and
> the brute force checker will find those as well.
>
> The real issue is that passwords are not going to cut it as your primary
> security measure to keep people out.
>
> You need to limit the ssh port to allowed IP addresses (or subnets), you
> need to use keys (maybe even keys with pins as secondary option for more
> security) to access that "IP address controlled" ssh port, and you need
> to turn off remote root access and allow access from other users who
> need to run sudo to get root.
>
> If you leave a password controlled ssh port that allows root login
> exposed to the Internet, then the only reason it is not breached is that
> someone has not yet had a desire to breach it.
>

There is also the use of denyhosts and fail2ban. They allow only a few 
attempts from one IP, and all users can share attacking IPs (default is 
every 30 min), so you are automatically protected from known attacking 
IPs. Any downside to this protection?


-- 

Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your
trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant
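Turning the quoted advice into a check, as an added example that is not code from the thread or from the CentOS project: a POSIX sh audit of an sshd_config's global section for password logins, remote root login and a missing AllowUsers list, honouring sshd's first-occurrence rule for repeated keywords. Source-address limits are assumed to live in the firewall and are not checked; an absent keyword is assumed to take the permissive value "yes".

```shell
#!/bin/sh
# Added example (not from the thread): audit sshd_config against the advice
# quoted above: no password logins, no remote root login, and logins limited
# to named accounts that use sudo. Firewall/source-address limits are out of scope.

# Effective value of a global keyword. sshd honours the FIRST occurrence of a
# keyword (case-insensitive), so a "no" placed after an earlier "yes" is dead
# text. Match blocks are not examined (they can re-enable settings per host).
sshd_effective() {            # $1 = config file, $2 = keyword; prints the value
  awk -v key="$2" '
    /^[ \t]*#/ || /^[ \t]*$/      { next }            # skip comments and blanks
    tolower($1) == "match"        { exit }            # end of the global section
    tolower($1) == tolower(key)   { print $2; exit }  # first occurrence wins
  ' "$1"
}

# Prints one finding per line; the return code is the number of findings.
# Assumption: an absent keyword is treated as the permissive default "yes"
# (the OpenSSH default for both keywords when this thread was written).
audit_sshd_config() {
  cfg=$1; findings=0
  pa=$(sshd_effective "$cfg" PasswordAuthentication); pa=${pa:-yes}
  prl=$(sshd_effective "$cfg" PermitRootLogin);       prl=${prl:-yes}
  au=$(sshd_effective "$cfg" AllowUsers)
  [ "$pa" = no ]  || { echo "PasswordAuthentication is '$pa' (want: no)"; findings=$((findings+1)); }
  [ "$prl" = no ] || { echo "PermitRootLogin is '$prl' (want: no)";       findings=$((findings+1)); }
  [ -n "$au" ]    || { echo "no AllowUsers list: any account may log in"; findings=$((findings+1)); }
  return $findings
}

# Wrapper that audits a config held in a string (used for the samples below).
audit_sshd_string() {
  tmp=$(mktemp) || return 99
  printf '%s' "$1" > "$tmp"
  audit_sshd_config "$tmp" && rc=0 || rc=$?
  rm -f "$tmp"
  return $rc
}

# Constructed sample configs (not taken from any real host).
WEAK_CFG='PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no   # too late: sshd already took the earlier "yes"
'
HARD_CFG='PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers admin ops
'
echo "weak config:";     audit_sshd_string "$WEAK_CFG" || echo "  -> $? finding(s)"
echo "hardened config:"; audit_sshd_string "$HARD_CFG" && echo "  -> passes"
```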


