On 01/03/2012 04:47 PM, m.roth@5-cent.us wrote:
Having been on vacation, I'm coming in very late in this....
Les Mikesell wrote:
On Tue, Jan 3, 2012 at 4:28 AM, Bennett Haselton <bennett@peacefire.org> wrote:
<snip>
>> OK but those are *users* who have their own passwords that they have
>> chosen, presumably. User-chosen passwords cannot be assumed to be
>> secure against a brute-force attack. What I'm saying is that if you're
>> the only user, by my reasoning you don't need fail2ban if you just use a
>> 12-character truly random password.
>
> But you aren't exactly an authority when you are still guessing about
> the cause of your problem, are you? (And haven't mentioned what your
> logs said about failed attempts leading up to the break in...).
Further, that's a ridiculous assumption. Without fail2ban, or something like it, they'll keep trying. You, instead, Bennett, are presumably generating that "truly random" password[1] and assigning it to all your users[2], and not allowing them to change their passwords, and you will be changing it occasionally and informing them of the change.[3]
Right?
mark
1. How will you generate "truly random"? Clicks on a Geiger counter? There is no such thing as a random number generator.
2. Which, being "truly random", they will write down somewhere, or store it on a key, labelling the file "mypassword" or some such.
3. How will you notify them of their new password - in plain text?
Bennett was/is the only one using those systems, and only as root. No additional users existed prior to the breach. And he is very persistent in placing his own opinion/belief above those he asks for help. That is why we have such a long long long thread. It came to the point where I am starting to believe he is a troll. Not sure yet, but it is getting there.
I am writing this for your sake, not his. I decided to just watch from now on. This thread WAS very informative, I did learn A LOT, but enough is enough, and I spent far too much time reading this thread.