On 12/07/2011 11:12 AM, Johnny Hughes wrote:
On 12/07/2011 03:59 AM, Nicolas Thierry-Mieg wrote:
Lamar Owen wrote:
On Tuesday, December 06, 2011 04:58:42 PM Lamar Owen wrote:
I happen to have a copy of an older brute-forcer dictionary here (somewhere) and it's very large and has lots of very secure-seeming passwords in it.
I ran down the copy I have; here's an excerpt of one of the dictionaries:
++++++++
root:P7zkJTma
root:5D8DY22
root:mc99ZR34Z
root:IVEUFc
root:JJc9DicA
root:zzzzzzz
root:4m3ric4n
root:3nglish
root:g0v3rm3nt
root:4zur3
root:bl4ck
root:blu3
root:br0wn
root:cy4n
root:crims0n
root:d4rkblu3
root:d4rk
root:g0ld
++++++++
Yeah, some of those would ordinarily be relatively secure-seeming passwords.
Alphanumeric only isn't so secure-seeming, is it? Is this for admins who log in with a cell phone instead of a real keyboard? ;-) Seriously: I thought the consensus was that a secure password should contain at least one or more non-alphanumeric characters.
The real bottom line is that the only way you should allow access to your machine is via keys ... having an ssh port exposed to the internet that allows password logins is, at some point, going to be breached if someone wants to breach it.
You could substitute a | or a ! for some i's in the above passwords and the brute force checker will find those as well.
The real issue is that passwords are not going to cut it as your primary security measure to keep people out.
You need to limit the ssh port to allowed IP addresses (or subnets), you need to use keys (maybe even keys with PINs as a secondary option for more security) to access that "IP address controlled" ssh port, and you need to turn off remote root access and allow access from other users who need to run sudo to get root.
If you leave a password controlled ssh port that allows root login exposed to the Internet, then the only reason it is not breached is that someone has not yet had a desire to breach it.
There is also the use of denyhosts and fail2ban. They allow only a few attempts from one IP, and all users can share attacking IPs (the default is every 30 min), so you are automatically protected from known attacking IPs. Any downside to this protection?
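A small check for the sshd_config settings Johnny recommends above (root login off, password logins off, keys allowed), added here as an example and not code from anyone in the thread; the two config files and their contents are constructed, and it assumes awk and mktemp are available. Restricting the port to allowed addresses is left to the firewall and is not checked here.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config for the
# settings Johnny Hughes calls for (no root login, no password logins,
# keys allowed). Both config files below are constructed sample input.

# Print the value sshd would use for a keyword. sshd_config takes the FIRST
# occurrence of a keyword, and only the global section (before any Match
# block) applies to every connection; comments and blank lines are skipped.
get_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match"      { exit }
        tolower($1) == key          { print $2; exit }
    ' "$1"
}

# Print one line per weak setting; the exit status is the number of findings.
audit_sshd_config() {
    n=0
    root=$(get_directive "$1" PermitRootLogin)
    pw=$(get_directive "$1" PasswordAuthentication)
    pk=$(get_directive "$1" PubkeyAuthentication)
    # Unset PermitRootLogin still lets root in (default "yes" on the OpenSSH
    # shipped with CentOS 5/6), so only an explicit "no" passes.
    [ "$root" = no ] || { echo "PermitRootLogin=${root:-unset}: set it to no"; n=$((n+1)); }
    # Unset PasswordAuthentication defaults to "yes": the port can be brute forced.
    [ "$pw" = no ] || { echo "PasswordAuthentication=${pw:-unset}: set it to no"; n=$((n+1)); }
    # PubkeyAuthentication defaults to "yes"; only an explicit "no" is a finding.
    [ "$pk" != no ] || { echo "PubkeyAuthentication=no: keys must stay enabled"; n=$((n+1)); }
    return "$n"
}

WEAK_CFG=$(mktemp)        # constructed: the exposed setup the thread warns about
cat >"$WEAK_CFG" <<'EOF'
PermitRootLogin yes
#PasswordAuthentication no
PubkeyAuthentication yes
EOF

HARDENED_CFG=$(mktemp)    # constructed: keys only, root off, one admin account
cat >"$HARDENED_CFG" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers admin
EOF

audit_sshd_config "$WEAK_CFG" || echo "weak config: $? finding(s)"
audit_sshd_config "$HARDENED_CFG" && echo "hardened config: no findings"
```

Run it against /etc/ssh/sshd_config instead of the constructed files to audit a real host; a commented-out directive counts as unset, exactly as sshd treats it.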