[CentOS] duqu

Wed Dec 7 10:12:19 UTC 2011
Johnny Hughes <johnny at centos.org>

On 12/07/2011 03:59 AM, Nicolas Thierry-Mieg wrote:
> Lamar Owen wrote:
>> On Tuesday, December 06, 2011 04:58:42 PM Lamar Owen wrote:
>>> I happen to have a copy of an older brute-forcer dictionary here (somewhere) and it's very large and has lots of very secure-seeming passwords in it.
>>
>> I ran down the copy I have; here's an excerpt of one of the dictionaries:
>> ++++++++
>> root:P7zkJTma
>> root:5D8DY22
>> root:mc99ZR34Z
>> root:IVEUFc
>> root:JJc9DicA
>> root:zzzzzzz
>> root:4m3ric4n
>> root:3nglish
>> root:g0v3rm3nt
>> root:4zur3
>> root:bl4ck
>> root:blu3
>> root:br0wn
>> root:cy4n
>> root:crims0n
>> root:d4rkblu3
>> root:d4rk
>> root:g0ld
>> ++++++++
>>
>> Yeah, some of those would ordinarily be relatively secure-seeming passwords.
> 
> alphanumeric only isn't so secure-seeming is it? Is this for admins who 
> log in with a cell phone instead of a real keyboard? ;-)
> seriously: I thought the consensus was that a secure password should 
> contain at least one or more non-alphanumeric characters.

The real bottom line is that the only way you should allow access to
your machine is via keys ... having an ssh port exposed to the internet
that allows password logins is, at some point, going to be breached if
someone wants to breach it.

You could substitute a | or a ! for some i's in the above passwords and
the brute force checker will find those as well.

The real issue is that passwords are not going to cut it as your primary
security measure to keep people out.

You need to limit the ssh port to allowed IP addresses (or subnets), you
need to use keys (maybe even keys with PINs as a secondary option for more
security) to access that "IP address controlled" ssh port, and you need
to turn off remote root access and allow access from other users who
need to run sudo to get root.

If you leave a password controlled ssh port that allows root login
exposed to the Internet, then the only reason it is not breached is that
someone has not yet had a desire to breach it.
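
The three settings Johnny lists above (keys only, no remote root, ssh reachable only from an admin subnet) can be checked and written by a short script. The following is an added example, not code from the thread or from the CentOS project; the admin subnet 203.0.113.0/24, the user names admin1/admin2 and the file paths are assumptions chosen for illustration. The audit reads the config the way sshd does, taking the first value it sees for each keyword and ignoring anything after a Match block, so a permissive value buried in a Match section does not hide a hardened global setting (nor does a later "PasswordAuthentication no" override an earlier "yes").

```shell
#!/bin/sh
# Added example: audit an sshd_config for the password-exposure settings
# discussed in the thread and emit a hardened config plus the matching
# firewall rules. Subnet, user names and paths are assumptions.

# audit_sshd_config FILE
#   Exit 0 if FILE disables password and root logins and keeps public-key
#   auth on; exit 1 otherwise. sshd uses the FIRST value of each keyword and
#   we stop at the first "Match" line because settings below it are
#   conditional, not global. Absent keywords are treated as failures so the
#   result does not depend on which OpenSSH release's defaults apply.
audit_sshd_config() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments/blank
        tolower($1) == "match"               { exit }   # global section ends
        {
            key = tolower($1); val = tolower($2)
            if (!(key in seen)) seen[key] = val         # first value wins
        }
        END {
            bad = 0
            if (seen["permitrootlogin"] != "no") {
                print "FAIL: PermitRootLogin must be no"; bad = 1
            }
            if (seen["passwordauthentication"] != "no") {
                print "FAIL: PasswordAuthentication must be no"; bad = 1
            }
            if (seen["pubkeyauthentication"] != "yes") {
                print "FAIL: PubkeyAuthentication must be yes"; bad = 1
            }
            if (bad == 0) print "OK"
            exit bad
        }' "$1"
}

# write_hardened_config FILE
#   Writes a minimal sshd_config that passes the audit. AllowUsers names
#   are assumptions; these are the accounts expected to sudo to root.
write_hardened_config() {
    cat > "$1" <<'EOF'
# Keys only: no passwords, no challenge-response, no root at all.
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
AllowUsers admin1 admin2
MaxAuthTries 3
EOF
}

# firewall_rules SUBNET
#   Prints iptables rules (CentOS 6 style) that admit TCP/22 only from
#   SUBNET and drop everything else aimed at the ssh port. Printed, not
#   applied, so the script is safe to run anywhere.
firewall_rules() {
    printf 'iptables -A INPUT -p tcp --dport 22 -s %s -j ACCEPT\n' "$1"
    printf 'iptables -A INPUT -p tcp --dport 22 -j DROP\n'
}

# Demonstration on a constructed "weak" config versus the hardened one.
demo() {
    d=$(mktemp -d)
    # Constructed example of the exposed setup the thread warns about.
    printf 'PermitRootLogin yes\nPasswordAuthentication yes\n' > "$d/weak"
    echo "== weak config =="
    if audit_sshd_config "$d/weak"; then echo "unexpectedly passed"; fi
    write_hardened_config "$d/hard"
    echo "== hardened config =="
    audit_sshd_config "$d/hard"
    echo "== firewall rules for the assumed admin subnet =="
    firewall_rules 203.0.113.0/24
    rm -rf "$d"
}

demo
```

The audit deliberately fails when a keyword is missing rather than guessing the compiled-in default, because the default for PermitRootLogin has changed across OpenSSH releases; the hardened file sets every checked keyword explicitly. Adding a passphrase to the key (the "keys with PINs" option above) is done at key-generation time with ssh-keygen and is not something the server config can enforce.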

