[CentOS] duqu

Wed Dec 7 11:49:08 UTC 2011
Johnny Hughes <johnny at centos.org>

On 12/07/2011 04:32 AM, Ljubomir Ljubojevic wrote:
> On 12/07/2011 11:12 AM, Johnny Hughes wrote:
>> On 12/07/2011 03:59 AM, Nicolas Thierry-Mieg wrote:
>>> Lamar Owen wrote:
>>>> On Tuesday, December 06, 2011 04:58:42 PM Lamar Owen wrote:
>>>>> I happen to have a copy of an older brute-forcer dictionary here (somewhere) and it's very large and has lots of very secure-seeming passwords in it.
>>>>
>>>> I ran down the copy I have; here's an excerpt of one of the dictionaries:
>>>> ++++++++
>>>> root:P7zkJTma
>>>> root:5D8DY22
>>>> root:mc99ZR34Z
>>>> root:IVEUFc
>>>> root:JJc9DicA
>>>> root:zzzzzzz
>>>> root:4m3ric4n
>>>> root:3nglish
>>>> root:g0v3rm3nt
>>>> root:4zur3
>>>> root:bl4ck
>>>> root:blu3
>>>> root:br0wn
>>>> root:cy4n
>>>> root:crims0n
>>>> root:d4rkblu3
>>>> root:d4rk
>>>> root:g0ld
>>>> ++++++++
>>>>
>>>> Yeah, some of those would ordinarily be relatively secure-seeming passwords.
>>>
>>> alphanumeric only isn't so secure-seeming, is it? Is this for admins who
>>> log in with a cell phone instead of a real keyboard? ;-)
>>> seriously: I thought the consensus was that a secure password should
>>> contain at least one or more non-alphanumeric characters.
>>
>> The real bottom line is that the only way you should allow access to
>> your machine is via keys ... having an ssh port exposed to the internet
>> that allows password logins is, at some point, going to be breached if
>> someone wants to breach it.
>>
>> You could substitute a | or a ! for some i's in the above passwords and
>> the brute force checker will find those as well.
>>
>> The real issue is that passwords are not going to cut it as your primary
>> security measure to keep people out.
>>
>> You need to limit the ssh port to allowed IP addresses (or subnets), you
>> need to use keys (maybe even keys with pins as secondary option for more
>> security) to access that "IP address controlled" ssh port, and you need
>> to turn off remote root access and allow access from other users who
>> need to run sudo to get root.
>>
>> If you leave a password controlled ssh port that allows root login
>> exposed to the Internet, then the only reason it is not breached is that
>> someone has not yet had a desire to breach it.
>>
> 
> There is also the use of denyhosts and fail2ban. They allow only a few 
> attempts from one IP, and all users can share attacking IPs (default is 
> every 30 min) so you are automatically protected from known attacking 
> IPs. Any downside to this protection?

No downside, and they do work.

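The quoted advice boils down to four sshd_config settings (no root login, keys instead of passwords, no password fallback through PAM, and a restricted set of users/sources). The script below is an added example, not something posted to the list: it reads an sshd_config the way sshd does (case-insensitive keywords, first occurrence wins, nothing past a Match line) and reports every deviation. The two sample configs at the bottom are constructed for illustration, and the daemon defaults it assumes for missing keywords are the OpenSSH 5.x ones.

```shell
#!/bin/sh
# Added example (not from the list thread): check an sshd_config for the
# settings the message above calls for. The sample configs at the bottom
# are constructed, not taken from any real host.

# sshd_get FILE KEYWORD DEFAULT
# Prints the effective value (first token) of KEYWORD. Mirrors how sshd
# reads the file: keywords are case-insensitive, the first occurrence wins,
# and anything after a "Match" line is conditional, so the scan stops
# there. A missing keyword yields DEFAULT.
sshd_get() {
    _kw=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    _val=$(awk -v kw="$_kw" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { k = tolower($1) }
        k == "match" { exit }
        k == kw { print $2; exit }' "$1")
    if [ -n "$_val" ]; then printf '%s\n' "$_val"; else printf '%s\n' "$3"; fi
}

# audit_sshd_config FILE
# Prints one FAIL line per deviation and returns 1 if any were found.
# Assumed defaults for absent keywords are the OpenSSH 5.x ones that
# CentOS 5/6 shipped: PermitRootLogin yes, PasswordAuthentication yes,
# ChallengeResponseAuthentication yes, PubkeyAuthentication yes.
audit_sshd_config() {
    _f=$1; _bad=0
    [ "$(sshd_get "$_f" PermitRootLogin yes)" = no ] ||
        { echo "FAIL: PermitRootLogin should be 'no' (log in as a user, then sudo)"; _bad=1; }
    [ "$(sshd_get "$_f" PubkeyAuthentication yes)" = yes ] ||
        { echo "FAIL: PubkeyAuthentication must be 'yes'"; _bad=1; }
    [ "$(sshd_get "$_f" PasswordAuthentication yes)" = no ] ||
        { echo "FAIL: PasswordAuthentication should be 'no' (keys only)"; _bad=1; }
    # PAM keyboard-interactive auth can still prompt for a password unless this is off too.
    [ "$(sshd_get "$_f" ChallengeResponseAuthentication yes)" = no ] ||
        { echo "FAIL: ChallengeResponseAuthentication should be 'no'"; _bad=1; }
    # sshd cannot filter by source address by itself: AllowUsers user@host
    # patterns are the in-daemon option, iptables is the other, so only warn.
    [ -n "$(sshd_get "$_f" AllowUsers "")" ] ||
        echo "WARN: no AllowUsers line; restrict sources with AllowUsers user@host or iptables"
    return $_bad
}

# Constructed sample configs: the exposed, password-only setup the thread
# warns about, and a hardened one.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# password logins, root allowed, reachable from anywhere
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$HARD_CFG" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
AllowUsers ops@192.0.2.10 ops@198.51.100.*
Match User deploy
    PasswordAuthentication no
EOF

check_weak() { audit_sshd_config "$WEAK_CFG"; }
check_hard() { audit_sshd_config "$HARD_CFG"; }

echo "== weak config =="
check_weak || echo "-> would be rejected"
echo "== hardened config =="
check_hard && echo "-> passes"
```

The weak file fails three checks (root login, password auth, and the absent ChallengeResponseAuthentication, which defaults to yes) and gets the AllowUsers warning; the hardened file passes. Note that the check deliberately ignores the Match block: settings there apply only to the matched user and do not change what the daemon does for everyone else.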
