On 12/07/2011 04:32 AM, Ljubomir Ljubojevic wrote:
> Time: 12/07/2011 11:12 AM, Johnny Hughes writes:
>> On 12/07/2011 03:59 AM, Nicolas Thierry-Mieg wrote:
>>> Lamar Owen wrote:
>>>> On Tuesday, December 06, 2011 04:58:42 PM Lamar Owen wrote:
>>>>> I happen to have a copy of an older brute-forcer dictionary here (somewhere) and it's very large and has lots of very secure-seeming passwords in it.
>>>>
>>>> I ran down the copy I have; here's an excerpt of one of the dictionaries:
>>>> ++++++++
>>>> root:P7zkJTma
>>>> root:5D8DY22
>>>> root:mc99ZR34Z
>>>> root:IVEUFc
>>>> root:JJc9DicA
>>>> root:zzzzzzz
>>>> root:4m3ric4n
>>>> root:3nglish
>>>> root:g0v3rm3nt
>>>> root:4zur3
>>>> root:bl4ck
>>>> root:blu3
>>>> root:br0wn
>>>> root:cy4n
>>>> root:crims0n
>>>> root:d4rkblu3
>>>> root:d4rk
>>>> root:g0ld
>>>> ++++++++
>>>>
>>>> Yeah, some of those would ordinarily be relatively secure-seeming passwords.
>>>
>>> Alphanumeric only isn't so secure-seeming, is it? Is this for admins who log in with a cell phone instead of a real keyboard? ;-)
>>> Seriously: I thought the consensus was that a secure password should contain at least one or more non-alphanumeric characters.
>>
>> The real bottom line is that the only way you should allow access to your machine is via keys ... having an ssh port exposed to the internet that allows password logins is, at some point, going to be breached if someone wants to breach it.
>>
>> You could substitute a | or a ! for some i's in the above passwords and the brute force checker will find those as well.
>>
>> The real issue is that passwords are not going to cut it as your primary security measure to keep people out.
>>
>> You need to limit the ssh port to allowed IP addresses (or subnets), you need to use keys (maybe even keys with pins as a secondary option for more security) to access that "IP address controlled" ssh port, and you need to turn off remote root access and allow access from other users who need to run sudo to get root.
>>
>> If you leave a password-controlled ssh port that allows root login exposed to the Internet, then the only reason it is not breached is that someone has not yet had a desire to breach it.
>>
>
> There is also the use of denyhosts and fail2ban. They allow only a few attempts from one IP, and all users can share attacking IPs (default is every 30 min) so you are automatically protected from known attacking IPs. Any downside to this protection?

No downside, and they do work.
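As an added example (not code from any poster in this thread), the script below turns the two pieces of advice above into something checkable: it audits an sshd_config for the settings Johnny lists (no remote root login, no password authentication, key login on, an explicit user list and a source-address restriction) and then counts failed password attempts per source IP over syslog-style sshd lines the way a fail2ban sshd jail with maxretry=3 would. The two sshd_config texts, the auth log lines, the user name admin and the addresses are all constructed samples, and the default OpenSSH behaviour for an absent directive varies by release, so the audit flags an absent directive rather than assuming it is safe.

```python
"""Added example for the CentOS list thread on ssh hardening: audit an
sshd_config against the thread's recommendations and count failed logins
per source IP. All config text and log lines below are constructed samples."""
import re
from collections import defaultdict

# Constructed sample: a permissive sshd_config of the kind the thread warns about.
WEAK_SSHD_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

# Constructed sample: the same daemon configured along the thread's advice.
# The user name and address range are placeholders, not a real deployment.
HARDENED_SSHD_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers admin
Match Address 203.0.113.0/24
    PasswordAuthentication no
"""


def parse_sshd_config(text):
    """Return top-level keyword/value pairs, lowercase keys, first occurrence
    wins (as sshd itself resolves duplicates). Directives inside a Match block
    are conditional, so they are not counted as global settings; the function
    only records whether a 'Match Address' block exists at all."""
    settings = {}
    in_match = False
    has_match_address = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # sshd accepts 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            has_match_address = has_match_address or value.lower().startswith("address")
            continue
        if in_match:
            continue
        settings.setdefault(key, value)
    settings["_has_match_address"] = has_match_address
    return settings


def audit_sshd_config(text):
    """Return one finding per recommendation from the thread that the config
    does not satisfy; an empty list means every check passed."""
    s = parse_sshd_config(text)
    findings = []
    # Absent directives are flagged: OpenSSH defaults differ between releases.
    if s.get("permitrootlogin") != "no":
        findings.append("PermitRootLogin is not 'no': remote root login possible; "
                        "log in as an unprivileged user and use sudo")
    if s.get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no': password guessing remains possible")
    if s.get("pubkeyauthentication", "yes") != "yes":  # 'yes' is the documented default
        findings.append("PubkeyAuthentication is off: key-based login unavailable")
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append("No AllowUsers/AllowGroups: every local account is reachable over ssh")
    if not s["_has_match_address"]:
        findings.append("No 'Match Address' block: restrict source addresses here or in the firewall")
    return findings


# Constructed sample auth log: three failures from one source, one from another,
# one successful key login. Addresses are documentation ranges, not real hosts.
AUTH_LOG = """\
Dec  7 04:31:01 host sshd[1201]: Failed password for root from 198.51.100.7 port 40122 ssh2
Dec  7 04:31:03 host sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 40130 ssh2
Dec  7 04:31:05 host sshd[1205]: Failed password for root from 198.51.100.7 port 40141 ssh2
Dec  7 04:31:09 host sshd[1207]: Accepted publickey for admin from 203.0.113.10 port 51002 ssh2
Dec  7 04:31:12 host sshd[1209]: Failed password for root from 192.0.2.44 port 33001 ssh2
"""

# Matches sshd's 'Failed password for [invalid user] NAME from IP port N' lines.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) port")


def sources_to_ban(log_text, maxretry=3):
    """Count failed password attempts per source IP and return, sorted, the IPs
    that reached maxretry, mirroring what a fail2ban sshd jail would ban.
    (findtime is ignored here because the sample spans only seconds.)"""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return sorted(ip for ip, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{name}: {len(audit_sshd_config(cfg))} finding(s)")
        for f in audit_sshd_config(cfg):
            print("  -", f)
    print("would ban:", sources_to_ban(AUTH_LOG))
```

Running it lists four findings for the weak config, none for the hardened one, and reports 198.51.100.7 as the single source that hit three failed password attempts; the 192.0.2.44 address with one failure stays below the threshold, which is the point of a per-IP counter rather than a global one.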