[CentOS] what percent of time are there unpatched exploits against default config?

Sat Dec 31 16:58:23 UTC 2011
Ljubomir Ljubojevic <office at plnet.rs>

On 12/31/2011 03:13 PM, Johnny Hughes wrote:
> On 12/30/2011 11:02 PM, Alex Milojkovic wrote:
>> I think the best password policy is the one you've never told anyone and never posted on a public mailing list.
>> How many of you out there know of cases where administrators' passwords were compromised by brute force?
>> Can we take a count of that?
> I know of plenty ... people contact security at centos.org all the time
> after having their machines compromised by brute force.
> Here are a couple of articles for you to read:
> http://www.gtri.gatech.edu/casestudy/Teraflop-Troubles-Power-Graphics-Processing-Units-GPUs-Password-Security-System
> http://www.pcpro.co.uk/blogs/2011/06/01/how-a-cheap-graphics-card-could-crack-your-password-in-under-a-second/
>> I believe in passwords. I don't believe in PKI.
>> It's a lot more likely that I will forget my laptop somewhere, or that someone will steal my usb key than that someone will guess my password and have opportunities to try it.
>> PKI is convenience and if your password is 20-30 characters it will take a long time to break it.
>> Password crack estimator
>> http://www.mandylionlabs.com/documents/BFTCalc.xls
>> Spreadsheet is safe (take my word for it) ha,ha
>> Scenario of botnet with 1000 PCs making attempts to crack our password ain't gonna happen.
> You don't need a botnet of 1000 PCs ... you only need a couple of
> graphics cards.

Can you please explain how this is possible by attacking Linux via SSH 
brute force? I fail to see it. If attacks are throttled via ssh config 
and fail2ban/denyhosts, how does their GPU power come into the equation?


Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your
trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant
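An added example, not from anyone in this thread: it works through the numbers behind the two positions above, comparing the sustained guess rate a 1000-host botnet gets against an SSH daemon throttled by a fail2ban-style ban with the rate an attacker gets once a password hash is in hand and can be attacked offline. The ban policy (3 failures, 10-minute ban), the 95-character alphabet and the 1e9 guesses/second offline rate are constructed assumptions, not figures from the thread.

```python
# Added example (not from the thread): online throttled SSH guessing vs offline
# hash cracking. The point: a server-side throttle caps the attacker's rate no
# matter how much compute they own; GPU speed matters only once the hashes leak.

PRINTABLE_ASCII = 95                  # assumed alphabet the password is drawn from
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(length, charset=PRINTABLE_ASCII):
    """Number of candidate passwords of exactly `length` characters."""
    return charset ** length


def online_guess_rate(hosts, tries_before_ban, ban_seconds):
    """Sustained guesses/second against sshd when a fail2ban-style rule bans a
    source for ban_seconds after tries_before_ban failures. Every host is bound
    by the server's policy, so the attacker's own CPU/GPU power is irrelevant."""
    return hosts * tries_before_ban / ban_seconds


def years_to_exhaust(length, guesses_per_second):
    """Worst-case time to try every password of the given length."""
    return keyspace(length) / guesses_per_second / SECONDS_PER_YEAR


def compare(length, botnet_hosts=1000, tries_before_ban=3, ban_seconds=600,
            offline_guesses_per_second=1e9):
    """Online (throttled SSH) vs offline (captured hash) exhaustion time.
    Defaults are constructed: the 1000-host botnet from the thread, a 3-failure /
    10-minute ban, and an assumed 1e9 guesses/s for a fast unsalted hash on a GPU."""
    online = online_guess_rate(botnet_hosts, tries_before_ban, ban_seconds)
    return {
        "online_years": years_to_exhaust(length, online),
        "offline_years": years_to_exhaust(length, offline_guesses_per_second),
        "offline_speedup": offline_guesses_per_second / online,
    }


if __name__ == "__main__":
    for n in (8, 12, 20):
        r = compare(n)
        print(f"len={n}: online {r['online_years']:.3g} years, "
              f"offline {r['offline_years']:.3g} years, "
              f"speedup x{r['offline_speedup']:.3g}")
```

With these assumptions an 8-character password survives the throttled online attack for tens of millions of years but falls offline in months, which is why the hash store, not the SSH rate limit, decides whether the graphics cards matter.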