[CentOS] what percent of time are there unpatched exploits against default config?

Sat Dec 31 16:58:23 UTC 2011
Ljubomir Ljubojevic <office at plnet.rs>

On 12/31/2011 03:13 PM, Johnny Hughes wrote:
> On 12/30/2011 11:02 PM, Alex Milojkovic wrote:
>> I think the best password policy is the one you've never told anyone and never posted on a public mailing list.
>>
>> How many of you out there know of cases where administrators' passwords were compromised by brute force?
>> Can we take a count of that?
>
> I know of plenty ... people contact security at centos.org all the time
> after having their machines compromised by brute force.
>
> Here are a couple of articles for you to read:
>
> http://www.gtri.gatech.edu/casestudy/Teraflop-Troubles-Power-Graphics-Processing-Units-GPUs-Password-Security-System
>
> http://www.pcpro.co.uk/blogs/2011/06/01/how-a-cheap-graphics-card-could-crack-your-password-in-under-a-second/
>
>>
>> I believe in passwords. I don't believe in PKI.
>> It's a lot more likely that I will forget my laptop somewhere, or that someone will steal my usb key than that someone will guess my password and have opportunities to try it.
>> PKI is convenience and if your password is 20-30 characters it will take a long time to break it.
>>
>> Password crack estimator
>> http://www.mandylionlabs.com/documents/BFTCalc.xls
>>
>> Spreadsheet is safe (take my word for it) ha,ha
>>
>> Scenario of botnet with 1000 PCs making attempts to crack our password ain't gonna happen.
>
> You don't need a botnet of 1000 PCs ... you only need a couple of
> graphics cards.
>

Can you please explain how this is possible by attacking linux via ssh 
brute force. I fail to see it. If attacks are throttled via ssh config 
and fail2ban/denyhosts, how does their GPU power come into the equation?


-- 

Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your
trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant
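An added worked example (not from this thread or from the fail2ban/denyhosts projects) that puts numbers on the throttling question raised above. It implements a small fail2ban-style detector over constructed sshd log lines (ban a source after `maxretry` failures within `findtime` seconds, drop its attempts for `bantime`), then computes the most guesses a single source can make per day under that policy and how many days it would take to walk an 8-character lowercase keyspace at that rate. The IPs, hostnames, timestamps and policy values are all constructed; GPU speed only matters once an attacker has the password hashes to try offline, which the online rate limit below does nothing about.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines in syslog format (not real traffic).
SAMPLE_LOG = """\
Dec 31 16:58:01 gw sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Dec 31 16:58:03 gw sshd[2102]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Dec 31 16:58:05 gw sshd[2103]: Failed password for root from 203.0.113.5 port 51244 ssh2
Dec 31 16:58:07 gw sshd[2104]: Failed password for root from 203.0.113.5 port 51250 ssh2
Dec 31 16:58:09 gw sshd[2105]: Failed password for root from 203.0.113.5 port 51256 ssh2
Dec 31 16:58:11 gw sshd[2106]: Failed password for root from 203.0.113.5 port 51260 ssh2
Dec 31 16:59:30 gw sshd[2110]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Dec 31 16:59:40 gw sshd[2111]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
Dec 31 17:20:00 gw sshd[2150]: Failed password for root from 203.0.113.5 port 51300 ssh2
"""

# Matches the "Failed password" line sshd writes for a rejected login.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_ts(text, year=2011):
    """Syslog timestamps carry no year; the year is an assumed constant here."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def find_bans(log_text, maxretry=5, findtime=600, bantime=3600):
    """Fail2ban-style sliding window: return {ip: [ban start times]}.

    A source is banned when it reaches `maxretry` failures inside any
    `findtime`-second window; while banned, its further attempts are
    ignored, as the firewall would drop them.
    """
    failures = defaultdict(list)   # ip -> recent failure timestamps
    banned_until = {}              # ip -> datetime when the ban lapses
    bans = defaultdict(list)       # ip -> list of ban start times
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts, ip = parse_ts(m["ts"]), m["ip"]
        if ip in banned_until and ts < banned_until[ip]:
            continue  # attempt never reached sshd while banned
        window = [t for t in failures[ip] if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        failures[ip] = window
        if len(window) >= maxretry:
            bans[ip].append(ts)
            banned_until[ip] = ts + timedelta(seconds=bantime)
            failures[ip] = []
    return dict(bans)


def guesses_per_day_online(maxretry=5, findtime=600, bantime=3600):
    """Upper bound on guesses one source IP gets per day under this policy.

    Two attacker strategies: stay one failure under the threshold in every
    window (never banned), or trip the ban each cycle and wait it out.
    """
    stay_under = (maxretry - 1) * (86400 // findtime)
    trip_ban = maxretry * (86400 // bantime)
    return max(stay_under, trip_ban)


def online_exhaust_days(alphabet_size, length, **policy):
    """Days for one throttled source to try every password of this shape."""
    keyspace = alphabet_size ** length
    return keyspace / guesses_per_day_online(**policy)


if __name__ == "__main__":
    for ip, starts in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {starts[0]:%H:%M:%S}")
    print("online guesses/day per source:", guesses_per_day_online())
    print("days to exhaust 8 lowercase chars online:",
          f"{online_exhaust_days(26, 8):.3g}")
```

With the default policy (5 failures in 10 minutes, 1 hour ban) the first source is banned at 16:58:09 and its later attempts never count; a single source is capped at 576 guesses a day, so even an 8-character lowercase password would take hundreds of millions of days to exhaust online. That is the throttling effect the message above describes; the rate is a property of sshd and the ban rule, not of the attacker's hardware.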