On Sat, Dec 31, 2011 at 1:50 PM, Alex Milojkovic <centos at businessforce.ca> wrote:
>
> Ok let me rephrase myself.
> How many people have had their passwords cracked on Internet servers by means available to them?
> In other words gained root access by way of a TCP service.

Someone cracked my gmail password and sent what seemed like an oddly small amount of spam from it.

> These articles are based on theoretical math and scenarios that are not common.
> They are saying one billion passwords per second
> How many servers can handle a million requests per second without DOS, I'd like to have one :)

If you have a server with port 22 open to the internet you can get an idea of what is going on by looking at your logs. Unless you are a high-profile site you probably won't see millions of attempts, but you will see dozens or hundreds a day, coming from many different sources. They seem to be at least loosely coordinated and are probably spreading the attempts widely. If your machine happens to be the one where they get a match from the random probabilities, it likely gets added into the set doing more attempts.

> Everything else is more or less social engineering in my opinion and shouldn't focus on passwords. In that case no authentication mechanism will be enough, we are just fooling ourselves.

Targeted cracking may involve social engineering, but I'd bet that much, much more of the random hacking involves software vulnerabilities, both before and after they are published. Again, if you look at the logs of what hits port 80 you'll see the probes for things that might permit arbitrary code execution. Unless one of those succeeds, you won't see the follow-up - but if it does, the attacker will then attempt to execute local 'root escalation' vulnerabilities like the one fixed not too long ago in glibc that let anyone who could create a symlink become root.

> Hopefully sometime soon, perimeter routers will be like border checkpoints.
> I like you, you get in.
> I don't like you, you stay out.

That doesn't work for web services open to the public. You need firewalls that can work at wire speed filtering the inbound URLs for known attack patterns, plus of course, updating the software as quickly as possible to fix the vulnerabilities.

--
Les Mikesell
lesmikesell at gmail.com
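As an added example (not part of the original thread) of the port-22 log inspection Les describes: it parses sshd "Failed password" lines and counts attempts per source address and per username, so the pattern of many sources each making only a few attempts stands out. The log lines, addresses and usernames are constructed, and the per-source lockout threshold is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in sshd's syslog format; not from any real server.
SAMPLE_LOG = """\
Dec 31 13:52:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Dec 31 13:52:03 host sshd[2101]: Failed password for root from 203.0.113.7 port 51240 ssh2
Dec 31 13:52:09 host sshd[2108]: Failed password for invalid user admin from 198.51.100.23 port 4022 ssh2
Dec 31 13:52:14 host sshd[2110]: Failed password for invalid user oracle from 192.0.2.55 port 33311 ssh2
Dec 31 13:52:20 host sshd[2112]: Failed password for invalid user admin from 203.0.113.7 port 51251 ssh2
Dec 31 13:53:02 host sshd[2115]: Accepted publickey for les from 192.0.2.10 port 40100 ssh2
Dec 31 13:53:40 host sshd[2118]: Failed password for invalid user test from 198.51.100.23 port 4031 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." forms.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def summarize_failed_logins(log_text):
    """Count failed sshd password attempts per source IP and per username."""
    per_source = Counter()
    users_by_source = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins and unrelated lines are skipped
        per_source[m["ip"]] += 1
        users_by_source[m["ip"]].add(m["user"])
    return {
        "total_failed": sum(per_source.values()),
        "distinct_sources": len(per_source),
        "per_source": dict(per_source),
        "users_by_source": {ip: sorted(u) for ip, u in users_by_source.items()},
    }

def low_and_slow_sources(summary, max_per_source=3):
    """Sources that stay at or below a per-IP lockout threshold (assumed: 3).
    A spread-out campaign shows up as many IPs that each stay under the limit,
    which is why a per-IP lockout alone does not make the attempts go away."""
    return sorted(ip for ip, n in summary["per_source"].items() if n <= max_per_source)

if __name__ == "__main__":
    s = summarize_failed_logins(SAMPLE_LOG)
    print(f"{s['total_failed']} failed attempts from {s['distinct_sources']} sources")
    for ip, n in sorted(s["per_source"].items(), key=lambda kv: -kv[1]):
        print(f"  {ip}: {n} attempts, users {', '.join(s['users_by_source'][ip])}")
    print("sources under the lockout threshold:", low_and_slow_sources(s))
```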