On Jan 5, 2012, at 6:34 PM, Johnny Hughes <johnny at centos.org> wrote: > On 01/05/2012 02:51 PM, Bennett Haselton wrote: >> On 1/5/2012 6:53 AM, Johnny Hughes wrote: >>> On 01/04/2012 07:47 PM, Bennett Haselton wrote: >>>> On 1/4/2012 1:59 PM, Lamar Owen wrote: >>>>> [Distilling to the core matter; everything else is peripheral.] >>>>> >>>>> On Jan 4, 2012, at 2:58 PM, Bennett Haselton wrote: >>>>>> To be absolutely clear: Do you, personally, believe there is more than a >>>>>> 1 in a million chance that the attacker who got into my machine, got it >>>>>> by brute-forcing the password? As opposed to, say, using an underground >>>>>> exploit? >>>>> Here's how I see it breaking down: >>>>> >>>>> 1.) Attacker uses apache remote exploit (or other means) to obtain >>>>> your /etc/shadow file (not a remote shell, just GET the file without >>>>> that fact being logged); >>>>> 2.) Attacker runs cloud-based (and/or CUDA accelerated) brute-forcer >>>>> on 10,000,000 machines against your /etc/shadow file without your >>>>> knowledge; >>>>> 3.) Some time passes; >>>>> 4.) Attacker obtains your password using distributed brute forcing of >>>>> the hash in the window of time prior to you resetting it; >>>>> 5.) Attacker logs in since you allow password login. You're pwned by >>>>> a non-login brute-force attack. >>>>> >>>>> In contrast, with ssh keys and no password logins allowed: >>>>> >>>>> 1.) Attacker obtains /etc/shadow and cracks your password after some >>>>> time; >>>>> 2.) Attacker additionally obtains /root/.ssh/* >>>>> 3.) Attacker now has your public key. Good for them; public keys >>>>> don't have to be kept secure since it is vastly more difficult to >>>>> reverse known plaintext, known ciphertext, and the public key into a >>>>> working private key than it is to brute-force the /etc/shadow hash >>>>> (part of the difficulty is getting all three required components to >>>>> successfully reverse your private key; the other part boils down to >>>>> factoring and hash brute-forcing); >>>>> 4.) Attacker also has root's public and private keys, if there is a >>>>> pair in root's ~/.ssh, which may or may not help them. If there's a >>>>> passphrase on the private key, it's quite difficult to obtain that >>>>> from the key; >>>>> 5.) Attacker can't leverage either your public key or root's key pair >>>>> (or the machine key; even if they can leverage that to do MitM (which >>>>> they can and likely will) that doesn't help them obtain your private >>>>> key for authentication; >>>>> 6.) Attacker still can't get in because you don't allow password >>>>> login, even though attacker has root's password. >>>>> >>>>> This only requires an apache httpd exploit that allows reading of any >>>>> file; no files have to be modified and no shells have to be acquired >>>>> through any exploits. Those make it faster, for sure; but even then >>>>> the attacker is going to acquire your /etc/shadow as one of the first >>>>> things they do; the next thing they're going to do is install a >>>>> rootkit with a backdoor password. >>>>> >>>>> Brute-forcing by hash-cracking, not by attempting to login over ssh, >>>>> is what I'm talking about. >>>> I acknowledged that the first time I replied to someone's post saying a >>>> 12-char password wasn't secure enough. I hypothesized an attacker with >>>> the fastest GPU-driven password cracker in the world (even allowing for >>>> 100-factor improvements in coming years) and it would still take >>>> centuries to break. I understand about brute-forcing the hash vs. >>>> brute-forcing the login, but some others had posted about brute-forcing >>>> the login specifically and I was commenting on how ridiculous that was. >>>> >>>>> This is what I mean when I say 'multilayer metasploit-driven attacks.' >>>>> >>>>> The weakest link is the security of /etc/shadow on the server for >>>>> password auth (unless you use a different auth method on your server, >>>>> like LDAP or other, but that just adds a layer, making the attacker >>>>> work harder to get that all-import password). Key based auth is >>>>> superior, since the attacker reading any file on your server cannot >>>>> compromise the security. >>>>> >>>>> Kerberos is better still. >>>>> >>>>> Now, the weakest link for key auth is the private key itself. But >>>>> it's better protected than any password is (if someone can swipe your >>>>> private key off of your workstation you have bigger problems, and they >>>>> will have your /etc/shadow for your workstation, and probably a >>>>> backdoor.....). The passphrase is also better protected than the >>>>> typical MD5 hash password, too. >>>>> >>>>> It is the consensus of the security community that key-based >>>>> authentication with strong private key passphrases is better than any >>>>> password-only authentication, and that consensus is based on facts >>>>> derived from evidence of actual break-ins. >>>> Well yes, on average, password-authentication is going to be worse >>>> because it includes people in the sample who are using passwords like >>>> "Patricia". Did they compare the break-in rate for systems with 12-char >>>> passwords vs. systems with keys? >>>> >>>> I have nothing in particular against ssh keys - how could anybody be >>>> "against ssh keys"? :) My point was that when I asked "How did >>>> attackers probably get in, given that the password was a random >>>> 12-character string?" people pounced on the fact that I was using a >>>> password at all, and kept insisting that that had a non-trivial >>>> likelihood of being the cause (rather than the >>>> less-than-one-in-a-billion it actually was), even to the point of making >>>> ridiculous statements like Mark saying that an attacker trying >>>> "thousands of times per hour" would get in "sooner or later". This was >>>> to the exclusion of what was vastly more likely to be the correct >>>> answer, which was "Apache, sshd, and CentOS have enough exploits that >>>> it's far more likely an attacker got in by finding one of those (and >>>> tools like SELinux help mitigate that)." >>>> >>>> Again, if I hadn't stood behind the math on the issue of long passwords >>>> vs. keys, I probably never would have gotten the answer that was >>>> actually useful. >>>> >>>> Do you think it's possible that people focused so much on the use of a >>>> "password" as a possible cause, vs. the existence of exploits, despite >>>> the former being literally about 1 billion times less probably than the >>>> latter, because the former puts more of the blame on the user? (Not >>>> that anyone is "to blame" that CentOS and Apache have bugs -- everything >>>> does -- but that password security would be an issue even with a perfect >>>> operating system.) >>>> >>>>> While login-based brute-forcing of a password that is long-enough >>>>> (based upon sshd/login/hashing speed) is impractical for passwords of >>>>> sufficient strength, login-based brute forcing is not the 'state of >>>>> the art' in brute-forcing of passwords. Key-based auth with a >>>>> passphrase is still not the ultimate, but it is better than only a >>>>> password, regardless of the strength of that password. >>>>> >>>>> If your password was brute-forced, it really doesn't matter how the >>>>> attacker did it; you're pwned either way. >>>>> >>>>> It is a safe assumption that there are httpd exploits in the wild, >>>>> that are not known by the apache project, that specifically attempt to >>>>> grab /etc/shadow and send to the attacker. It's also a safe >>>>> assumption that the attacker will have sufficient horsepower to crack >>>>> your password from /etc/shadow in a 'reasonable' timeframe for an MD5 >>>>> hash. >>>> Well I disagree that that's a "safe assumption". If you think that >>>> 12-character passwords are within striking distance, try 20-char >>>> passwords -- 1^36 possible values to search, so with a botnet of over 1 >>>> billion infected computers each checking 10 billion passwords per second >>>> (both orders of magnitude beyond what's in play today, and >>>> unrealistically assuming that every resource in the world is focused on >>>> this one password), it would take on the order of 10 billion years to crack. >>> Then we get back to rainbow tables and hashes that have been generated >>> by someone else (with super computer access) and published for "X" sized >>> passwords (you pick the size: 8,12,20,24,etc). Then they don't need to >>> calculate anything, just do a sql lookup against a database with what >>> they get from the shadow file. Someone else already cracked all "X" >>> size logins for all possible iterations. >> But if the system adds a salt to the password before taking the hash, >> then the size of the precomputed rainbow table grows exponentially, >> because it has to store the hash of all possible passwords to test, with >> all possible salts. If a 12-char random password (72 bits of >> randomness) is salted with a 32-bit salt you now have to precompute >> 10^31 values in your rainbow table instead of "only" 10^21. > > OK ... you continue to use passwords on your servers. I'll use keys and > require a vpn to access mine. Keys are definitely more secure then passwords, but a VPN is probably a step back as it provides a pseudo-layer2 gateway to your trusted network. I might use a key based authenticating reverse-proxy (client cert) that then allows one to ssh in and authenticate using a password. Basically authenticate to a landing page using a client cert, the proxy then adds your IP to a list of authenticated clients which opens the ssh port for that client. As long as your browser has the page open and the proxy re-authenticates every X minutes the ssh port remains open for the client. -Ross