[CentOS] an actual hacked machine, in a preserved state

Bennett Haselton bennett at peacefire.org
Tue Jan 3 20:24:34 UTC 2012

On 1/3/2012 11:36 AM, Ljubomir Ljubojevic wrote:
> On 01/03/2012 04:47 PM, m.roth at 5-cent.us wrote:
>> Having been on vacation, I'm coming in very late in this....
>> Les Mikesell wrote:
>>> On Tue, Jan 3, 2012 at 4:28 AM, Bennett Haselton<bennett at peacefire.org>
>>> wrote:
>> <snip>
>>>> OK but those are *users* who have their own passwords that they have
>>>> chosen, presumably.  User-chosen passwords cannot be assumed to be
>>>> secure against a brute-force attack.  What I'm saying is that if you're
>>>> the only user, by my reasoning you don't need fail2ban if you just use a
>>>> 12-character truly random password.
>>> But you aren't exactly an authority when you are still guessing about
>>> the cause of your problem, are you?  (And haven't mentioned what your
>>> logs said about failed attempts leading up to the break in...).
>> Further, that's a ridiculous assumption. Without fail2ban, or something
>> like it, they'll keep trying. You, instead, Bennett, are presumably
>> generating that "truly random" password[1] and assigning it to all your
>> users[2], and not allowing them to change their passwords, and you will be
>> changing it occasionally and informing them of the change.[3]
>> Right?
>>           mark
>> 1. How will you generate "truly random"? Clicks on a Geiger counter? There
>> is no such thing as a random number generator.
>> 2. Which, being "truly random", they will write down somewhere, or store
>> it on a key, labelling the file "mypassword" or some such.
>> 3. How will you notify them of their new password - in plain text?
> Bennet was/is the only one using those systems, and only as root. No
> additional users existed prior to breach. And he is very persisting in
> placing his own opinion/belief above those he asks for help.
That there are 10^21 possible random 12-character alphanumeric passwords 
-- making it secure against brute-forcing -- is a fact, not an opinion.

To date, *nobody* on this thread has ever responded when I said that 
there are 10^21 possible such passwords and as such I don't think that 
the password can be brute-forced in that way.  Almost every time I said 
this, I added, "If you think this is incorrect, why do you think it's 
incorrect?", because I did genuinely want to know.  When people didn't 
reply, I thought maybe they hadn't realized before that I was using 
actually long, actually random passwords, and maybe they no longer 
thought that was insecure after all.

Again: Do you think I'm wrong that if you use a 12-character mixed-case 
alphanumeric password, then switching to sshkeys or using fail2ban will 
not make the system any more secure?  If you think I'm wrong, why?  What 
is the exact scenario that you think those would prevent?

> That is why
> we have such a long long long thread. It came to the point where I am
> starting to believe him being a troll. Not sure yet, but it is getting
> there.

The thread grew so long partly because few people were offering 
suggestions on *preventive* measures (mostly on what to do differently 
next time to diagnose after the fact -- which was fine and useful, but I 
kept trying to steer the discussion back to preventive measures), and 
the two preventive measures that did come up the most, were using ssh 
keys and using fail2ban to stop people brute-forcing the login, and I 
kept explaining why I did not think that would make me any safer the 
next time around.

Note that after over 100 messages had been posted on the subject, 
someone did mention SELinux and the specific scenario (which has come up 
in the real world) in which SELinux can stop a break-in (exploit is 
found where attacker takes control of Apache, Apache writes to /tmp dir 
and tries to execute a program there).

If I had accepted the "advice" offered at the beginning to use keys 
instead of passwords, the discussion might have never gotten past that.  
It was because I stood my ground that brute-forcing a 12-character 
random password was not logically possible, that the discussion 
eventually turned to something which *might* at least reduce the chance 
of a future break-in.

> I am writing this for your sake, not his. I decided to just watch from
> no on. This thread WAS very informative, I did lear A LOT, but enough is
> enough, and I spent far to much time reading this thread.

More information about the CentOS mailing list