[CentOS] Fedora change that will probably affect RHEL

Thu Jul 30 16:17:04 UTC 2015
Chris Murphy <lists at colorremedies.com>

On Thu, Jul 30, 2015 at 8:32 AM, Lamar Owen <lowen at pari.edu> wrote:
> From a hacked Linux server which was brute-forced and
> conscripted into being a slow bruteforcer node back in 2009 or so.
...

> Better enforcement of password policy on that server would have prevented
> the attack from succeeding and the machine becoming an attacker itself.

In 2009, but I'm not sure how you can be this certain today if no
other defense strategy is employed. The only way to be certain a
server won't be attacked is if sshd is disabled, and essentially
certain it won't be if PKA only is allowed, and practically certain
with a 7 word passphrase. Less than this, it's a matter of the
attacker and time (yes a six word passphrase will take a government
entity and some time, but a four and even five word passphrase are
already in the realm of botnets and targeted attackers' ability to
crack).[1]

"Pretty much anything that can be remembered can be cracked."
–Schneier (although I think it's a bit of hyperbole, of course you can
remember a 7 word passphrase, but probably not too many of them).


[1]
http://world.std.com/~reinhold/dicewarefaq.html#128-bit

-- 
Chris Murphy
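Working out the entropy arithmetic behind the word counts in the message above, as an added example that is not part of the original post or of the Diceware FAQ it links. The guess rates in it are constructed, illustrative assumptions rather than measured figures; the 7776-word list size and the 128-bit level are the ones the linked FAQ anchor refers to.

```python
import math

# Diceware draws each word uniformly from a list of 6^5 = 7776 words,
# so every word contributes log2(7776) ~= 12.92 bits of entropy.
DICEWARE_LIST_SIZE = 6 ** 5

# Constructed, illustrative guess rates (assumptions, not measured figures):
# a single fast machine against a cheap hash, and a large distributed effort.
# Real rates depend on the hash function, salting and hardware involved.
ASSUMED_GUESS_RATES = {
    "single machine (1e9 guesses/s)": 1e9,
    "large distributed effort (1e12 guesses/s)": 1e12,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(words, list_size=DICEWARE_LIST_SIZE):
    """Number of distinct passphrases with the given word count."""
    return list_size ** words


def passphrase_entropy_bits(words, list_size=DICEWARE_LIST_SIZE):
    """Entropy in bits of a passphrase of `words` uniformly chosen words."""
    return words * math.log2(list_size)


def words_needed_for_bits(target_bits, list_size=DICEWARE_LIST_SIZE):
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def expected_seconds_to_crack(words, guesses_per_second, list_size=DICEWARE_LIST_SIZE):
    """Expected time for an exhaustive search, which on average tries half the keyspace."""
    return keyspace(words, list_size) / 2 / guesses_per_second


def crack_time_table(word_counts, rates=ASSUMED_GUESS_RATES):
    """Return {words: {rate_label: expected_years}} for the given word counts."""
    table = {}
    for n in word_counts:
        table[n] = {
            label: expected_seconds_to_crack(n, rate) / SECONDS_PER_YEAR
            for label, rate in rates.items()
        }
    return table


def main():
    print(f"bits per Diceware word: {passphrase_entropy_bits(1):.2f}")
    print(f"words needed for 128 bits: {words_needed_for_bits(128)}")
    for n, row in crack_time_table(range(4, 8)).items():
        bits = passphrase_entropy_bits(n)
        cells = ", ".join(f"{label}: {years:.3g} years" for label, years in row.items())
        print(f"{n} words ({bits:.1f} bits) -> {cells}")


if __name__ == "__main__":
    main()
```

Each added word multiplies the search space by 7776, so the table shows why the jump from four or five words to seven moves the expected search from days or years into geological time at the assumed rates, and why ten words are needed to reach the 128-bit level; the rates are the knob to adjust for a given hash and adversary model.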