On Thu, Jul 30, 2015 at 8:32 AM, Lamar Owen <lowen at pari.edu> wrote: >From a hacked Linux server which was brute-forced and > conscripted into being a slow bruteforcer node back in 2009 or so. ... > Better enforcement of password policy on that server would have prevented > the attack from succeeding and the machine becoming an attacker itself. In 2009, but I'm not sure how you can be this certain today if no other defense strategy is employed. The only way to be certain a server won't be attacked is if sshd is disabled, and essentially certain it won't be if PKA only is allowed, and practically certain with a 7 word passphrase. Less than this, it's a matter of the attacker and time (yes a six word passphrase will take a government entity and some time, but a four and even five word passphrase are already in the realm of botnets and targeted attackers' ability to crack).[1] "Pretty much anything that can be remembered can be cracked." –Schneier (although I think it's a bit of hyperbole, of course you can remember a 7 word passphrase, but probably not too many of them). [1] http://world.std.com/~reinhold/dicewarefaq.html#128-bit -- Chris Murphy