Re: See what a weak password will get ya?
Greg Folkert wrote: Apparently, the best is to replace crypt based passwords with RSA based, and use longer passwords. Actually, best actual reasonable password is: to not use one I've noticed that using Debian without a root password requires some work. I'm comfortable in _my_ circumstances that anyone with physical access owns it anyway. Requiring a root password to get to single-user is a minor incovenience with several easy ways round it. Worse, if a filesystemcheck fails and drops you to single-user mode and you don't have a root passwd then you're stuffed. -- Cheers John -- spambait [EMAIL PROTECTED] [EMAIL PROTECTED] Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: See what a weak password will get ya?
On Thu, 22 Jul 2004 17:42:53 -0500, Paul Stolp [EMAIL PROTECTED] wrote: ./t ./h2 rm -rf h2 k;./brk Has anyone grabbed these and checked to see whats inside them? -- Jon Dowland [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: cracking - Re: See what a weak password will get ya?
On Thu, 22 Jul 2004, s. keeling wrote: Incoming from Alvin Oga: - and hopefully, they don't have the passwd file from /etc/shadow to compare against Agreed. Once they're in, all bets are off. best to assume they are already in and sniffing .. 24x7 and work knowing they can pick up info from their hidden special directory - if you write a single a into /tmp/a.txt the other 511 bytes is available for a secret filesystem ( lots of unused disk space available for hiding ( that regular tools will never find these constantly changing ( hidden files Why bother to crack if you can sniff? but they and anybody can sniff ??? and yes ... 10x easier to sniff and maybe even get lucky and get the passwd to all their machines at work too - sniff your boxes at the colo ... ( lots of wrong masks being set, to be able to sniff other ( machines - sorta illegal to sniff ?? - sniff the wireless connection ... 1/2 the wireless network is not encrypted, so hopefyully, they are least using ssh for all data transfers ( good for tricking a few people to hang around longer ( to see what they're sniffing on an unencrypted wep traffic - kimet + ethereal .. see your neighbor's data c ya alvin -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: See what a weak password will get ya?
on Thu, Jul 22, 2004 at 07:24:01PM -0700, Scarletdown ([EMAIL PROTECTED]) wrote: Paul Stolp wrote: I checked in on some bittorrent progress today at lunch, noticed my I'm not sure the July 19 log snippet is related, but seems likely. Anyways, I've re-downloaded the files the attacker used and removed (for posterity.) I changed all passwords, IP Address, I found the evidence at about 12:24. Just wanted to share the need for strong passwords. I second that recommendation. I always prefer to have passwords with the following features: Minimum of 8 characters At least 1 capital letter At least 1 lower case letter At least 1 number At least 1 special character An example of a good password (though since I'm posting it here, it can no longer be considered good) is: [EMAIL PROTECTED] My own preference is the 'pwgen' and 'gpw' utilities included in Debian, combined with either the PalmOS Keyring utility or the vim editing encrypted files transparently hack documented at: http://twiki.iwethey.org/Main/IwtNix Sample pwgen output: Eive3viequ oos5eigooV aeR0ahwein ooNigh1oos Jui6hailel oMaex1ohve xah8shoJai Ahnaotach9 Paiphie9ph pah8ahcaeG Uapahph6ik taiYolu4os aiHahp7jae usheXeec7a Ucei9joong Eteefa6aeg Eethohqu2i neiBaeg4ai Eiri7eagee Pahceibie8 Yeg0iediev eigiji6Gie Ouduo7pahs ya1weuNapo And for gpw: ulingain atailsel stedamen misavisi gasseder uarscroc rismener rectivac icadoura ishoonce What may not be immediately apparent is that the generated passwords are pronounceable in a rough sort of a way. The generation algorithms are tunable to greater randomnes or mnemonic qualities. It's possible to test quality by generating a known number of passwords, sorting and generating a uniq list, and counting the resulting lines. My findings are that even the relatively mnemonic lists are of very high quality. Best tests are on 1m or more paswords, but for a relatively short run of 100,000: $ time gpw 10 10 | sort | uniq | wc -l 99952 real0m9.968s user0m9.730s sys 0m0.050s $ time pwgen 10 10 | sort | uniq | wc -l 99960 real1m1.252s user0m13.550s sys 0m45.360s That's 99.952% and 99.960% uniq, respectively, default settings, ten-character keys. The observent reader will note that the length and count arguments are reversed for these utilities Remember this as you use them. For an adult user population, I find that these keys are usually pretty acceptable. Working with children, I'm using longer keys by combining a set of things. Favorites is a good one, and typical keys run 10-15 characters. Cryptanalysts will tell you that sticking to dictionary words reduces the search space markedly, but in balance, it's a good compromise. With a user-base extending into the hundreds, only a handful of the youngest routinely have problems logging in, and I know the keys are not likely used elsewhere. Druthers? I'd echo Greg Folkert's recommendations for key-based authentication, and use a fob-based password generator plus a PIN. Something randomly generated, something you have, something you know. Playing percentages, that's a pretty decent system. Biometrics? The shortage of replacement keys, and perverse incentives to key aquisition (and resultant discomfort) makes me *exceptionally* wary. Color me dubious (and leave me my digits and irises). Peace. -- Karsten M. Self [EMAIL PROTECTED]http://linuxmafia.com/~karsten Ceterum censeo, Caldera delenda est. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: See what a weak password will get ya?
Quoting s. keeling [EMAIL PROTECTED]: Incoming from Scarletdown: An example of a good password (though since I'm posting it here, it can no longer be considered good) is: [EMAIL PROTECTED] I disagree. A cracking program is going to attempt to match permutations of dictionary words. This will not add much more time to reach the solution. Better is concatenation of two strings that won't match a dictionary pattern: b1rDW0rm What also makes pretty good passwords is shifting your hands around on the keyboard. Take a simple to remember password (long enough) and then when typing on the keyboard, don't press the key you need but the on below it to the right (for example). slartibartfast becomes: x.zfgl zfgvzxg Letters to the right of the keyboard is best since they yield plenty of '\]\'/// stuff :) Also using shift every other letter or such is good. Be creative and combine different techniques instead of depending on one. A friend of mine once was complaining that he couldn't think of a decent password, so I made him this one: [EMAIL PROTECTED] Straight for the ass! (he's a dirty mind) Passwords are fun ;) joost DISCLAIMER This e-mail and any attached files are confidential and may be legally privileged. If you are not the addressee, any disclosure, reproduction, copying, distribution, or other dissemination or use of this communication is strictly prohibited. If you have received this transmission in error please notify A.S.T.R.I.D. nv/sa immediately and then delete this e-mail. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: See what a weak password will get ya?
on Thu, Jul 22, 2004 at 11:02:11PM -0700, Karsten M. Self ([EMAIL PROTECTED]) wrote:
on Thu, Jul 22, 2004 at 07:24:01PM -0700, Scarletdown ([EMAIL PROTECTED]) wrote:
Paul Stolp wrote:
I second that recommendation. I always prefer to have passwords with
the following features:
Minimum of 8 characters
My own preference is the 'pwgen' and 'gpw' utilities included in Debian,
combined with either the PalmOS Keyring utility or the vim editing
encrypted files transparently hack documented at:
...incidentally, this reminded me that I had to do some locking down of
systems here. I'd managed to goof a Samba config so that the, um,
trivial Linux system password I'd entered at account creation time
wasn't replaced by the Samba password.
I *knew* I had a number of accounts (several score) to fix. But didn't
know quite which.
Installed 'john' and copied the shadow file to another system. Found
the accounts in less than five minutes.
'chpasswd' is another slick utility. Feed it a list of accounts and
passwords (hashed or plaintext) in the form:
user:password
...and it will update in bulk.
To create that file, I simply ran straight from the 'john' output:
for u in $( awk '{gsub([()], , $2); print $2 }' john.out )
do
echo $u:$( pwgen 20 1 )
done | chpasswd
...which generates a set of 20 character random keys even I don't know.
When the users want access to that system, I'll reset their passwords...
...unless they done been misbehavin', in which case I'll have 'em guess
for a while first ;-)
Peace.
--
Karsten M. Self [EMAIL PROTECTED]http://linuxmafia.com/~karsten
Ceterum censeo, Caldera delenda est.
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: See what a weak password will get ya?
On Fri, 23 Jul 2004 00:04:53 -0400
charlie derr [EMAIL PROTECTED] wrote:
Paul Stolp wrote:
* dircha [EMAIL PROTECTED] [2004-07-22 21:48]:
Scarletdown wrote:
| == K
== X
| == P
Anyone else care to add to this little list?
0 == O
$ == S
|-| == H
|_| == U
|_ == L
\/\/ == W
/\/\ == M
|V| == M
|\| == N
|-o-| == tie fighter
{-o-} == tie interceptor
Good plan, I need to improve my ascii art collection.
^ = V or n //well, sort of :-0
! = i
4 = A
= G
3 = E
5 = S
+ = T
i suppose now i ought to look at the rest of the thread too (i didn't
notice where it started)
~c
d|-_-|b - stands for DJ
it looks like here we began an IRC chat;]
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: See what a weak password will get ya?
On Thu, Jul 22, 2004 at 07:24:01PM -0700, Scarletdown wrote: I second that recommendation. I always prefer to have passwords with the following features: Minimum of 8 characters At least 1 capital letter At least 1 lower case letter At least 1 number At least 1 special character Except that in an ideal world where everyone uses random passwords, this kind of restrictions actually makes the password easier to guess. Frank -- Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it. - Brian W. Kernighan -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: See what a weak password will get ya?
Frank Gevaerts [EMAIL PROTECTED] said on Fri, 23 Jul 2004 10:44:34 +0200: On Thu, Jul 22, 2004 at 07:24:01PM -0700, Scarletdown wrote: I second that recommendation. I always prefer to have passwords with the following features: Minimum of 8 characters At least 1 capital letter At least 1 lower case letter At least 1 number At least 1 special character Except that in an ideal world where everyone uses random passwords, this kind of restrictions actually makes the password easier to guess. That's precicely what I was thinking. For each character range of size N that you *must* choose, you diminish the keyspace by a factor of N/256. So, if you must have a capital letter, there goes a factor of 26/256 ~ 1/10. If you must have a capital letter or a number, then that's now 36/256. If you must have an underscore, then you lose a factor of 256. Whoa! Of course, the 256 in all of the above should really be quite a lot less (maybe 26+10+10 or so special chars?) because most people don't enter high ascii and control characters into their passwords - maybe they should :) -- TimC -- http://astronomy.swin.edu.au/staff/tconnors/ Chairman: I'm glad to see so many bright-eyed and bushy-tailed people here at this time of the morning. From the audience: Actually, most of us are rabid. -- From an astro talk -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: See what a weak password will get ya?
* Monique Y. Mudama [EMAIL PROTECTED] [2004-07-23 00:04]: I'd add the suggestion to not use obvious usernames like guest ... agree -- I will prob. replace this account name Btw, are you 100% sure they never managed to root you and replace some of your files? I wasn't 100% sure I wasn't cracked when I installed, but I am sure that my core utilities are the same as before this attempt. This and clean chkrootkit are enough for me, as long as I continue to watch what's going on. Thanks everyone, mostly I was just venting, but hopefully this will help prompt anyone who knows of a potential system weakness. Paul -- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: See what a weak password will get ya?
Hi, I haven't caught the start of this thread, but how can you be sure your core utilities have not been altered? Do have a record of how they looked before the crack (a backup, MD5 sums etc, AIDE,Tripwire database)?. IMO, you would really need to examine those binaries on another box against a known equivalent clean copy or backup/AIDE/Tripwire database before really being sure. Awais On Fri, 2004-07-23 at 12:23, Paul Stolp wrote: * Monique Y. Mudama [EMAIL PROTECTED] [2004-07-23 00:04]: I'd add the suggestion to not use obvious usernames like guest ... agree -- I will prob. replace this account name Btw, are you 100% sure they never managed to root you and replace some of your files? I wasn't 100% sure I wasn't cracked when I installed, but I am sure that my core utilities are the same as before this attempt. This and clean chkrootkit are enough for me, as long as I continue to watch what's going on. Thanks everyone, mostly I was just venting, but hopefully this will help prompt anyone who knows of a potential system weakness. Paul -- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: See what a weak password will get ya?
On Thursday 22 July 2004 17:42, Paul Stolp wrote: See what a weak password will get ya? No. I do, however, see what allowing password logins to an SSH server will get you. I could set my password to foo and you still aren't getting in without my RSA key (or Kerberos ticket). Oh, and disable root logins while you're at it if you haven't already. -- Kirk Strauser pgpO1AqXYGwe2.pgp Description: signature
Re: See what a weak password will get ya?
Paul Stolp wrote: I checked in on some bittorrent progress today at lunch, noticed my I'm not sure the July 19 log snippet is related, but seems likely. Anyways, I've re-downloaded the files the attacker used and removed (for posterity.) I changed all passwords, IP Address, I found the evidence at about 12:24. Just wanted to share the need for strong passwords. I second that recommendation. I always prefer to have passwords with the following features: Minimum of 8 characters At least 1 capital letter At least 1 lower case letter At least 1 number At least 1 special character An example of a good password (though since I'm posting it here, it can no longer be considered good) is: [EMAIL PROTECTED] Meets all the above specifications, plus is readable. Combining special characters to make letters also helps. Though at the moment, I can only think of 3 combinations... | == K == X | == P Anyone else care to add to this little list? -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: See what a weak password will get ya?
Scarletdown wrote:
| == K
== X
| == P
Anyone else care to add to this little list?
0 == O
$ == S
|-| == H
|_| == U
|_ == L
\/\/ == W
/\/\ == M
|V| == M
|\| == N
|-o-| == tie fighter
{-o-} == tie interceptor
8~~
?
8-)
...
!
--dircha
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
OT: Re: See what a weak password will get ya?
Incoming from Paul Stolp: I checked in on some bittorrent progress today at lunch, noticed my process monitor showing full activity. Ran top, saw user guest logged on, running 4 instances of a program named t, and short term load average over 4. AAGGGHHH! shutdown -h now ! pull network cable reboot look for damage, whew, I was O.K. -- I'm sure it helps to be up to date ... How did you manage to verify that? Are you running chkrootkit? tripwire? Something else? (0) keeling /home/keeling_ host smenlove.home.ro smenlove.home.roA 81.196.20.133 (0) keeling /home/keeling_ ripe 81.196.20.133 inetnum: 81.196.20.128 - 81.196.20.159 netname: RO-RDS-HOME-RO descr:Home.RO / Go.RO country: RO admin-c: HAD6-RIPE tech-c: HAD6-RIPE status: ASSIGNED PA remarks: INFRA-AW remarks: +---+ remarks: | ABUSE CONTACT: [EMAIL PROTECTED] IN CASE OF HACK ATTACKS, | remarks: | ILLEGAL ACTIVITY, VIOLATION, SCANS, PROBES, SPAM, ETC.| remarks: +---+ ... (0) keeling /home/keeling_ ripe 131.234.157.10 inetnum: 131.234.0.0 - 131.234.255.255 netname: UNIPADERBORN descr:Universitaet Paderborn country: DE ... (0) keeling /home/keeling_ host 80.110.102.105 Name: chello080110102105.508.15.vie.surfer.at Address: 80.110.102.105 (0) keeling /home/keeling_ ripe 80.110.102.105 inetnum: 80.110.48.0 - 80.110.118.255 netname: VIE-15-CUSTOMER-LANCITY descr:chello Austria descr:Lancity Customers in Vienna, Headend 15 country: AT admin-c: HMCB1-RIPE tech-c: HMCB1-RIPE status: ASSIGNED PA remarks: Contact [EMAIL PROTECTED] concerning criminal remarks: activities like spam, hacks, portscans Jul 22 10:24:39 greta sshd[22405]: Accepted password for guest from 156.17.99.11 port 37228 ssh2 Jul 22 10:24:39 greta sshd[22407]: (pam_unix) session opened for user guest by ( uid=0) ...^ Jul 22 12:09:33 greta sshd[22595]: Accepted password for guest from 80.110.102.105 port 3938 ssh2 Jul 22 12:09:33 greta sshd[22597]: (pam_unix) session opened for user guest by (uid=0) Jul 22 12:12:45 greta passwd[22663]: (pam_unix) authentication failure; logname=guest uid=1002 euid=0 tty= ruser= .^^ Just wanted to share the need for strong passwords. Not to mention backups and fresh installation media? -- Any technology distinguishable from magic is insufficiently advanced. (*) http://www.spots.ab.ca/~keeling - - -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: See what a weak password will get ya?
Incoming from Scarletdown: An example of a good password (though since I'm posting it here, it can no longer be considered good) is: [EMAIL PROTECTED] I disagree. A cracking program is going to attempt to match permutations of dictionary words. This will not add much more time to reach the solution. Better is concatenation of two strings that won't match a dictionary pattern: b1rDW0rm | == K == X | == P Anyone else care to add to this little list? Hadn't thought of those. Cute. Apparently, the best is to replace crypt based passwords with RSA based, and use longer passwords. -- Any technology distinguishable from magic is insufficiently advanced. (*) http://www.spots.ab.ca/~keeling - - -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: See what a weak password will get ya?
On Thu, 22 Jul 2004 17:42:53 -0500 Paul Stolp [EMAIL PROTECTED] wrote: I checked in on some bittorrent progress today at lunch, noticed my process monitor showing full activity. Ran top, saw user guest logged on, running 4 instances of a program named t, and short term load average over 4. AAGGGHHH! shutdown -h now ! Believe it or not, this is often a bad idea. It's often easier to determine the scope of a compromise by watching the intrude for a little while than to attempt to find out afterwards with forensics. pull network cable reboot look for damage, whew, I was O.K. How did you determine this? -c -- Chris Metzler [EMAIL PROTECTED] (remove snip-me. to email) As a child I understood how to give; I have forgotten this grace since I have become civilized. - Chief Luther Standing Bear pgpQjMBW1NFKJ.pgp Description: PGP signature
Re: See what a weak password will get ya?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On July 22, 2004 10:59 pm, s. keeling wrote: Incoming from Scarletdown: An example of a good password (though since I'm posting it here, it can no longer be considered good) is: [EMAIL PROTECTED] I disagree. A cracking program is going to attempt to match permutations of dictionary words. This will not add much more time to reach the solution. Better is concatenation of two strings that won't match a dictionary pattern: b1rDW0rm I'm pretty sure dictionary attack also look for this. (?) Use other characters that will make the word absolutely not dictionar- related x[([EMAIL PROTECTED])~(w0rD)]x Still as easy to remember (longer to type though) | == K | == X | == P Anyone else care to add to this little list? Hadn't thought of those. Cute. Apparently, the best is to replace crypt based passwords with RSA based, and use longer passwords. -- Any technology distinguishable from magic is insufficiently advanced. (*) http://www.spots.ab.ca/~keeling - - - -- Mathieu Ducharme [EMAIL PROTECTED] Use GPG to avoid spam trap -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFBAIcingfWgVs5hW0RAj20AKDJrhzVJg6isKeIAia/iEaGC3NeHQCgpBkf Yh5JlhDFcg1fCEBwrpaKmvY= =+Wfi -END PGP SIGNATURE-
Re: See what a weak password will get ya?
Incoming from Mathieu Ducharme: On July 22, 2004 10:59 pm, s. keeling wrote: Incoming from Scarletdown: An example of a good password (though since I'm posting it here, it can no longer be considered good) is: [EMAIL PROTECTED] I disagree. A cracking program is going to attempt to match permutations of dictionary words. This will not add much more time to b1rDW0rm I'm pretty sure dictionary attack also look for this. (?) It was just an example. I sprinkle liberally with punctuation. :-) Use other characters that will make the word absolutely not dictionary related x[([EMAIL PROTECTED])~(w0rD)]x However, if you haven't moved to RSA based longer passwords, that's effectively x[([EMAIL PROTECTED]) (which isn't bad, but you may be typing more than is recognized). Stock passwords are eight chars. The rest are ignored. -- Any technology distinguishable from magic is insufficiently advanced. (*) http://www.spots.ab.ca/~keeling - - -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: See what a weak password will get ya?
* dircha [EMAIL PROTECTED] [2004-07-22 21:48]:
Scarletdown wrote:
| == K
== X
| == P
Anyone else care to add to this little list?
0 == O
$ == S
|-| == H
|_| == U
|_ == L
\/\/ == W
/\/\ == M
|V| == M
|\| == N
|-o-| == tie fighter
{-o-} == tie interceptor
Good plan, I need to improve my ascii art collection.
--
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: OT: Re: See what a weak password will get ya?
* s. keeling [EMAIL PROTECTED] [2004-07-22 22:03]: Incoming from Paul Stolp: I checked in on some bittorrent progress today at lunch, noticed my process monitor showing full activity. Ran top, saw user guest logged on, running 4 instances of a program named t, and short term load average over 4. AAGGGHHH! shutdown -h now ! pull network cable reboot look for damage, whew, I was O.K. -- I'm sure it helps to be up to date ... How did you manage to verify that? Are you running chkrootkit? tripwire? Something else? chkrootkit, plus verification of md5sums of certain binaries. (0) keeling /home/keeling_ host smenlove.home.ro smenlove.home.roA 81.196.20.133 (0) keeling /home/keeling_ ripe 81.196.20.133 inetnum: 81.196.20.128 - 81.196.20.159 netname: RO-RDS-HOME-RO descr:Home.RO / Go.RO country: RO admin-c: HAD6-RIPE tech-c: HAD6-RIPE status: ASSIGNED PA remarks: INFRA-AW remarks: +---+ remarks: | ABUSE CONTACT: [EMAIL PROTECTED] IN CASE OF HACK ATTACKS, | remarks: | ILLEGAL ACTIVITY, VIOLATION, SCANS, PROBES, SPAM, ETC.| remarks: +---+ ... Reported. Jul 22 10:24:39 greta sshd[22405]: Accepted password for guest from 156.17.99.11 port 37228 ssh2 Jul 22 10:24:39 greta sshd[22407]: (pam_unix) session opened for user guest by ( uid=0) ...^ maybe I'm missing something, but isn't that how sshd works? That's what I get logging in from my usual account... Jul 22 12:09:33 greta sshd[22595]: Accepted password for guest from 80.110.102.105 port 3938 ssh2 Jul 22 12:09:33 greta sshd[22597]: (pam_unix) session opened for user guest by (uid=0) Jul 22 12:12:45 greta passwd[22663]: (pam_unix) authentication failure; ^^^ logname=guest uid=1002 euid=0 tty= ruser= .^^ Just wanted to share the need for strong passwords. Not to mention backups and fresh installation media? You better believe it! -- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: See what a weak password will get ya?
* Chris Metzler [EMAIL PROTECTED] [2004-07-22 22:18]: On Thu, 22 Jul 2004 17:42:53 -0500 Paul Stolp [EMAIL PROTECTED] wrote: shutdown -h now ! Believe it or not, this is often a bad idea. It's often easier to determine the scope of a compromise by watching the intrude for a little while than to attempt to find out afterwards with forensics. I thought this afterwards, but it appears the attacker went away empty handed anyways. He was already logged out when I noticed the high load. He tried to kill the t program, but couldn't. I suspect he was somewhat inept (as was I with the pathetic password I assigned to the guest account!) in reviewing the logs and bash history, it becomes fairly easy to piece together. I will definitely consider your advice when I'm in this situation again. look for damage, whew, I was O.K. How did you determine this? chkrootkit and, more satisfying to me, md5sums of some key binaries. Thanks, Paul -- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: See what a weak password will get ya?
Paul Stolp wrote:
* dircha [EMAIL PROTECTED] [2004-07-22 21:48]:
Scarletdown wrote:
| == K
== X
| == P
Anyone else care to add to this little list?
0 == O
$ == S
|-| == H
|_| == U
|_ == L
\/\/ == W
/\/\ == M
|V| == M
|\| == N
|-o-| == tie fighter
{-o-} == tie interceptor
Good plan, I need to improve my ascii art collection.
^ = V or n //well, sort of :-0
! = i
4 = A
= G
3 = E
5 = S
+ = T
i suppose now i ought to look at the rest of the thread too (i didn't
notice where it started)
~c
signature.asc
Description: OpenPGP digital signature
Re: OT: Re: See what a weak password will get ya?
Incoming from Paul Stolp: * s. keeling [EMAIL PROTECTED] [2004-07-22 22:03]: Incoming from Paul Stolp: look for damage, whew, I was O.K. -- I'm sure it helps to be up to date ... How did you manage to verify that? Are you running chkrootkit? tripwire? Something else? chkrootkit, plus verification of md5sums of certain binaries. Good luck. You're drivin'. Me? I'd at least take it off-line and burn a CD. Then you can have something to compare it to if anything starts to look wonky in the future. -- Any technology distinguishable from magic is insufficiently advanced. (*) http://www.spots.ab.ca/~keeling - - -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: See what a weak password will get ya?
On Thu, 2004-07-22 at 22:59, s. keeling wrote: Incoming from Scarletdown: An example of a good password (though since I'm posting it here, it can no longer be considered good) is: [EMAIL PROTECTED] I disagree. A cracking program is going to attempt to match permutations of dictionary words. This will not add much more time to reach the solution. Better is concatenation of two strings that won't match a dictionary pattern: b1rDW0rm | == K == X | == P Anyone else care to add to this little list? Hadn't thought of those. Cute. Apparently, the best is to replace crypt based passwords with RSA based, and use longer passwords. Actually, best actual reasonable password is: to not use one Use key-based authentication. Personally, I use 2048bit keys for machine that are considered core/valuable. Play machines... only get 1024bit. I have a master private key, with everything being generated as subkeys from that. Yeap, the passphrase for it is actually purty darn long. It is one of those things you hate to type in. I really think about how long it is, it just flows from the hands. Now come to think of it... at least 25 characters long. Key authentication is by far much more secure than a regular password. Best part is, you can make it so you only have to type your pass phrase ONCE! -- greg, [EMAIL PROTECTED] The technology that is Stronger, better, faster: Linux signature.asc Description: This is a digitally signed message part
Re: See what a weak password will get ya?
On 2004-07-22, Paul Stolp penned: Anyways, I've re-downloaded the files the attacker used and removed (for posterity.) I changed all passwords, IP Address, I found the evidence at about 12:24. Just wanted to share the need for strong passwords. I'd add the suggestion to not use obvious usernames like guest ... Btw, are you 100% sure they never managed to root you and replace some of your files? -- monique -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: See what a weak password will get ya?
Mathieu Ducharme [EMAIL PROTECTED] said on Thu, 22 Jul 2004 23:33:48 -0400: I'm pretty sure dictionary attack also look for this. (?) Use other characters that will make the word absolutely not dictionar- related x[([EMAIL PROTECTED])~(w0rD)]x Still as easy to remember (longer to type though) I don't rememeber my password, my fingers do. Which means, that when you come off a plane with your BIOS passwd protected laptop that you had been using fine for quite some time on the plane and at the airport, and you develop a massive headache, then the headache goes away, and you plug in, and try to remember your password, because your fingers are getting it wrong, well, no good happens. So you try to log in to your home institution, thinking that maybe the BIOS absorbed a few too many cosmic rays, and start panicking, because none of the passwords you have used in the past 5 years works. Eventually, let the pain in your head subside, and find out that that headache simply caused your brain to forget that you changed passwords about a month back, and somehow your fingers aren't remembering for the time being :) -- TimC -- http://astronomy.swin.edu.au/staff/tconnors/ Does bacteria culture in coffee cup qualify as pet? Have already givink it name. -- Pitr Dubovich/User Friendly -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
cracking - Re: See what a weak password will get ya?
On Thu, 22 Jul 2004, s. keeling wrote: I disagree. A cracking program is going to attempt to match permutations of dictionary words. This will not add much more time to ... how fast can a cracking system go thru dictionary words that are mispelled with various digits and special char - changing o to 0 ( and equivalents ) wont slow down the crackers - brute force cracking will take 60**8 permutations (1.7x10**14) :-) ( a-z A-Z 0-9 30special chars ) - a small number of permutations by math standards - but NOT all character positions will be special random characters which than simplifies the possible permutations if you can think of these modified passwd, a good cracking program should already be checking for it too :-) -- a trick question ... how does the cracker know that they hit the right passwd ?? - they cant be logging into your box for each try - your box should be denying remote access after 3-5 failed login attempts - and hopefully, they don't have the passwd file from /etc/shadow to compare against However, if you haven't moved to RSA based longer passwords, that's effectively x[([EMAIL PROTECTED]) (which isn't bad, but you may be typing more than is recognized). Stock passwords are eight chars. The rest are ignored. it seem like some systems uses more than 8char pwd and others ignore the balance .. c ya alvin -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: cracking - Re: See what a weak password will get ya?
Incoming from Alvin Oga: - and hopefully, they don't have the passwd file from /etc/shadow to compare against Agreed. Once they're in, all bets are off. Why bother to crack if you can sniff? -- Any technology distinguishable from magic is insufficiently advanced. (*) http://www.spots.ab.ca/~keeling - - -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
