On Thu, 10 Feb 2005 10:51:33 -0600, Rich Adamson <[EMAIL PROTECTED]> wrote:

> > I had the system set up to allow http and ssh.
> >
> > The hack came in through ssh.
>
> For those that aren't heavily involved with security topics, there
> have been many different approaches from many different IPs attempting
> to:
> a) exploit known ssh holes, and,
> b) ssh password guessing
>
> We tend to watch these attempts rather closely through intrusion detection
> tools like snort. As consultants, we are also under retainers to
> assist other companies with securing their facilities and watching
> for exploits. The exploit attempts happen every single day.
>
> There are multiple password guessing tools commonly available on
> the Internet. I eval'ed one of the tools and it took five seconds
> to guess a password that was five characters in length. It took an
> hour to guess a password that was eight characters, and around
> twenty-four hours to guess a password that was eight characters made
> up of uppercase, lowercase and non-alpha characters (eg, complex).
> Regardless, the guessing process is simply how much time does one
> want to devote to doing it (eg, what's the return value for spending
> the time exploiting a system).
>
> It doesn't make much difference whether one exposes telnet or ssh.
> Both can be exploited. But, the more complex you make the password,
> the more time-consuming and difficult it is to guess it.
>
> So, if you must expose either telnet or ssh, make your passwords very
> long and complex. If your O/S has the capability to lock out the account
> after 'xx' failed passwords, then do that. Automatically resetting the
> process after 'y' minutes disrupts the guessing process without the
> hacker knowing it, but still allows you access after that auto reset.
> Using something like seven failed attempts with a five minute reset
> is more than adequate in most cases.
I know that there are opinions opposed to it, but what about port knocking in addition to everything we've discussed? Scanners would simply move along after seeing no open ports. I realize this is a form of security through obscurity, but it seems in some instances it would be a good *addition* to *other* security measures (never to be used as the sole security measure).

Geoff

--
I have some G-Mail invites. Let me know if you want one.

_______________________________________________
Asterisk-Users mailing list
[email protected]
http://lists.digium.com/mailman/listinfo/asterisk-users
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
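The lockout scheme Rich describes above (lock the account after a fixed number of failed passwords, then automatically clear the lock a few minutes later so the legitimate user is not shut out for good) can be checked against real sshd log output. The following is an added example, not code from the thread or from Asterisk: it replays a constructed sshd log excerpt through a per-source lockout policy using Rich's suggested numbers (seven failures, five minute reset) and records the decision for each attempt. The log lines, hostnames and addresses are constructed; the year 2005 is assumed because syslog timestamps carry none.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sshd log excerpt for this example (not from the original thread).
# 192.0.2.77 guesses passwords in a burst; 198.51.100.9 is a legitimate user
# who mistypes once and then logs in.
SAMPLE_LOG = """\
Feb 10 10:51:01 pbx sshd[2201]: Failed password for root from 192.0.2.77 port 40211 ssh2
Feb 10 10:51:02 pbx sshd[2203]: Failed password for root from 192.0.2.77 port 40212 ssh2
Feb 10 10:51:02 pbx sshd[2205]: Failed password for invalid user admin from 192.0.2.77 port 40213 ssh2
Feb 10 10:51:03 pbx sshd[2207]: Failed password for root from 192.0.2.77 port 40214 ssh2
Feb 10 10:51:04 pbx sshd[2209]: Failed password for root from 192.0.2.77 port 40215 ssh2
Feb 10 10:51:05 pbx sshd[2211]: Failed password for invalid user test from 192.0.2.77 port 40216 ssh2
Feb 10 10:51:06 pbx sshd[2213]: Failed password for root from 192.0.2.77 port 40217 ssh2
Feb 10 10:51:07 pbx sshd[2215]: Failed password for root from 192.0.2.77 port 40218 ssh2
Feb 10 10:51:08 pbx sshd[2217]: Failed password for root from 192.0.2.77 port 40219 ssh2
Feb 10 10:52:30 pbx sshd[2230]: Failed password for geoff from 198.51.100.9 port 51000 ssh2
Feb 10 10:52:41 pbx sshd[2232]: Accepted password for geoff from 198.51.100.9 port 51001 ssh2
Feb 10 10:57:00 pbx sshd[2300]: Failed password for root from 192.0.2.77 port 40300 ssh2
"""

# Matches the two sshd password-auth outcomes; "invalid user" is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_ts(text, year=2005):
    """Syslog timestamps carry no year; the thread is from Feb 2005, so assume it."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


class LockoutPolicy:
    """Lock a source after `threshold` failed passwords and clear the lock
    automatically `reset` later, as suggested in the thread."""

    def __init__(self, threshold=7, reset=timedelta(minutes=5)):
        self.threshold = threshold
        self.reset = reset
        self.failures = defaultdict(int)  # failures since last reset, per source
        self.locked_until = {}            # source -> datetime the lock expires
        self.events = []                  # (timestamp, source, decision)

    def _expire(self, src, now):
        """Auto reset: once the lock has aged out, forget the failure count."""
        until = self.locked_until.get(src)
        if until is not None and now >= until:
            del self.locked_until[src]
            self.failures[src] = 0
            self.events.append((now, src, "reset"))

    def observe(self, now, src, result):
        self._expire(src, now)
        if src in self.locked_until:
            # Attempt during the lockout window: rejected whatever the password.
            self.events.append((now, src, "blocked"))
            return "blocked"
        if result == "Accepted":
            self.failures[src] = 0
            self.events.append((now, src, "allowed"))
            return "allowed"
        self.failures[src] += 1
        if self.failures[src] >= self.threshold:
            self.locked_until[src] = now + self.reset
            self.events.append((now, src, "locked"))
            return "locked"
        self.events.append((now, src, "failed"))
        return "failed"


def replay(log_text, threshold=7, reset=timedelta(minutes=5)):
    """Run every parsable log line through the policy and return its event list."""
    policy = LockoutPolicy(threshold, reset)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        policy.observe(parse_ts(m["ts"]), m["src"], m["result"])
    return policy.events


def summarize(events):
    """Count decisions, e.g. how many guesses the lock actually turned away."""
    return dict(Counter(decision for _, _, decision in events))


if __name__ == "__main__":
    evs = replay(SAMPLE_LOG)
    for ts, src, decision in evs:
        print(ts, src, decision)
    print(summarize(evs))
```

With the sample data the guessing source is locked on its seventh failure at 10:51:06, its next two guesses are rejected outright, and the lock ages out before its 10:57:00 attempt, which then counts as a fresh first failure. The legitimate user's single mistype never comes near the threshold. The same replay can be pointed at a real auth log to see how often a given threshold and reset window would have fired.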
