> > > I had the system set up to allow http and ssh.
> > >
> > > The hack came in through ssh.
> >
> > For those that aren't heavily involved with security topics, there
> > have been many different approaches from many different IPs attempting
> > to:
> > a) exploit known ssh holes, and,
> > b) ssh password guessing
> >
> > We tend to watch these attempts rather closely through intrusion detection
> > tools like snort. As consultants, we are also under retainers to
> > assist other companies with securing their facilities and watching
> > for exploits. The exploit attempts happen every single day.
> >
> > There are multiple password guessing tools commonly available on
> > the Internet. I eval'ed one of the tools and it took five seconds
> > to guess a password that was five characters in length. It took an
> > hour to guess a password that was eight characters, and around
> > twenty-four hours to guess a password that was eight characters made
> > up of uppercase, lowercase and non-alpha characters (eg, complex).
> > Regardless, the guessing process is simply how much time does one
> > want to devote to doing it (eg, what's the return value for spending
> > the time exploiting a system).
> >
> > It doesn't make much difference whether one exposes telnet or ssh.
> > Both can be exploited. But, the more complex you make the password,
> > the more time-consuming and difficult it is to guess it.
> >
> > So, if you must expose either telnet or ssh, make your passwords very
> > long and complex. If your O/S has the capability to lock out the account
> > after 'xx' failed passwords, then do that. Automatically resetting the
> > process after 'y' minutes disrupts the guessing process without the
> > hacker knowing it, but still allows you access after that auto reset.
> > Using something like seven failed attempts with a five minute reset
> > is more than adequate in most cases.
>
> I know that there are opinions opposed to it, but what about port
> knocking in addition to everything we've discussed. Scanners would
> simply move along after seeing no open ports. I realize this is a
> form of security through obscurity, but it seems in some instances it
> would be a good *addition* to *other* security measures (never to be
> used as the sole security measure).
I could certainly agree with that.

_______________________________________________
Asterisk-Users mailing list
[email protected]
http://lists.digium.com/mailman/listinfo/asterisk-users
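The lockout policy recommended in the quoted message (lock the account after 'xx' failed passwords, automatically reset after 'y' minutes, with seven attempts and five minutes as the suggested values) can be tried out against sshd log lines. The following is an added example written for this thread, not code from any poster or from the Asterisk project; the log lines are constructed, the year 2024 is assumed because syslog timestamps carry none, and the class and function names (`LockoutPolicy`, `replay`, `parse_line`) are this example's own.

```python
"""Replay sshd auth-log lines through an account-lockout policy.

Added example for the Asterisk-Users thread, not from the list itself:
lock an account after MAX_FAILURES failed passwords and clear the lock
automatically after RESET_MINUTES, as the quoted poster recommends.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

MAX_FAILURES = 7      # 'xx' failed passwords before the account is locked
RESET_MINUTES = 5     # 'y' minutes after which the lock clears on its own
LOG_YEAR = 2024       # assumed: syslog timestamps have no year field

# Matches the two sshd messages this policy cares about; all other
# lines (connection closed, key exchange noise, ...) are ignored.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+)"
)


@dataclass
class AccountState:
    failures: int = 0
    locked_until: Optional[datetime] = None


class LockoutPolicy:
    """Per-account failure counter with a self-expiring lock.

    Keying on the account name (as the poster describes) means a guesser
    can keep the real user out for one reset window; the short automatic
    reset is what bounds that side effect.
    """

    def __init__(self, max_failures: int = MAX_FAILURES,
                 reset_minutes: int = RESET_MINUTES) -> None:
        self.max_failures = max_failures
        self.reset = timedelta(minutes=reset_minutes)
        self.state: Dict[str, AccountState] = {}

    def _expire(self, st: AccountState, now: datetime) -> None:
        # Automatic reset: once the lock period has elapsed the account is
        # usable again and the failure counter starts over from zero.
        if st.locked_until is not None and now >= st.locked_until:
            st.locked_until = None
            st.failures = 0

    def is_locked(self, account: str, now: datetime) -> bool:
        st = self.state.get(account)
        if st is None:
            return False
        self._expire(st, now)
        return st.locked_until is not None

    def observe(self, account: str, success: bool, now: datetime) -> str:
        """Record one login attempt and return the action taken."""
        st = self.state.setdefault(account, AccountState())
        if self.is_locked(account, now):
            return "reject_locked"   # attempt never reaches the password check
        if success:
            st.failures = 0          # a good login clears the counter
            return "ok"
        st.failures += 1
        if st.failures >= self.max_failures:
            st.locked_until = now + self.reset
            return "lock"
        return "fail"


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, bool]]:
    """Return (timestamp, user, source ip, success) or None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"], m["result"] == "Accepted"


def replay(log_text: str, policy: Optional[LockoutPolicy] = None
           ) -> List[Tuple[str, str, str, str]]:
    """Feed each parsable line to the policy; return (time, user, ip, action)."""
    policy = policy or LockoutPolicy()
    out: List[Tuple[str, str, str, str]] = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, ip, ok = parsed
        out.append((ts.strftime("%H:%M:%S"), user, ip, policy.observe(user, ok, ts)))
    return out


# Constructed sample: seven guesses against root from one source, an eighth
# that arrives while locked, an unrelated good login, a guess after the
# five-minute reset, and finally the real owner logging in.
SAMPLE_LOG = """\
Mar 12 10:00:01 pbx sshd[1201]: Failed password for root from 203.0.113.7 port 51000 ssh2
Mar 12 10:00:02 pbx sshd[1201]: Connection closed by 203.0.113.7 port 51000
Mar 12 10:00:03 pbx sshd[1202]: Failed password for root from 203.0.113.7 port 51001 ssh2
Mar 12 10:00:05 pbx sshd[1203]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar 12 10:00:07 pbx sshd[1204]: Failed password for root from 203.0.113.7 port 51003 ssh2
Mar 12 10:00:09 pbx sshd[1205]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar 12 10:00:11 pbx sshd[1206]: Failed password for root from 203.0.113.7 port 51005 ssh2
Mar 12 10:00:13 pbx sshd[1207]: Failed password for root from 203.0.113.7 port 51006 ssh2
Mar 12 10:00:15 pbx sshd[1208]: Failed password for root from 203.0.113.7 port 51007 ssh2
Mar 12 10:03:00 pbx sshd[1209]: Accepted password for admin from 198.51.100.5 port 40200 ssh2
Mar 12 10:06:00 pbx sshd[1210]: Failed password for root from 203.0.113.7 port 51008 ssh2
Mar 12 10:07:00 pbx sshd[1211]: Accepted password for root from 192.0.2.10 port 40300 ssh2
"""

if __name__ == "__main__":
    for when, user, ip, action in replay(SAMPLE_LOG):
        print(f"{when} {user:<6} {ip:<14} {action}")
```

Run as a script, the seventh failure produces `lock`, the eighth attempt is reported as `reject_locked` without the password ever being checked, and the attempt at 10:06 (past the five-minute reset) is counted as a fresh first failure, so the legitimate login at 10:07 succeeds. Keying the counter on the source address instead of the account name, as tools such as fail2ban do, is the usual way to avoid a guesser locking out the real user.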
