Ah yeah, I actually tried John the Ripper, but some of my users only
exist for a week or so, so it's not exactly practical to run it every
time a new user is made. But I do run it from time to time anyway.
Most of my authentication on my system is done via PAM. I was wondering
if there was a way to enforce stricter policies such as locking IPs out for
a few hours at a time after 10 login failures in X amount of time or
something like that. I have a fairly limited understanding of PAM and
how to configure it and don't know if this is feasible. Also I very vaguely
remember reading somewhere about automated IP blacklists of some sort: I
realize that this would only cover people with static IPs, but I was
thinking -- if they did exist -- somehow getting my firewall to use one
might be a step in the right direction.
Thanks for all the feedback,
Michael
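The lockout policy Michael asks about above (lock a source out for a few hours after 10 failed logins inside a short window), worked through as an added example that is not part of this thread: a Python sliding-window counter over sshd "Failed password" lines. The host name, IPs, timestamps, thresholds and log lines are all constructed for the demo; a real deployment would read the auth log and hand the resulting lockouts to the firewall or a PAM module instead of printing them.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Classic syslog-prefixed sshd failure line, e.g.
# "Sep 14 10:32:00 srv sshd[4000]: Failed password for invalid user admin from 192.0.2.10 port 50000 ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

def parse_failures(lines, year=2005):
    """Yield (timestamp, ip, user) for each failed-login line; skip everything else.
    Syslog omits the year, so it is supplied by the caller (assumed 2005 here)."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]

def find_lockouts(lines, threshold=10, window=timedelta(minutes=10),
                  lockout=timedelta(hours=2)):
    """Return {ip: lockout_expiry} for every source that reached `threshold`
    failures inside a sliding `window`. Failures arriving during an active
    lockout are ignored so a banned host cannot keep extending its own ban."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside window
    locked = {}                   # ip -> datetime at which the lockout expires
    for ts, ip, _user in parse_failures(lines):
        if ip in locked and ts < locked[ip]:
            continue              # still locked out; do not count this attempt
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= threshold:
            locked[ip] = ts + lockout
            q.clear()             # start counting fresh once the lockout ends
    return locked

# Constructed sample log: one host hammering "admin" every 10 seconds,
# another user mistyping a password twice an hour apart.
SAMPLE_LOG = [
    f"Sep 14 10:{32 + i // 6:02d}:{(i * 10) % 60:02d} srv sshd[{4000 + i}]: "
    f"Failed password for invalid user admin from 192.0.2.10 port {50000 + i} ssh2"
    for i in range(12)
] + [
    "Sep 14 10:35:01 srv sshd[4100]: Failed password for mike from 198.51.100.7 port 51001 ssh2",
    "Sep 14 10:35:09 srv sshd[4101]: Accepted password for mike from 198.51.100.7 port 51001 ssh2",
    "Sep 14 11:05:00 srv sshd[4102]: Failed password for mike from 198.51.100.7 port 51002 ssh2",
]

if __name__ == "__main__":
    for ip, until in find_lockouts(SAMPLE_LOG).items():
        print(f"{ip} locked out until {until:%Y-%m-%d %H:%M:%S}")
```

The tenth failure from 192.0.2.10 lands at 10:33:30, so that source is locked out until 12:33:30 and its two later attempts are not counted, while 198.51.100.7 never reaches the threshold.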
Rob wrote:
On Wed, Sep 14, 2005 at 10:32:59AM -0400, Don Schmadel wrote:
Several months ago my machine was compromised through ssh by a system in
the Netherlands. They gained access through a user with an easy password
and then used "su" along with an enormous list of password combinations
to get root access. Finally they installed a "root kit" which caused my
machine to attempt to compromise others.
The only way to be safe is to:
1) Carefully check your ssh config file to make sure that "admin", "test",
and similar users do not have access.
2) Use long (more than 8 characters), very random passwords. "Root kits"
contain entire dictionaries which they use for sample passwords.
3) Put any sensitive info on an encrypted partition and demount it
when you are not accessing it.
With "root kits" attacks can come from your nearest neighbor, so
blocking is of little use.
Something else that is useful is to regularly run John the Ripper
(http://www.openwall.com/john/) or similar on your password file to
make sure that users are picking good passwords. Having poor passwords
creates all kinds of problems (as I guess you found out ;-( ).
- Rob