LINUX.IE, website of the Irish Linux Users' Group
Tux rules!

   
Home
New Users
Articles
Download
Projects
Community
Vendors

  Print Version
Email to...
 
Archives:


planetILUG

Recent News

News Archive


Join the
ILUG
on FaceBook


Join the
ILUG
on LinkedIn


Join the
ILUG SETI
Group



















 
 :: Mailing Lists

[ILUG] Security (Telnet vulnerability & Password cracking)

[ILUG] Security (Telnet vulnerability & Password cracking)

Paul Jakma paulj at itg.ie
Thu May 10 17:55:45 IST 2001 

On Thu, 10 May 2001, ajh wrote:

> value can be found. But brute force attacks like this are pretty
> expensive even when using the standard UNIX crypt() function.

not really... i used to run a password cracker in uni and it would
turn up accounts usually within 5 minutes.. that was on an SGI Indy
with something like a 100MHz R4k CPU. Pentium 133 found them even
quicker.

weak passwords will be cracked with no effort. the more users -> the
more weak passwords.

and crackers are very sophisticated. if i left it running long enough,
it'd start finding what people might think are tough passwords, eg:
3my5urAme.

> A lot of distros are also using other encryption methods like md5
> which is even more processor expensive to brute force.

they're not expensive to brute force. they're still vulnerable to
dictionary attacks.

> Having a policy/procedure of regular password changes will solve
> this.

no.. people will just rotate through a set of weak passwords. but they
can be useful to make sure dormant accounts can not be accessed.

Solution is check new passwords against a dictionary of words / words
with numerical substitions, as RH has done by default for a while.
(through pam_pwdb i think).

> > Presumably this doesn't matter if I use ssh?...
>
> Someone could in theory brute force logins using every possible
> combination, but there are always easier ways, especially in a college
> network of getting elevated access.

running a crack programme is something any fool can do... root
exploits generally take a bit more research at least.

i had access to the uni machines for many a month after i left, simply
because of crack - using the accounts it found. had i been in any way
clueful i would never have been found...

there's a hell of lot of clueless folks out there. and by regularly
running crack against your password file / NIS passwd.byname map you
can guard against at least a great number of these people.

If you're worried about people who do have a clue, then you should
keep your systems up to date.

- have a password changer that checks against a dictionary
- run crack regularly
- banish NIS if at all possible (eg use SSL LDAP)
- keep ahead of security bug fixes

--paulj

More information about the ILUG mailing list
Read this without the formatting.
                                                                                                    

  

Hosted by HEAnet


 Maintained by the ILUG website team. The aim of Linux.ie is to support and help commercial and private users of Linux in Ireland. You can display ILUG news in your own webpages, read backend information to find out how. Networking services kindly provided by HEAnet, server kindly donated by Dell. Linux is a trademark of Linus Torvalds, used with permission. No penguins were harmed in the production or maintenance of this highly praised website. Looking for the Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
RSS Version
Powered by Dell