From: Paul Jakma (paulj at domain itg.ie)
Date: Thu 10 May 2001 - 17:55:45 IST
On Thu, 10 May 2001, ajh wrote:
> value can be found. But brute force attacks like this are pretty
> expensive even when using the standard UNIX crypt() function.
not really... i used to run a password cracker in uni and it would
turn up accounts usually within 5 minutes.. that was on an SGI Indy
with something like a 100MHz R4k CPU. Pentium 133 found them even
quicker.
weak passwords will be cracked with no effort. the more users -> the
more weak passwords.
and crackers are very sophisticated. if i left it running long enough,
it'd start finding what people might think are tough passwords, eg:
3my5urAme.
> A lot of distros are also using other encryption methods like md5
> which is even more processor expensive to brute force.
they're not expensive to brute force. they're still vulnerable to
dictionary attacks.
> Having a policy/procedure of regular password changes will solve
> this.
no.. people will just rotate through a set of weak passwords. but they
can be useful to make sure dormant accounts can not be accessed.
Solution is check new passwords against a dictionary of words / words
with numerical substitutions, as RH has done by default for a while.
(through pam_pwdb i think).
> > Presumably this doesn't matter if I use ssh?...
>
> Someone could in theory brute force logins using every possible
> combination, but there are always easier ways, especially in a college
> network of getting elevated access.
running a crack programme is something any fool can do... root
exploits generally take a bit more research at least.
i had access to the uni machines for many a month after i left, simply
because of crack - using the accounts it found. had i been in any way
clueful i would never have been found...
there's a hell of a lot of clueless folks out there. and by regularly
running crack against your password file / NIS passwd.byname map you
can guard against at least a great number of these people.
If you're worried about people who do have a clue, then you should
keep your systems up to date.
- have a password changer that checks against a dictionary
- run crack regularly
- banish NIS if at all possible (eg use SSL LDAP)
- keep ahead of security bug fixes
--paulj
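A password-changer dictionary check of the kind the post recommends (reject a candidate that reduces to a dictionary word once digit-for-letter substitutions are undone, trailing digits stripped, or the word reversed), as an added Python example that is not part of the original thread. The substitution table, the word list and the sample passwords are all constructed for illustration; a real deployment would read the system word list instead.

```python
import itertools
import string

# Digit/symbol-for-letter swaps that cracking rule sets undo; '1' is read
# as either 'i' or 'l'. Table constructed for this example.
SUBSTITUTIONS = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s",
                 "7": "t", "8": "b", "@": "a", "$": "s", "!": "i"}
# Tiny constructed word list standing in for /usr/share/dict/words.
DICTIONARY = {"password", "secret", "letmein", "summer", "dublin", "trinity"}
NOISE = string.digits + string.punctuation   # stripped from both ends
MAX_AMBIGUOUS = 12                           # cap on substitution fan-out

def desubstitute(text):
    """All plain-letter readings of text, e.g. 'p4$$w0rd' -> 'password'."""
    options = [SUBSTITUTIONS.get(ch, ch) for ch in text]
    if sum(len(o) > 1 for o in options) > MAX_AMBIGUOUS:
        return {text}                        # pathological: literal only
    return {text} | {"".join(combo) for combo in itertools.product(*options)}

def readings(candidate):
    """Words a cracker's mangling rules recover from a password: lowercased,
    end digits/punctuation stripped before and after de-substitution, and
    each reading also reversed."""
    lowered = candidate.lower()
    for base in {lowered, lowered.strip(NOISE)}:
        for variant in desubstitute(base):
            core = variant.strip(NOISE)
            if core:
                yield core
                yield core[::-1]

def dictionary_hit(candidate):
    """Return the dictionary word the candidate is built from, or None."""
    for reading in readings(candidate):
        if reading in DICTIONARY:
            return reading
    return None

def check_new_password(candidate, min_length=8):
    """Password-changer policy: None if acceptable, else the reason."""
    if len(candidate) < min_length:
        return "too short"
    word = dictionary_hit(candidate)
    return None if word is None else "based on dictionary word '%s'" % word

if __name__ == "__main__":
    for pw in ["Summer99", "p4$$w0rd", "terces1!", "Dubl1n2001", "xK9#vQ2mLp"]:
        print(pw, "->", check_new_password(pw) or "ok")
```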
This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:10:16 GMT