[sf-lug] how to whack crackers

jim jim at well.com
Mon Jan 5 16:07:20 PST 2009



   i've taken "joe account" to mean accounts with 
easy-to-guess user names, regardless of password, 
for given a valid user name, one (who's so inclined) 
can run some barrage of passwords and maybe get 
lucky. not the real definition, perhaps misguided, 
all comments are welcome. 


> I therefore 
> concentrate my effort on making sure attacks cannot 
> _succeed_, instead of trying to surround my machine 
> with a magic moat.

aha! truly enlightening, and a bright light at that. 




On Mon, 2009-01-05 at 15:38 -0800, Rick Moen wrote:
> Quoting Asheesh Laroia (asheesh at asheesh.org):
> 
> > I was going to make suggestions, but then I thought:
> > Rick will say everything I will.
> > 
> > So I waited, and now Rick has again impressed me with the sanity and 
> > referencing of his analysis. Cheers!
> 
> Well, thank you indeed!
> 
> One point of clarification, to my earlier post:  The term "joe account",
> if you look it up, is defined as "account with the password set the same
> as the username".  One gathers that there might have been some eponymous
> Joseph with username "joe" who found password "joe" easiest to remember.
> 
> However, what I really meant was an extension of that concept:  I meant
> "account with easily guessable password", not just password literally
> the same as username.  The scripts that roam the Internet attempting
> to brute-force anything that looks like an sshd work based on lists of
> plausible, common passwords to attempt with a related list of plausible,
> common usernames.
> 
> > The way I'd phrase one point is: Your time spent fiddling with iptables 
> > here is probably time wasted, as per his hotel break-in analogy.
> 
> Right.  
> 
> The only thing I try to do on my own iptables setup is "bogon filtering"
> -- rejecting packets with not-valid IPs for the side of the network they
> arrive on.  I try not to rely on hostaccess (/etc/hosts.allow,
> /etc/hosts.deny) blocking, either.
> 
> Why?  Because, if a process is vulnerable to attack, it's smarter to
> either not run it at all or not expose it to _any_ network.  I therefore
> concentrate my effort on making sure attacks cannot _succeed_, instead
> of trying to surround my machine with a magic moat.
> 
> The only exception is that leafnode, which I run for locally defined
> NNTP newsgroups, has no capability for access control, which means by
> itself it would be vulnerable to "comment spam" via remote NNTP.  So, 
> I use /etc/hosts.allow to permit NNTP connections _only_ from IP
> addresses of people (like Daniel Gimpelevich) who've requested it, and
> have this stuff in /etc/hosts.deny to block all others:
> 
> leafnode: ALL
> news: ALL
> nntp: ALL
> 
> (Only one of those is needed, but I was too lazy to figure out which
> one.)
> 
> 
> _______________________________________________
> sf-lug mailing list
> sf-lug at linuxmafia.com
> http://linuxmafia.com/mailman/listinfo/sf-lug
> 
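Rick describes the roaming scripts as working from a list of plausible usernames crossed with a list of common passwords, and jim reads "joe account" as an account whose user name is itself easy to guess. Both show up the same way in sshd's syslog output: many "Failed password" lines from one source, spread over several user names, a good share of them for accounts that do not exist ("invalid user"). The script below is an added example, not code from the thread or from any of the participants; it parses a few constructed sshd lines (addresses from the RFC 5737 documentation ranges) and separates a list run from an ordinary user mistyping a password. The log format is the stock OpenSSH syslog wording; the thresholds are assumptions to tune locally.

```python
import re
from collections import defaultdict

# Constructed sample of sshd syslog lines, not taken from the thread.
# 203.0.113.7 walks through a username list; 198.51.100.5 is a real user
# who fumbled a password once and then logged in with a key.
SAMPLE_AUTH_LOG = """\
Jan  5 15:38:01 gw sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 44211 ssh2
Jan  5 15:38:03 gw sshd[1234]: Failed password for root from 203.0.113.7 port 44212 ssh2
Jan  5 15:38:05 gw sshd[1235]: Failed password for invalid user oracle from 203.0.113.7 port 44213 ssh2
Jan  5 15:38:07 gw sshd[1236]: Failed password for invalid user test from 203.0.113.7 port 44214 ssh2
Jan  5 15:39:10 gw sshd[1240]: Accepted publickey for jim from 198.51.100.5 port 50000 ssh2
Jan  5 15:40:00 gw sshd[1241]: Failed password for jim from 198.51.100.5 port 50001 ssh2
Jan  5 15:40:01 gw CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Stock OpenSSH wording for a rejected password; "invalid user " is present
# only when the requested account does not exist on the host.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def summarize_failures(lines):
    """Group failed password attempts by source address.

    Returns {ip: {"attempts": int, "users": set, "invalid_users": set}}.
    """
    summary = defaultdict(
        lambda: {"attempts": 0, "users": set(), "invalid_users": set()}
    )
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins, cron noise, etc.
        entry = summary[m["ip"]]
        entry["attempts"] += 1
        entry["users"].add(m["user"])
        if m["invalid"]:
            entry["invalid_users"].add(m["user"])
    return dict(summary)


def flag_guessers(summary, min_attempts=3, min_users=2):
    """Sources that look like a username/password list run.

    A single user mistyping a password fails against one account; a list run
    fails against several, usually including accounts that do not exist.
    Thresholds are assumptions, not values from the thread.
    """
    return sorted(
        ip
        for ip, e in summary.items()
        if e["attempts"] >= min_attempts and len(e["users"]) >= min_users
    )


if __name__ == "__main__":
    report = summarize_failures(SAMPLE_AUTH_LOG.splitlines())
    for ip in flag_guessers(report):
        e = report[ip]
        print(
            f"{ip}: {e['attempts']} failures across {len(e['users'])} user names,"
            f" {len(e['invalid_users'])} of them for nonexistent accounts"
        )
```

Run it against a real auth.log with `summarize_failures(open("/var/log/auth.log"))`; the "invalid_users" set is the part worth reading, because it lists the names the script carried in, not the names that exist on the box.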

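Rick's leafnode setup relies on TCP wrappers ordering: hosts.allow is consulted first and a match permits the connection, hosts.deny is consulted second and a match refuses it, and a client matching neither file is let through. libwrap matches the daemon field of each rule against the server process name, so of the three hosts.deny lines only the one naming the process that actually serves NNTP does anything (with leafnode started from inetd that is normally "leafnode"). The evaluator below is an added example, not code from the thread and not the real libwrap; it implements the ALL, EXCEPT, exact-address, trailing-dot prefix and address/mask client forms from hosts_access(5) so a reader can check a pair of files before trusting them. The allow-list address 198.51.100.5 is a placeholder for a requester's IP, and the config text is constructed after Rick's description.

```python
import ipaddress

# Constructed after the setup described in the thread; 198.51.100.5 stands in
# for the address of someone who asked for NNTP access.
HOSTS_ALLOW = """\
# permit NNTP only from people who asked for it
leafnode: 198.51.100.5
"""

HOSTS_DENY = """\
leafnode: ALL
news: ALL
nntp: ALL
"""


def _parse_rules(text):
    """Yield (daemon_list, client_list, original_line) for each rule."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue  # malformed line: real libwrap logs and skips these too
        rules.append((fields[0].split(), fields[1].split(), line))
    return rules


def _daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def _client_matches(pattern, ip):
    addr = ipaddress.ip_address(ip)
    if pattern == "ALL":
        return True
    if pattern.endswith("."):            # network prefix, e.g. "192.168."
        return ip.startswith(pattern)
    if "/" in pattern:                   # n.n.n.n/m.m.m.m or n.n.n.n/bits
        return addr in ipaddress.ip_network(pattern, strict=False)
    return ip == pattern                 # plain address


def _list_matches(items, value, match_fn):
    """Match a daemon or client list, honouring a single EXCEPT clause."""
    if "EXCEPT" in items:
        i = items.index("EXCEPT")
        return _list_matches(items[:i], value, match_fn) and not _list_matches(
            items[i + 1:], value, match_fn
        )
    return any(match_fn(p, value) for p in items)


def _rule_matches(rule, daemon, client_ip):
    daemons, clients, _ = rule
    return _list_matches(daemons, daemon, _daemon_matches) and _list_matches(
        clients, client_ip, _client_matches
    )


def hosts_access(daemon, client_ip, allow_text, deny_text):
    """True if the connection is permitted under TCP wrappers ordering."""
    for rule in _parse_rules(allow_text):
        if _rule_matches(rule, daemon, client_ip):
            return True           # first hosts.allow match wins
    for rule in _parse_rules(deny_text):
        if _rule_matches(rule, daemon, client_ip):
            return False          # first hosts.deny match refuses
    return True                   # listed nowhere: permitted


def matching_deny_lines(daemon, deny_text, client_ip="203.0.113.7"):
    """Which hosts.deny lines actually apply to this daemon name."""
    return [
        line
        for daemons, clients, line in _parse_rules(deny_text)
        if _rule_matches((daemons, clients, line), daemon, client_ip)
    ]


if __name__ == "__main__":
    for ip in ("198.51.100.5", "203.0.113.7"):
        print(ip, "->", "allow" if hosts_access("leafnode", ip, HOSTS_ALLOW, HOSTS_DENY) else "deny")
    print("deny lines that matter for leafnode:", matching_deny_lines("leafnode", HOSTS_DENY))
```

`matching_deny_lines` answers the "which one is needed" question for a given process name; the other two entries are harmless but inert unless some daemon really runs under the name "news" or "nntp". Note that sshd is untouched by these files, which is the point of the setup: the wrapper rules exist only for the one service with no access control of its own.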
