[sf-lug] how to whack crackers
jim at well.com
Mon Jan 5 16:07:20 PST 2009
i've taken "joe account" to mean accounts with
easy-to-guess user names, regardless of password,
for given a valid user name, one (who's so inclined)
can run some barrage of passwords and maybe get
lucky). not the real definition, perhaps misguided,
all comments are welcome.
> I therefore
> concentrate my effort on making sure attacks cannot
> _succeed_, instead of trying to surround my machine
> with a magic moat.
aha! truly enlightening, and a bright light at that.
On Mon, 2009-01-05 at 15:38 -0800, Rick Moen wrote:
> Quoting Asheesh Laroia (asheesh at asheesh.org):
> > I was going to make suggestions, but then I thought:
> > Rick will say everything I will.
> > So I waited, and now Rick has again impressed me with the sanity and
> > referencing of his analysis. Cheers!
> Well, thank you indeed!
> One point of clarification, to my earlier post: The term "joe account",
> if you look it up, is defined as "account with the password set the same
> as the username". One gathers that there might have been some eponymous
> Joseph with username "joe" who found password "joe" easiest to remember.
> However, what I really meant was an extension of that concept: I meant
> "account with easily guessable password", not just password literally
> the same as username. The scripts that roam the Internet attempting
> to brute-force anything that looks like an sshd work based on lists of
> plausible, common passwords to attempt with a related list of plausible,
> common usernames.
> > The way I'd phrase one point is: Your time spent fiddling with iptables
> > here is probably time wasted, as per his hotel break-in analogy.
> The only think I try to do on my own iptables setup is "bogon filtering"
> -- rejecting packets with not-valid IPs for the side of the network they
> arrive on. I try not to rely on hostaccess (/etc/hosts.allow,
> /etc/hosts.deny) blocking, either.
> Why? Because, if a process is vulnerable to attack, it's smarter to
> either not run it at all or not expose it to _any_ network. I therefore
> concentrate my effort on making sure attacks cannot _succeed_, instead
> of trying to surround my machine with a magic moat.
> The only exception is that leafnode, which I run for locally defined
> NNTP newsgroups, has no capability for access control, which means by
> itself it would be vulnerable to "comment spam" via remote NNTP. So,
> I use /etc/hosts.allow to permit NNTP connections _only_ from IP
> addresses of people (like Daniel Gimpelevich) who've requested it, and
> have this stuff in /etc/hosts.deny to block all others:
> leafnode: ALL
> news: ALL
> nntp: ALL
> (Only one of those is needed, but I was too lazy to figure out which
> sf-lug mailing list
> sf-lug at linuxmafia.com
More information about the sf-lug