Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive



[Discuss] ssh keys question



On Sat, Jun 18, 2016 at 01:01:32AM -0400, Bill Ricker wrote:
> But that still leaves me with executing the 2^32 dictionary attack.
> 
> Which is likely only interesting if I've stolen all your users' hashes
> already and you have poor salts and hashes so I can rainbow table to find
> multiple users at once. Doing 2^32 trials coming in the front door of a
> server is likely to get noticed as a DOS, aside from taking literally
> forever.

This works pretty well *if*:

- you really do rate-limit incoming connections. If you didn't
  do that right, the rate-limit becomes your total bandwidth during
  the period of time that you don't notice the attack. Do you have
  suitable monitors set up? Can they alert you? Do you pay attention to
  such alerts?

- you rate-limit other authenticated services, too. Got a mail
  server running? Your POP3 or IMAP4 needs to be rate-limited or do
  authentication completely separately from the system method.

- you don't run any nonauthenticated services that might have a flaw that
  allows an attacker to read /etc/shadow. (Everyone uses shadow passwords
  these days, right? No legacy systems without it?)  Most web servers
  are good about this, but then they let all sorts of things run via CGI,
  php-fpm, mod_perl, whatever. All of those are attackable areas.

- all your users are as good and conscientious as you are. This
  is easiest if they don't exist. AllowUsers, one by one, is a
  good move, too.

-dsr-
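
The monitoring questions in the message above, sketched as an added example (not part of the original post): a sliding-window counter that flags a source address whose failed logins, summed across sshd and the mail server, exceed a limit. It assumes syslog-format sshd and Dovecot lines; the sample log lines are constructed, and the `limit` and `window` values are hypothetical.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Failure patterns for two password-authenticated services (assumed: OpenSSH sshd, Dovecot).
PATTERNS = [
    re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"),
    re.compile(r"dovecot: (?:imap|pop3)-login: .*auth failed.*rip=(?P<ip>[^,\s]+)"),
]
STAMP = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) ")

def find_guessers(lines, limit=5, window=timedelta(seconds=60), year=2016):
    """Return {ip: peak failures in any window} for sources that exceed limit."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = {}
    for line in lines:
        stamp = STAMP.match(line)
        hit = next((h for p in PATTERNS if (h := p.search(line))), None)
        if not stamp or not hit:
            continue              # not a failed login on a watched service
        # Classic syslog timestamps carry no year, so one is supplied.
        when = datetime.strptime(f"{year} {stamp.group(1)}", "%Y %b %d %H:%M:%S")
        ip = hit.group("ip")
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:
            q.popleft()           # drop failures that aged out of the window
        if len(q) > limit:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

# Constructed sample: one source spreads its guesses over SSH, IMAP and POP3.
SAMPLE = [
    "Jun 18 01:01:01 mx sshd[811]: Failed password for root from 203.0.113.5 port 40001 ssh2",
    "Jun 18 01:01:05 mx sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2",
    "Jun 18 01:01:09 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS",
    "Jun 18 01:01:12 mx dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10",
    "Jun 18 01:01:20 mx sshd[812]: Failed password for root from 203.0.113.5 port 40003 ssh2",
    "Jun 18 01:01:30 mx sshd[812]: Failed password for root from 198.51.100.7 port 51000 ssh2",
    "Jun 18 01:01:31 mx sshd[813]: Accepted publickey for alice from 192.0.2.44 port 50022 ssh2",
]

if __name__ == "__main__":
    print(find_guessers(SAMPLE, limit=3))
```

With `limit=3` the combined count flags 203.0.113.5, while the same source stays under the limit if only the sshd lines are counted, which is the reason to watch the mail services as well.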





BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org