On Mon, Nov 21, 2005 at 09:50:54AM -0500, Charles C. Bennett, Jr. wrote:
> I closed 22 at my firewall, opened a higher port, reconfigured sshd
> and haven't heard a peep out of them ever since.

Just remember, the machine I described being broken into was running sshd on a non-standard port, and it was still rooted. Install crucial security fixes. Keep those passwords plenty gnarly.

> Next time I do I'll be switching to a 'knock and enter' scheme: ping
> this port, ping that one and my ssh port magically appears on the
> third.

Appealing, particularly if you roll it yourself and so it has some real security.

On password choices:

When I need a login password (one for which attempts will be throttled; encryption passwords must be much better), I do the following. I take 32 bits from /dev/random and I feed them into a program called mnencode (http://www.tothink.com/mnemonic/). It will spit out English language words. Feed it 32 bits and you will get results like:

    iris-farmer-benny
    or
    person-london-multi
    or
    jumbo-joker-basil

Easy to remember, yet they have 32 bits of entropy. (Really. mndecode will turn the words back into the original bits, so the three words are equivalent to those bits, and as difficult to guess as 32 bits.)

Note, if your foe has access to your shadow file and can brute force it, 32 bits of entropy isn't enough, but if there is a gatekeeper that regulates the speed at which attempts are made (sshd), 32 bits is then a lot.

Be careful with passwords which look gnarly but for which you can't analyze their entropy content. They might not be as good as you think.

-kb
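The bits-to-words trick above rests on one property: the word list is a bijection, so the words are worth exactly the bits that went in, no more and no less. The following is an added example, not mnencode's code or its dictionary, that shows the mechanism in Python: a constructed 2048-entry stand-in word list (11 bits per word, so three words hold 33 bits rather than mnencode's 32), the base-N encode/decode round trip, and the throttled-versus-offline guessing arithmetic the post describes. The guess rates in the demo (10/s against a rate-limiting sshd, 1e9/s for an offline crack of a shadow hash) are assumptions chosen for illustration; random bits come from Python's `secrets` module rather than reading /dev/random directly.

```python
import math
import secrets


def build_wordlist():
    """Constructed stand-in for mnencode's dictionary (NOT the real list):
    2048 pronounceable two-syllable strings, so each word carries exactly
    11 bits (log2(2048)) and three words carry 33 bits."""
    consonants = "bdfgklmnprstvz"
    vowels = "aeiou"
    syllables = [c + v for c in consonants for v in vowels]      # 70 distinct
    words = sorted({a + b for a in syllables for b in syllables})  # 4900 distinct
    return words[:2048]


def entropy_bits(nwords, wordlist_size):
    """Entropy of nwords words drawn uniformly from a list of that size."""
    return nwords * math.log2(wordlist_size)


def encode(value, wordlist, nwords):
    """Write the integer `value` in base len(wordlist), least significant
    word first. This is the bijection that makes the words worth exactly
    as many bits as the integer they came from."""
    base = len(wordlist)
    words = []
    for _ in range(nwords):
        value, index = divmod(value, base)
        words.append(wordlist[index])
    if value:
        raise ValueError("value does not fit in %d words" % nwords)
    return words


def decode(words, wordlist):
    """Inverse of encode: turn the words back into the original integer
    (what mndecode does for mnencode output)."""
    position = {w: i for i, w in enumerate(wordlist)}
    base = len(wordlist)
    value = 0
    for word in reversed(words):
        value = value * base + position[word]
    return value


def new_passphrase(nbits, wordlist):
    """Draw nbits from the OS CSPRNG and return (words, value).
    The passphrase has exactly nbits of entropy: the words are just a
    re-spelling of the integer, not an independent choice."""
    bits_per_word = math.log2(len(wordlist))
    nwords = math.ceil(nbits / bits_per_word)
    value = secrets.randbits(nbits)
    return encode(value, wordlist, nwords), value


def expected_guess_seconds(bits, guesses_per_second):
    """Expected time to hit a uniformly random `bits`-bit secret at a
    given guess rate: on average half the keyspace must be tried."""
    return (2 ** (bits - 1)) / guesses_per_second


if __name__ == "__main__":
    wl = build_wordlist()
    words, value = new_passphrase(32, wl)
    assert decode(words, wl) == value          # round trip, as with mndecode
    print("-".join(words), "<->", hex(value), "(32 bits drawn)")
    # Assumed rates for illustration: a gatekeeper sshd that lets through a
    # handful of guesses per second versus an offline cracker holding the
    # shadow hash.
    for label, rate in (("throttled by sshd", 10.0), ("offline hash crack", 1e9)):
        secs = expected_guess_seconds(32, rate)
        print("%-20s %.3g seconds (%.3g years)" % (label, secs, secs / 31557600))
```

Running it prints a three-word phrase alongside the integer it encodes; the last two lines show why the post draws the line where it does: at ten guesses a second, 32 bits is decades of work, while an offline attacker at a billion guesses a second is through the same space in a couple of seconds. The same functions work unchanged with a real dictionary such as mnencode's, since nothing above depends on the contents of the list beyond its entries being unique.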