On Fri, Mar 14, 2014 at 4:30 AM, Scott Ferguson <scott.ferguson.debian.u...@gmail.com> wrote:
> On 14/03/14 15:51, shawn wilson wrote:
>> On Mar 14, 2014 12:13 AM, "Brad Alexander" <stor...@gmail.com> wrote:
>>>>> Due to this experience I would like to know what the best way to
>>>>> limit such problems is, especially when hosting web servers for users
>>>>> who may or may not have installed insecure applications on the web server.
> None of those methods are dependent on password access.

The initial attack isn't. Post exploit is. Again, I'd think there are legal issues with auditing your clients' software, making all of this moot (besides my recommendation for a layer 7 firewall).

> Password security for the server (as distinct from user web
> applications) *should* be part of any webserver security. Debian
> provides dsniff and john the ripper which are used in industry best
> practice password auditing.
> By default Debian implements md5 and shadow which are the 'basis' of
> best practice password security (auditing and other practices add to
> those things).

For most use cases, see hashcat - not jtr. Also default hash on debian is ssha per the $6$ in shadow - not md5. See: http://en.wikipedia.org/wiki/Crypt_%28C%29

It should also be noted - don't use md5 - ever. If you're dealing with web apps, use bcrypt or scrypt.

Archive: https://lists.debian.org/CAH_OBiem65D-_gMJFsztCCGVqz+WcoDE8TptMzS==cyizp7...@mail.gmail.com
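As an added illustration of the point about the `$6$` prefix and MD5-based hashes, not code from anyone in the thread: a small audit script that classifies the password field of each shadow(5) entry by its crypt(3) scheme identifier (the identifiers are those documented on the Wikipedia page linked above, with `$6$` denoting SHA-512 crypt and `$1$` MD5 crypt) and flags entries still using MD5 crypt or the legacy 13-character DES hash. The shadow lines it reads are constructed samples with placeholder hash bodies.

```python
import re

# crypt(3) scheme identifiers, as listed on the Crypt_(C) Wikipedia page linked above.
SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt"}
# Schemes a password audit should flag: MD5-based crypt and the 13-character DES hash.
WEAK = {"md5crypt", "descrypt"}

def classify_hash(field):
    """Return (scheme, rounds) for the password field of one shadow(5) line."""
    if field == "":
        return "nopassword", None          # empty field: login without a password
    if field.startswith(("!", "*")):
        return "locked", None              # account locked or password login disabled
    m = re.match(r"^\$([^$]+)\$(?:rounds=(\d+)\$)?", field)
    if m:
        scheme = SCHEMES.get(m.group(1), "unknown:" + m.group(1))
        return scheme, (int(m.group(2)) if m.group(2) else None)
    # Legacy DES crypt: 13 characters from the crypt alphabet, no '$' prefix.
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "descrypt", None
    return "unknown", None

def audit_shadow(text):
    """Return (user, scheme, rounds, weak) for each entry in shadow-file text."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        scheme, rounds = classify_hash(fields[1])
        out.append((fields[0], scheme, rounds, scheme in WEAK))
    return out

def weak_accounts(text):
    """Usernames whose stored hash uses a scheme the audit flags as weak."""
    return [u for u, scheme, _, weak in audit_shadow(text) if weak]

# Constructed sample shadow lines; the hash bodies are placeholders, not real digests.
SAMPLE_SHADOW = """\
root:$6$rounds=65536$saltsalt$AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:16143:0:99999:7:::
www-data:*:16143:0:99999:7:::
legacy:$1$saltsalt$AAAAAAAAAAAAAAAAAAAAAA:16143:0:99999:7:::
olduser:abAAAAAAAAAAA:16143:0:99999:7:::
alice:$y$j9T$saltsaltsaltsalt$AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:16143:0:99999:7:::
bob:!$6$saltsalt$AAAA:16143:0:99999:7:::
"""
```

Running `weak_accounts(SAMPLE_SHADOW)` on the sample returns the two accounts (`legacy`, `olduser`) whose hashes should be regenerated under a current scheme at next password change.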