On 01/-10/-28163 02:59 PM, Peter SJF Bance wrote:
> To be honest, this doesn't sound like a huge issue - if a single user/pass
> pair is being tried every 12 hours, the simplest defence will be to:
> 
> a) Not have guessable usernames;
> b) Not permit remote login as root; and
> c) Ensure passwords are not simple dictionary/hybrid words.
> 
> This way, even if c) is not true (i.e. users are a bit daft and use simple
> passwords), it will take an infeasible amount of time for a dictionary
> attack to succeed - one guess every 12 hours, multiplied by the number of
> attempts it might take to succeed, and you're probably into the order of
> millennia!
> 

        I think you miss the possibilities offered by the structure of the 
attack.

        Think of it as if all of the people in India have been told to try to hack
into Marconi's server.  What's more, they've all been told to try to get
into a single account: simon.  And lastly, all 1 billion people in India
have split up all the different ways to make an 8-character alphanumeric
password: 3.3 billion possibilities.  They each have their own IP in
this "thought" example.  That means that each person only has to try at
most 4 different passwords on their list of things to try; most have 3.
One of them will find it and report it back to the mothership.
        Heck, after they make their 4 tries on the simon account, they can try
the joe account with the same password list.
        Heck, they can probably "clean the slate", by using the simon password
they found as a group to keep their IP from getting banned before they
move on.

        Now, I admit that not all of India is going to do this, and that even 1
billion addresses is a large chunk of the IPv4 address space, but it's
intended to be a simplistic illustration....

        I think this is the realm of what Marconi's worried about.  And why the
SYNC feature in DenyHosts is very valuable.

        And even satisfying your "c" requirement, I see plenty of users typing
"1234qwer" as their password....


_______________________________________________
Denyhosts-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
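The following is an added example, not DenyHosts code and not part of the thread above. It parses sshd "Failed password" syslog lines, applies a DenyHosts-style per-source-IP failure threshold, and separately totals failures per target account, so the two views can be compared on the "everyone tries three passwords on simon" scenario from the message above. The log lines, the 10.0.0.0/8 source addresses, the host name "marconi" and the threshold value are constructed for the example (in a real deployment the DenyHosts DENY_THRESHOLD_* settings play that role).

```python
"""Per-source-IP lockout versus per-account counting for a distributed SSH guessing run.

Added example, not DenyHosts code. Log lines, addresses and thresholds are constructed.
"""
import re
from collections import Counter

# OpenSSH failed-login line as it appears via syslog (assumed shape), e.g.
# "Dec  1 02:59:01 marconi sshd[4242]: Failed password for simon from 10.0.0.1 port 51000 ssh2"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_failures(lines):
    """Return (user, ip, is_invalid_user) for every failed-password line; skip the rest."""
    events = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            events.append((m.group("user"), m.group("ip"), m.group("invalid") is not None))
    return events


def per_ip_bans(events, threshold):
    """Source IPs that a per-IP failure threshold (the DenyHosts model) would deny."""
    fails = Counter(ip for _user, ip, _invalid in events)
    return {ip for ip, n in fails.items() if n >= threshold}


def per_account_failures(events, threshold):
    """Accounts whose failures, summed over ALL source IPs, reach the threshold."""
    fails = Counter(user for user, _ip, _invalid in events)
    return {user: n for user, n in fails.items() if n >= threshold}


def constructed_log(n_sources, tries_per_source, user="simon"):
    """Constructed sshd log: n_sources distinct IPs each try a few passwords on one account."""
    lines = []
    for i in range(n_sources):
        # distinct 10.x.y.z address per source (unique for i < 65536)
        ip = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        for k in range(tries_per_source):
            sec = (i * tries_per_source + k) % 60
            lines.append(
                f"Dec  1 02:59:{sec:02d} marconi sshd[{1000 + i}]: "
                f"Failed password for {user} from {ip} port {40000 + k} ssh2"
            )
    # an unrelated successful login, to show the parser ignores non-failure lines
    lines.append("Dec  1 03:00:00 marconi sshd[1]: Accepted publickey for joe from 10.9.9.9 port 2 ssh2")
    return lines


def compare_views(n_sources, tries_per_source, deny_threshold=5, user="simon"):
    """Run both counting views over the same constructed log and report what each sees."""
    events = parse_failures(constructed_log(n_sources, tries_per_source, user))
    return {
        "failures": len(events),
        "ips_banned": len(per_ip_bans(events, deny_threshold)),
        "accounts_over_threshold": per_account_failures(events, deny_threshold),
    }


if __name__ == "__main__":
    # Distributed: 1000 sources, 3 guesses each. No single IP reaches the threshold,
    # so nothing is denied, yet the 'simon' account has absorbed 3000 guesses.
    print(compare_views(1000, 3))
    # Single source, 20 guesses: the per-IP rule fires, as it was designed to.
    print(compare_views(1, 20))
```

The per-IP view is blind to the distributed case by construction, and per-account counting is not a free fix either: the attacker can spread guesses across accounts just as easily, and a per-account lockout hands anyone a denial of service against legitimate users. Whatever the counting rule, the control that does not depend on the source address is making each guess worthless, which is what point c) in the quoted reply (and public-key authentication) is aiming at.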
