On Sat, Jun 18, 2016 at 01:01:32AM -0400, Bill Ricker wrote:
> But that still leaves me with executing the 2^32 dictionary attack.
>
> Which is likely only interesting if I've stolen all your users' hashes
> already and you have poor salts and hashes so I can rainbow table to find
> multiple users at once. Doing 2^32 trials coming in the front door of a
> server is likely to get noticed as a DoS, aside from taking literally
> forever.
This works pretty well *if*:

- you really do rate-limit incoming connections. If you didn't do that right, the rate-limit becomes your total bandwidth during the period of time that you don't notice the attack. Do you have suitable monitors set up? Can they alert you? Do you pay attention to such alerts?

- you rate-limit other authenticated services, too. Got a mail server running? Your POP3 or IMAP4 needs to be rate-limited or do authentication completely separately from the system method.

- you don't run any non-authenticated services that might have a flaw that allows an attacker to read /etc/shadow. (Everyone uses shadow passwords these days, right? No legacy systems without it?) Most web servers are good about this, but then they let all sorts of things run via CGI, php-fpm, mod_perl, whatever. All of those are attackable areas.

- all your users are as good and conscientious as you are. This is easiest if they don't exist. AllowUsers, one by one, is a good move, too.

-dsr-

_______________________________________________
Discuss mailing list
[email protected]
http://lists.blu.org/mailman/listinfo/discuss
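The "do you have suitable monitors" point above is the one most often skipped. As an added example (not from the thread or either poster), here is a small detector that walks sshd "Failed password" lines and flags any source that exceeds a threshold of failures inside a sliding window; the log lines, the year (syslog timestamps carry none), the threshold and the window are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd lines in syslog format (not taken from the thread).
SAMPLE_LOG = """\
Jun 18 01:02:01 host sshd[4100]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Jun 18 01:02:02 host sshd[4101]: Failed password for root from 203.0.113.7 port 51001 ssh2
Jun 18 01:02:03 host sshd[4102]: Failed password for invalid user test from 203.0.113.7 port 51002 ssh2
Jun 18 01:02:04 host sshd[4103]: Failed password for invalid user oracle from 203.0.113.7 port 51003 ssh2
Jun 18 01:02:05 host sshd[4104]: Failed password for root from 203.0.113.7 port 51004 ssh2
Jun 18 01:02:30 host sshd[4110]: Failed password for dsr from 198.51.100.9 port 40000 ssh2
Jun 18 01:02:40 host sshd[4111]: Accepted publickey for dsr from 198.51.100.9 port 40001 ssh2
Jun 18 01:09:00 host sshd[4120]: Failed password for invalid user guest from 203.0.113.7 port 51005 ssh2
"""

# Matches only authentication failures; accepted logins are deliberately ignored.
FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def parse_ts(ts, year=2016):
    """Syslog timestamps have no year; 2016 is an assumed default."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def brute_force_sources(log, threshold=5, window_s=60):
    """Return {ip: peak failures seen inside any window_s-second window}
    for every source that reached `threshold` failures in such a window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    peaks = {}
    for line in log.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        ip, t = m["ip"], parse_ts(m["ts"])
        q = recent[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > window_s:
            q.popleft()           # expire failures older than the window
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

if __name__ == "__main__":
    for ip, n in brute_force_sources(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {n} failed logins within 60s")
```

Feeding this the output of `journalctl -u sshd` or `/var/log/auth.log` and wiring the result into whatever pages you is the part that makes the rate limit worth having.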
