[Beowulf] Re: "hobbyists"

Joe Landman landman at scalableinformatics.com
Fri Jun 20 06:28:40 PDT 2008


Robert G. Brown wrote:
> On Fri, 20 Jun 2008, Perry E. Metzger wrote:
> 
>>
>> "Robert G. Brown" <rgb at phy.duke.edu> writes:
>>> On Fri, 20 Jun 2008, Chris Samuel wrote:
>>>> ----- "Joe Landman" <landman at scalableinformatics.com> wrote:
>>>>
>>>>> People spend lots of time and effort on security theater.  Make up odd
>>>>> rules for passwords.  Make them hard to guess and crack.  Well, is
>>>>> that the vector for break-ins?  Weak passwords?
>>>>
>>>> Yeah - sadly.. :-(
>>>
>>> Do you have any recent contemporary evidence for that?
>>
>> Yes. Run a box with sshd on it connected to the internet and watch your
>> logs for a few days. You will find numerous attempts to try thousands
>> of possible account names and passwords -- brute force cracking.
> 
> Well, yeah, sure, I know about that as I DO watch my logs -- I just
> haven't heard of one of these attacks SUCCEEDING in pretty much forever,
> for obvious reasons.

Run pam_abl on your machine, and you can pretty much guarantee that the 
brute force attacks will not work, even if they miraculously guess the 
right password.  This presumes more than some small number of previous 
login failures.

[...]

>> Here is an extract from the log on a real machine, one of mine, from
>> last night:
>>
>> Jun 19 20:56:53 smaug sshd[2577]: Invalid user secretariat from 70.90.14.154
>> Jun 19 20:56:54 smaug sshd[2522]: Invalid user secretar from 70.90.14.154
>> Jun 19 20:56:55 smaug sshd[23949]: Invalid user present from 70.90.14.154
>> Jun 19 20:56:56 smaug sshd[3440]: Invalid user test from 70.90.14.154
>> Jun 19 20:56:57 smaug sshd[8809]: Invalid user test from 70.90.14.154
>> Jun 19 20:56:58 smaug sshd[21600]: Invalid user teste from 70.90.14.154
>> Jun 19 20:56:59 smaug sshd[314]: Invalid user teste from 70.90.14.154
> 
> Sure, it goes on and on.  I don't really LIKE seeing this, especially on
> a server with sensitive information, but that is precisely why one
> configures such servers with tight controls and runs a password checker.

Use pam_abl.  Really.  Even if the password were weak, and they guessed 
it on the 57th try, pam_abl will stop the login.  Read the manual. 
Adjust the config settings.

Our ssh logs are scary, have been for a while.  They aren't the scariest 
of our logs.

Even paranoids have enemies.


-- 
Joseph Landman, Ph.D
Founder and CEO
Scalable Informatics LLC,
email: landman at scalableinformatics.com
web  : http://www.scalableinformatics.com
        http://jackrabbit.scalableinformatics.com
phone: +1 734 786 8423
fax  : +1 866 888 3112
cell : +1 734 612 4615
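
Added example, not part of the original message and not pam_abl's own code: a simplified model of a per-host "N failures within a window" blacklist, replayed over sshd log lines in the format quoted above, to show which later correct-password logins such a rule would have refused. The limit of 5 per hour, the function name `replay`, the host name and the addresses (documentation ranges) are assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; the host name and addresses are not from the thread.
SAMPLE_LOG = """\
Jun 19 20:56:53 examplehost sshd[2577]: Invalid user secretariat from 192.0.2.10
Jun 19 20:56:54 examplehost sshd[2522]: Invalid user secretar from 192.0.2.10
Jun 19 20:56:55 examplehost sshd[23949]: Invalid user present from 192.0.2.10
Jun 19 20:56:56 examplehost sshd[3440]: Invalid user test from 192.0.2.10
Jun 19 20:56:57 examplehost sshd[8809]: Failed password for alice from 192.0.2.10 port 4242 ssh2
Jun 19 20:57:30 examplehost sshd[8810]: Accepted password for alice from 192.0.2.10 port 4243 ssh2
Jun 19 21:10:00 examplehost sshd[9001]: Failed password for bob from 198.51.100.7 port 5151 ssh2
Jun 19 21:10:20 examplehost sshd[9002]: Accepted password for bob from 198.51.100.7 port 5152 ssh2
"""

# "Failed password for invalid user ..." is skipped on purpose: sshd already
# logged "Invalid user ..." for that attempt, so counting both would double it.
EVENT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<kind>Invalid user|Failed password for(?! invalid user)|Accepted password for)"
    r" \S+ from (?P<host>\S+)")

def replay(log_text, limit=5, window=timedelta(hours=1), year=2008):
    """Return (tripped, refused): host -> time the limit was first reached, and
    accepted logins that arrived while the host was at or over the limit."""
    failures = defaultdict(deque)      # host -> failure times still inside the window
    tripped, refused = {}, []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies one (assumption)
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        host, q = m["host"], failures[m["host"]]
        while q and when - q[0] > window:   # forget failures older than the window
            q.popleft()
        if m["kind"].startswith("Accepted"):
            if len(q) >= limit:             # right password, but the host is blacklisted
                refused.append((host, when))
            continue
        q.append(when)
        if len(q) >= limit:
            tripped.setdefault(host, when)
    return tripped, refused

if __name__ == "__main__":
    print(replay(SAMPLE_LOG))
```

In the sample, the login from 192.0.2.10 with a correct password is refused because five failures from that host precede it inside the hour, while the single mistyped password from 198.51.100.7 does not lock that host out.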
