Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sloppy Linux Admins Enable Slow Brute-Force Attacks

Posted by kdawson on from the time-lapse-intrusion-monitering dept.

badger.foo passes on the report of Peter N. M. Hansteen that a third round of low-intensity, distributed brute-force attacks is now in progress — we earlier discussed the first and second rounds — and that sloppy admin practice on Linux systems is the main enabler. As before, the article links to log data (this time 770 apparently already compromised Linux hosts are involved), and further references. "The fact that your rig runs Linux does not mean you're home free. You need to keep paying attention. When your spam washer has been hijacked and tries to break into other people's systems, you urgently need to get your act together, right now."

10 of 391 comments (clear)

  1. Re:learn to.... by icydog · · Score: 4, Insightful

    How is salting relevant to over-the-network, slow brute force attacks that don't involve seeing the hashes?

  2. Re:Outward facing systems ... by quintus_horatius · · Score: 5, Insightful

    And perhaps set your SSH port to a non-standard port, where possible? Brute-force attackers seem to ignore high (> 1023) ports.

  3. Re:Outward facing systems ... by icydog · · Score: 5, Insightful

    I agree with your post if only one person needs access to the box (and i agree with PermitRootLogin no always). But while public key auth is great, it just isn't feasible for many applications. For example, imagine you're a cheap webhost that provides ssh, scp, sftp access to your users, Do you require them all to use public keys auth? 90% of them don't even know what that means. What a support headache.

    And public keys aren't always that secure either. There are probably still plenty of servers with weak keys from the Debian debacle. What do you do with those users if password authentication is disallowed? Just lock them out and make them call you for a key reset?

  4. overly paranoid by SuperBanana · · Score: 4, Insightful

    That system you have with SSH facing outwards - right now: PermitRootLogin no, PubkeyAuthentication yes, PasswordAuthentication no, Allowusers one-guy-only

    I'm sorry, but unless you have a laughably bad root password, this advice is unnecessary.

    Even at 1 connections a second, in an entire year, an attacker could only guess 525,960 combinations. 10 connections a second?(REALLY fast...) 5.2M/year.

    171,000 words in the English language, roughly. Pick two numbers, and now you're at 17 million combinations, and that's only assuming you put the numbers in one spot. Assuming they manage 10 connections a second, know the scheme you're using and hit it half-way (a HELL of a lot of assumptions in their favor) you're still looking at 1.6 years.

    Two english words and a number? 292 BILLION combinations.

    --
    Please help metamoderate.
    1. Re:overly paranoid by digitalchinky · · Score: 4, Insightful

      The parent is far from stupid as you put it - quite the opposite actually. You stick daemonshield or one of a hundred similar log monitors on your server and the job is done, you can even tweak them to watch for slow brute force attacks. What is actually laughable is the admin going to such extreme measures to secure some backwater server that requires umpteen minutes of dicking around whenever you move to a new remote machine just to log in. And then ignoring it because you think it is so damn impregnable.

      This fool littered highway, where is it exactly? I've been doing this crap near on 20 years now and I've never had root lost.

  5. A REALLY SLOW attack ... by Jerry · · Score: 5, Insightful

    This attack was first reported last November, eleven months ago, and again in April of this year, 180 days ago.

    IF the bad guys have been able to capture only 770 Linux boxes since April that is only slightly more than 4 boxes per day. At that rate it would take them 833 years to create a Linux bot farm equal in size to the 1.3 Million Windows bot farm recently reported. Out of the millions of Linux boxes in use 770 represents a vanishingly small threat.

    Using this "threat" as an excuse NOT to move from Windows to Linux, or to move from Linux back to Windows, would be similar to playing Russian roulette with a fully loaded revolver and hoping to survive.

    --

    Running with Linux for over 20 years!

  6. Re:Outward facing systems ... by Antique+Geekmeister · · Score: 4, Insightful

    And don't forget to keep it updated. And do not use FTP based on normal user passwords. And HTTP based on normal user passwords. And turn off rsh. And turn off telnet. And make sure people don't use the same passwords for your critical servers and their external bank accounts and web services. And rip Subversion and CVS out because of their continuing practice of storing your account passwords in plain-text. And make sure that your POP and IMAP servers are SSL protected, always. And make sure that your SMTPAUTH is done enctypred. And make sure that your boss does not send passwords to people via email.

    Etc., etc., etc. I'm sorry, but please don't pretend that strong passwords are enough to protect you from general attacks. And don't pretend that you can force users to pick good passwords.

  7. Re:A measely 6k attempts over 4 days? Who cares? by DeadPixels · · Score: 4, Insightful

    Because it involves Linux boxes, and nothing gets the /. crowd riled up more than an assertion that Linux suffers from drawbacks. :P

    You're right, though, in that good security practices should be just as effective in this case - which is why the title of the article is "Sloppy Linux Admins Enable Slow Bruteforce Attacks".

  8. my examples assume the attacker knows the scheme by SuperBanana · · Score: 4, Insightful

    The problem with 292 billion combinations or even just 17 million combinations is that your password will not be at the last point in the combination.

    My calculations on time involved the half-way mark, ie average time.

    However, you missed a more critical point: my examples assumed the the attacker knows exactly what combination you're using. Which he or she does not.

    Are your chosen words in English? Did you use punctuation? One number? Where is it? Did you substitute numbers for certain letters?

    They have NO IDEA. Scotch2!Foo. Simple, short, and completely bulletproof. I laugh at the idiots who sit there and pound away on complex root passwords. Sure, that can be done in production environments where you then set up an SSH host key so you can get in easily (and yes, root login is necessary sometimes- ever tried to scp an important system file? Pain in the fucking ass if you can't login as root.)

    Here's a simple test: run John overnight on your shadow file. If it can't guess your password, nobody's ever going to get in via ssh by guessing your root password. Ever. John tries passwords by the THOUSANDS per second...

    --
    Please help metamoderate.
  9. Re:Outward facing systems ... by cetialphav · · Score: 5, Insightful

    Port knocking is a good way to conceal that ssh is available.

    I guess it depends on what type of attacker you are trying to protect against. For attackers that are trolling around looking for easy targets, then things like this that add obscurity probably make sense. On the other hand, if I were in charge of a high value target, then I probably wouldn't bother. A high value target will have knowledgeable attackers who are very focused on exploiting you. In those cases, things like this are only mild inconveniences that will not make them give up. The port knocking sequence needed to open up ssh is not exactly a secret. It gets exposed in the clear to the network on every ssh connection. For high value targets, I would actually want the system as simple as possible to reduce the possiblity that a bug in one of the obscurity features actually becomes the attack vector.

    Using port knocking is like locking my car door. It makes it harder for lazy, stupid thieves to get into my car, but it does absolutely nothing for someone who really, really wants to steal my car because a good thief can bypass it in a trivial amount of time.