Slashdot Mirror


User: jsveiga

jsveiga's activity in the archive.

Stories: 0
Comments: 128

Comments · 128

  1. Re:Slowing down dictionary attacks on OpenSSH 4.2 released · Score: 5, Informative

    For your item "2", on Linux, you can use iptables "recent" module to limit the time between new connections from the same IP. That cut the dictionary attacks on my server on the first attempt:

    iptables -A INPUT -j ACCEPT -p tcp ! --syn -s 0/0 -d (outer ip/net)
    (you probably have this on your firewall already, allowing previously established connections)

    iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --update --seconds 15 -j DROP
    iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --set -j ACCEPT

    These two will only allow new connections from the same IP with 15s intervals between them. Add them to your iptables setup scripts (or replace them where you ACCEPT ssh, if that's the case).

    BR,

    Joao S Veiga
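As an added illustration (not part of the comment above or of any Slashdot code), the following Python models what the two `-m recent` rules do with a stream of new SSH connections, and contrasts the comment's `--update` with `--rcheck` to show why the rule order and the refresh behaviour matter. The addresses and timestamps are constructed sample data.

```python
"""Model of the two iptables `-m recent` rules from the comment above.

Rule order matters: `--update --seconds 15 -j DROP` is evaluated first and
refreshes the source's timestamp on every match, so a host that keeps retrying
inside the window stays blocked until it has been quiet for a full 15 s. Only a
source not seen in the window reaches `--set -j ACCEPT`, which records it.
"""
from dataclasses import dataclass, field

WINDOW_SECONDS = 15  # the comment's --seconds value


@dataclass
class RecentList:
    """Minimal stand-in for one xt_recent list: source IP -> last-seen time."""
    last_seen: dict = field(default_factory=dict)

    def check(self, ip, now, seconds, refresh):
        """--update (refresh=True) or --rcheck (refresh=False): match when the
        source was seen within `seconds`; --update also refreshes its stamp."""
        seen = self.last_seen.get(ip)
        if seen is None or now - seen > seconds:
            return False
        if refresh:
            self.last_seen[ip] = now
        return True

    def set(self, ip, now):
        """--set: record (or refresh) the source; always matches."""
        self.last_seen[ip] = now


def filter_new_ssh(events, window=WINDOW_SECONDS, refresh=True):
    """Run NEW-connection events (seconds, source_ip) through the rule pair and
    return (seconds, source_ip, verdict). refresh=True is the comment's
    --update rule; refresh=False shows what --rcheck would do instead."""
    recent, verdicts = RecentList(), []
    for now, ip in events:
        if recent.check(ip, now, window, refresh):  # rule 1: --update -j DROP
            verdicts.append((now, ip, "DROP"))
        else:
            recent.set(ip, now)                     # rule 2: --set -j ACCEPT
            verdicts.append((now, ip, "ACCEPT"))
    return verdicts


def accepted_from(verdicts, ip):
    """Timestamps at which `ip` was allowed to open a new SSH connection."""
    return [t for t, src, v in verdicts if src == ip and v == "ACCEPT"]


# Constructed sample: a password guesser (198.51.100.7) retries every 3 s while
# an admin (203.0.113.5) connects twice, 19 s apart (documentation addresses).
SAMPLE_EVENTS = [(0, "198.51.100.7"), (1, "203.0.113.5")] + \
    [(t, "198.51.100.7") for t in range(3, 19, 3)] + [(20, "203.0.113.5")]
```

With `--update` the guesser gets exactly one connection and then stays blocked for as long as it keeps retrying; with `--rcheck` it would get one attempt every 15 s, while the admin is unaffected either way.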

  2. Re:What happens when... on Password Storage for Fun and Profit? · Score: 1

    - I stand corrected: SMS is not automatically encrypted by the network, but they can be easily encrypted by the "password server", and decrypted on the receiving mobile by a local app (java?). Thank you for your most polite correction.

    - Yes you can fake the originating MIN of the request SMS, but tell me, how do you receive the response without compromising a SIM?? The server will answer only to the CORRECT, known phone. Even if you somehow "sniff" the traffic to get the answer, and if it's not encrypted, the legit phone would get it too, as a sign of breach.

    - If the user does not delete the SMS, and if he doesn't use a PIN to lock the phone, and if he doesn't use a password-protected decryption app, and if he loses the phone, I agree there's a problem. If he writes down the passwords and gives them away too.

    - If you count on the cooperation of the cell network staff - or the cooperation of any remote communication system staff - and do not use encryption, then there is no solution for the proposed remote password storage.

    - It was not an "authoritive answer", it was a "possible solution", posted for "peer review" and brainstorming, but it's all my fault for forgetting that this is Slashdot, where everything posted is an "authoritative answer"...

  3. What happens when... on Password Storage for Fun and Profit? · Score: 3, Informative

    an irresistible force meets an immovable object?

    Nothing, because they cannot belong to the same universe.

    The same is valid for the two concepts "from any computer" and "secure from the outside world". You can't have both. "Any computer" can have keyloggers, screen capturers, mouse trackers, mind readers, whatever it takes to snatch the passwords on the way to your employee.

    Plugging the USB memory to "any computer" to retrieve the passwords is also dangerous for similar reasons.

    Either you have all the passwords stored in autonomous devices from where your employee can safely retrieve them (for example PDAs or some mobile phones, which have a protected "password storage" feature), or a centralized database which can only be queried by 'safe' clients.

    A possible centralized solution: Your employee calls a number or sends an SMS from his mobile. On the other side, a system which knows the 'trusted' mobile numbers recognizes him from the caller ID (and optionally a user password), retrieves the one password he queried for, and sends it back via SMS.

    SMS (at least over GSM networks) are encrypted, and GSM SIM cards are quite hard (impossible) to counterfeit.

    This could be easily implemented with GSM phones or GSM modem modules connected to the server, and SMS handling tools freely available.

  4. Re:Yeah, you're right on Modern Humans, Neanderthals Shared Earth for 1,000 Years · Score: 1

    >your closest relative (the chimpazee) is 99.7% compatible genetically

    The breaking news is that it's possibly 96%:

    http://www.theaustralian.news.com.au/common/story_page/0,5744,16453082%255E30417,00.html

    I'm not bringing this to counter your well-written argument. It opens even more 'space' for possible changes before becoming another species.

  5. Re:discrimination on Reputation Lookup for IPs · Score: 1

    A dynamic IP normally means that the computer on the other side is a home user ISP subscriber.

    Generally the ISPs have their mail servers, and subscribers should send email through them.

    If an ISP allowed one of its subscribers to send spam from his dynamic IP, it means it doesn't care that this is done, so spam can potentially come from any IP in that ISP-owned block. Blocking the whole IP block won't harm nice users sending mail through the ISP's smtp server (unless the ISP is stupid enough to place it in the same block as the DHCP clients).

    When I add such a block to my blacklist, I'm only "denying communications" to people trying to send me emails from a dynamic IP. I actually don't care if I haven't received one single spam from that block. One of my milter rules regex-denies relay names with dynamic,dhcp,dial-up,dialin,dialip,dsl-,dl-,pool-, etc.

    The same way, I reserve the right to not answer calls which have no caller ID, or to not open anonymous snail mail.

    So I'm not "discriminating"; I'm undiscriminatingly refusing to get email from dynamic IPs.

    For those who complain they have the 'right' to have their own smtp server from home, well, get yourself a fixed IP, or a whole block, set up your DNS and mx records right, and I'll be glad to trust you once.

    If you think it's bad to "discriminate against any group of people blablah", then you are probably against ID and luggage check when boarding airplanes, right? The group (airplane travellers) are being "discriminated" based on the history of very few individuals within that group.

    If you get this route, you'll soon reason that you can only delete a spam before reading it if you have seen the sender before: Not doing that would be "discriminating" the sender just because of the "history" of the other "Cheap V14GR4!!" individuals.

  6. Re:How do they collect that data? on Reputation Lookup for IPs · Score: 1

    Excuse me but,

    >Somebody on that linux-driven network got zombied.

    Not all spam comes from zombies. If the ISP is spam-tolerant, you may just have their subscribers sending spam.

    Also, just because of the name of the ISP, I suppose it doesn't mean all their subscribers run linux, so you could have zombies there too.

    Finally, I did not imply linux cannot be zombied, but if my smtp server is a zombie, it's a very lazy one, or I'm also rooted, because tethereal showed about 200 outgoing smtp connections yesterday, which are legit and accounted for on mail.log (and a lot of those are retries to a couple of unresponsive servers).

    BR,

    Joao S Veiga

  7. Re:Raised Concern on Reputation Lookup for IPs · Score: 1

    Yeah,

    Take 200.155.79.253 (my usual home (dynamic) IP address).

    First Seen: Never
    Daily avg: nil
    Yesterday: nil
    Not on any blacklist

    Current reputation: Raised Concern ??
    I'd agree with "Suspicious", for being in a dynamic broadband range, but "Raised Concern"?

  8. How do they collect that data? on Reputation Lookup for IPs · Score: 1

    I'm interested in understanding that. Could someone enlighten me?

    My domain and IPs are listed as "Inoffensive", but it does show an increase of mail volume in one of my IPs, and the decrease on another yesterday (I've changed my sendmail outgoing IP; it was using the wrong eth0 aliases).

    I know I'm not sending emails to 'spam trap' addresses (we do not send unsolicited mail), my linux server is not an open relay nor a zombie, and I block outgoing smtp coming from the intranet (so there couldn't be a windows zombie inside).

    So how did it 'notice' the shift of my email traffic from one ip to the other, in just one day, especially with the low volume of emails we send (there were about 200 outgoing emails from our server yesterday)? Creepy.

  9. Re:Why... on MS Gets $7 Million From Spammer · Score: 1

    For taking $7 million away from a spammer.

    If you take 10 bucks from a spammer, you only deserve 10 bucks.

  10. Moving DST on Extra Daylight Savings May Confuse the Gadgets · Score: 1

    In Brazil, we have long learned to accept the fact that no gadget (Windows included) knows when the DST starts or ends correctly.

    Twice a year, Windows PCs set to automatically adjust for DST get it wrong and confuse users.

    This is because the government keeps changing the dates every year.

    For debian (don't know about other distros) there is even a package to track the Brazilian DST start/end dates and adjust the system correctly, called tz-brazil!

    Joao

  11. Wrong math on Carter Copter Breaks Mu-1 Barrier · Score: 1

    This means that at a certain point, the tip of the retreating blade is "standing still" relative to the wind and producing no lift, while the rest of the blade is actually moving backwards through the air

    If at a certain condition the tip of the retreating blade is "standing still" relative to the wind, and the copter (i.e. the center of the rotor) is moving forward, then there is no way for the rest of the blade to be moving backwards.

    At this situation, if you take the speed (relative to wind) of each point of this blade when it's perpendicular to the direction of the moving copter, it's zero at the tip, and equal to the copter at the center of the rotor. If the copter is moving forward through the air, no part of the blade can be moving backwards through the air. In relation to the air, the slowest moving part of the blade is that tip with zero speed. All other parts of the blade have positive speed.

  12. 3000 CD-quality songs in 4GB? on Nokia Announces Hard-Drive Phone · Score: 1

    Songs must be quite short in Finland, or their CDs have pretty bad quality.

  13. Re:Same thing? on Mabir.A Virus Targets Symbian Phones · Score: 1

    Yes, it is.

    You only have to make really sure that no application, or action, or input, will in any possible case be able to cause any possible imaginable undesirable effect.

    The compiler/language itself would have to be 100% secure too, so I wrote it in assembly. Here is the complete operating system; runs in most CPU architectures, and it's quite hardware independent:

    HALT

    Of course, if you add more functionality to the OS (or to the secure compilers), testing and certification process times grow exponentially.

  14. Re:Hidden messages on 1.7 Billion Digits Of Pi On CD · Score: 1

    ouch. it's 4billion BINARY digits!

  15. Hidden messages on 1.7 Billion Digits Of Pi On CD · Score: 2, Informative

    If all you want to do is search for mystic stuff inside the number, you don't need the CD with its measly 1.7bi digits.

    Save your bandwidth and just go here to search within 4bi digits.

  16. Re:Why are they doing it? on HP to Region-code Cartridges · Score: 1

    Couldn't this be a first (or disguised) step for making it impossible to recharge the cartridges?

    HP should make more money on the cartridges than on the printer, but at least in Brazil it is very common to get 'recharged' cartridges, for which HP makes no money (except once, for the first buyer).

    Having any encoded protection/intelligence on the cartridge would make it very easy to:
    - make cartridges 'void' once they are emptied for the first time
    - make cartridges only work on the printer where it was first used
    - make cartridges send an email to the FBI if you recharge it

  17. For 154 million, I'll go fix it on Space Robot Maker MDA Nets Hubble Repair Contract · Score: 1

    Can't less than $154 million hire people who would happily sign a responsibility waiver for NASA, board the oh-now-so-deadly shuttle and go fix Hubble personally?

    Heck, a lot of people would do it for free, just for the ride!

    People PAY to participate in sports more dangerous than a current shuttle mission!

    When orbital space missions become as safe as a commercial flight, there will be the dangerous interplanetary missions. Being on the edge is dangerous, but someone has to do it, and some people love to do it.

    As of now, space missions ARE dangerous. That's why they don't send civilian, children's teachers there. Huh, no, wait...

  18. meanwhile, in the most expensive SPA in the sky on Space Station Crew Forced to Cut Calories · Score: 1

    ...the creature's growing attraction to the humans makes it harder and harder for it to stay hidden. The cold, shrink-wrapped supplies it has been feeding from tastes like plastic, and something inside it slowly takes the form of a desire for warm, wet, red flesh...

  19. For how long will MS resist... on Microsoft Bringing TV to Xbox · Score: 1

    Today: Windows Media Center Extender
    Next: MSN/Instant Messaging Extender (comes with a MS keyboard!)
    Then...
    Outlook Express Extender
    Windows XP Home Extender
    ...and voilà, Microsoft has embraced and extended the PC hardware market.

  20. Re:And now we are waiting for uclibc ver 1.0 on BusyBox Goes 1.0.0 · Score: 1

    Sorry, I didn't mean to imply you were doing anything to be hall-of-shamed of.

    I read your "complete linux system (without kernel)" part (yes, purposely taken out-of-context) and smiled thinking about Stallman saying: you should name it "Busybox/Linux" or "GNU/Linux"!! A "complete linux system (without kernel)" is an oxymoron! The "Linux" on the name is just the kernel!

    oh well, someone mod me down for a failed joke attempt...

  21. Re:And now we are waiting for uclibc ver 1.0 on BusyBox Goes 1.0.0 · Score: 1

    ...complete linux system (without kernel)... ...is that the sound of a long-haired, bearded, GNU guy clenching his teeth?

  22. New product announced by Microsoft on Can Power Point Prejudice Juries? · Score: 5, Funny

    Microsoft (MSFT) has announced the MS Court Room, a complete Law Office suite including contact management, presentation tools, video production, criminal database search, and many other features to make sure your Court Experience will be embraced and extended.

    Also included is a new technology called ClippyLaw, which will automatically call "Objection!" for you, and a state-of-the-art Evidence Manipulation/Statement Retouching software based on News Media Player.

    Updated templates for Anti-Trust cases can be downloaded from the Microsoft web site.

  23. And also, that was a Swedish study... on Mobile Phone Use And Acoustic Neoroma · Score: 1, Insightful

    I guess they didn't take into account the 10-year effect of uncovering your ear from the warmth of a hood to the cold Nordic weather every time you had to answer the cellphone being outdoors.

    I bet they didn't have that on the control group!

    (is slashdot slashdotted? I'm getting a lot of 503)

  24. One more reason to quit analog cell phones on Mobile Phone Use And Acoustic Neoroma · Score: 5, Interesting

    Note that the study was performed with analog-phones only.

    Analog phones (which survive mostly in the US) transmit 100% of the time during a call (actually it starts transmitting even before the other party answers).

    GSM phones transmit at 1/8 of the time - maximum (if you are not using data - but then when you are doing GPRS/EDGE, you don't have the phone in your ears). If you use half-rate it's 1/16 of the time. If it's AMR and DTX (discontinuous transmission), it can be even less.

    TDMA phones transmit at 1/3 of the time.

    CDMA (IS2000) phones transmission can vary (similar to DTX), but it's more than the GSM minimum - max power is lower, frequency is spread, yaddayadda, but it's more RF per time.

    So, if you take GSM at its 1/8 of the time, would that mean 80 years of usage? Maybe not. Max GSM handheld power is higher than max Analog handheld power (but then, you only use it if you are FAR from a cell site), and I bet we use cell phones more and more often if compared to 10 years ago.

    So let's say 60 years to be safe? And let's alternate the cell phone ear, so it's 120?

    I'll take it.

  25. Re:Google Print is down on Breaking Google's DRM · Score: 1

    Looks like you're right.

    None of the methods posted here which used to bring in books on the results work anymore.

    site:google.com inurl:isbn isn't either.

    kudos guys, if you managed to destroy it.

    I've never seen such an amount of childish and selfish babbling together.

    "If I see it, it's mine, I have the right to save a copy for reference". Yeah, every time you go to the movies you have the right to bring home a DVD with the content.

    The arguments some people are using here to defend the stupid right to home-print a whole book (wasting more money than buying one) are similar to those used by satellite-tv pirates.

    Living in society implies the acceptance of certain rules. I lend you my screwdriver if you agree to return it. I won't put surveillance cameras in the store if you agree not to shoplift. I'll let you browse this content if you agree not to copy it. Unfortunately when a minority of brats breaks the rules in the name of '100% freedom', everybody loses one more bit of the 'community freedom'.