On 12/07/2011 03:59 AM, Nicolas Thierry-Mieg wrote: > Lamar Owen wrote: >> On Tuesday, December 06, 2011 04:58:42 PM Lamar Owen wrote: >>> I happen to have a copy of an older brute-forcer dictionary here (somewhere) and it's very large and has lots of very secure-seeming passwords in it. >> >> I ran down the copy I have; here's an excerpt of one of the dictionaries: >> ++++++++ >> root:P7zkJTma >> root:5D8DY22 >> root:mc99ZR34Z >> root:IVEUFc >> root:JJc9DicA >> root:zzzzzzz >> root:4m3ric4n >> root:3nglish >> root:g0v3rm3nt >> root:4zur3 >> root:bl4ck >> root:blu3 >> root:br0wn >> root:cy4n >> root:crims0n >> root:d4rkblu3 >> root:d4rk >> root:g0ld >> ++++++++ >> >> Yeah, some of those would ordinarily be relatively secure-seeming passwords. > > alphanumeric only isn't so secure-seeming is it? Is this for admins who > log in with a cell phone instead of a real keyboard? ;-) > seriously: I thought the consensus was that a secure password should > contain at least one or more non-alphanumeric characters. The real bottom line is that the only way you should allow access to your machine is via keys ... having an ssh port exposed to the internet that allows password logins is, at some point, going to be breached if someone wants to breach it. You could substitute a | or a ! for some i's in the above passwords and the brute force checker will find those as well. The real issue is that passwords are not going to cut it as your primary security measure to keep people out. You need to limit the ssh port to allowed IP addresses (or subnets), you need to use keys (maybe even keys with pins as secondary option for more security) to access that "IP address controlled" ssh port, and you need to turn off remote root access and allow access from other users who need to run sudo to get root. If you leave a password controlled ssh port that allows root login exposed to the Internet, then the only reason it is not breached is that someone has not yet had a desire to breach it.
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos