Re: an actual hacked machine, in a preserved state




Having been on vacation, I'm coming in very late in this...

Les Mikesell wrote:
> On Tue, Jan 3, 2012 at 4:28 AM, Bennett Haselton <bennett@xxxxxxxxxxxxx>
> wrote:
<snip>
>> OK but those are *users* who have their own passwords that they have
>> chosen, presumably.  User-chosen passwords cannot be assumed to be
>> secure against a brute-force attack.  What I'm saying is that if you're
>> the only user, by my reasoning you don't need fail2ban if you just use a
>> 12-character truly random password.
>
> But you aren't exactly an authority when you are still guessing about
> the cause of your problem, are you?  (And haven't mentioned what your
> logs said about failed attempts leading up to the break in...).

Further, that's a ridiculous assumption. Without fail2ban, or something
like it, they'll keep trying. You, instead, Bennett, are presumably
generating that "truly random" password[1] and assigning it to all your
users[2], and not allowing them to change their passwords, and you will be
changing it occasionally and informing them of the change.[3]

Right?

        mark

1. How will you generate "truly random"? Clicks on a Geiger counter? There
is no such thing as a random number generator.
2. Which, being "truly random", they will write down somewhere, or store
it on a key, labelling the file "mypassword" or some such.
3. How will you notify them of their new password - in plain text?
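As an added example that is not part of the thread: a fail2ban-style check run over constructed sshd log lines (the "Failed password" entries Les asks about), alongside the search space of a 12-character random password at the guess rate those logs show. Hostnames, addresses and log lines are constructed; maxretry=5 and findtime=600 are assumed fail2ban defaults.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/secure on a CentOS box (syslog format, no year).
SAMPLE_LOG = """\
Jan  3 04:20:01 web1 sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 4411 ssh2
Jan  3 04:20:03 web1 sshd[2103]: Failed password for root from 198.51.100.7 port 4412 ssh2
Jan  3 04:20:05 web1 sshd[2105]: Failed password for root from 198.51.100.7 port 4413 ssh2
Jan  3 04:20:06 web1 sshd[2107]: Failed password for invalid user oracle from 198.51.100.7 port 4414 ssh2
Jan  3 04:20:09 web1 sshd[2109]: Failed password for root from 198.51.100.7 port 4415 ssh2
Jan  3 04:21:30 web1 sshd[2111]: Failed password for bennett from 203.0.113.5 port 50022 ssh2
Jan  3 04:21:45 web1 sshd[2112]: Accepted publickey for bennett from 203.0.113.5 port 50023 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse_failures(log_text, year=2012):
    """Return (timestamp, ip, user) for every 'Failed password' line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return events

def offenders(events, maxretry=5, findtime=600):
    """IPs with maxretry or more failures inside any findtime-second window (fail2ban's rule)."""
    by_ip = defaultdict(list)
    for ts, ip, _ in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        # Slide a window of maxretry consecutive failures; flag the IP if one fits in findtime.
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                flagged[ip] = len(times)
                break
    return flagged

def years_to_exhaust(events, length=12, alphabet=94):
    """Years to try every `length`-char password over `alphabet` symbols at the observed, unthrottled rate."""
    times = sorted(ts for ts, _, _ in events)
    span = (times[-1] - times[0]).total_seconds() or 1.0
    rate = len(times) / span  # failed guesses per second seen in the log
    return alphabet ** length / rate / (365.25 * 86400)
```

The single legitimate failure from 203.0.113.5 is never flagged, while the burst from 198.51.100.7 is; the search-space figure shows why the thread's disagreement is about exposure and logging rather than about whether the password can be guessed.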

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos


