On 01/04/2012 10:59 PM, Lamar Owen wrote:
> [Distilling to the core matter; everything else is peripheral.]
> <snip>
>
> It is a safe assumption that there are httpd exploits in the wild, that
> are not known by the apache project, that specifically attempt to grab
> /etc/shadow and send to the attacker. It's also a safe assumption that
> the attacker will have sufficient horsepower to crack your password from
> /etc/shadow in a 'reasonable' timeframe for an MD5 hash. So you don't
> allow password authentication and you're not vulnerable to a remote
> /etc/shadow brute-forcing attack regardless of how much horsepower the
> attacker can throw your way, and regardless of how the attacker got your
> /etc/shadow (you could even post it publicly and it wouldn't help them
> any!).
>

Excellent text. This should be published on some Blog, or CentOS wiki maybe.

Thank you for this. Concise and practical. Wow. Thanks again!

--
Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your
trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant
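
The quoted argument, turned into a check a defender can run; this is an added example and not part of either poster's message. It assumes the remote login service is OpenSSH's sshd (the thread text above does not name it), and the function names and sample file contents are constructed for illustration.

```python
# Added illustration; all sample data below is constructed, not from a real host.
SCHEMES = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt",
           "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}

def shadow_hashes(shadow_text):
    """Map user -> hash scheme for accounts that hold a usable password hash."""
    found = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        if not pw or pw[0] in "!*":      # empty, locked, or no password set
            continue
        if pw.startswith("$"):
            found[user] = SCHEMES.get(pw.split("$")[1], "unknown")
        else:
            found[user] = "legacy-or-unknown"   # e.g. old 13-character crypt hashes
    return found

def password_auth_enabled(sshd_config_text):
    """Global PasswordAuthentication setting: first value read wins, default is yes."""
    for line in sshd_config_text.splitlines():
        tokens = line.split("#", 1)[0].replace("=", " ").split()
        if not tokens:
            continue
        key = tokens[0].lower()
        if key == "match":               # conditional blocks are not evaluated here
            break
        if key == "passwordauthentication" and len(tokens) > 1:
            return tokens[1].strip('"').lower() == "yes"
    return True

def remotely_usable(shadow_text, sshd_config_text):
    """Accounts whose leaked hash, once cracked, gives a password sshd would accept."""
    if not password_auth_enabled(sshd_config_text):
        return {}                        # cracked passwords are useless for remote login
    return shadow_hashes(shadow_text)

SAMPLE_SHADOW = """\
root:$1$abcdefgh$CONSTRUCTEDCONSTRUCTED:15343:0:99999:7:::
alice:$6$saltsalt$CONSTRUCTED:15343:0:99999:7:::
apache:!!:15343::::::
bob:!$1$abcdefgh$CONSTRUCTED:15343:0:99999:7:::
"""
SSHD_PASSWORDS = "#PasswordAuthentication no\nPasswordAuthentication yes\n"
SSHD_KEYS_ONLY = "PasswordAuthentication no\nPubkeyAuthentication yes\n"

if __name__ == "__main__":
    print(remotely_usable(SAMPLE_SHADOW, SSHD_PASSWORDS))
    print(remotely_usable(SAMPLE_SHADOW, SSHD_KEYS_ONLY))
```

Keyboard-interactive authentication through PAM can also accept passwords, so a full audit checks that setting too; `sshd -T` prints the effective configuration, including anything this sketch skips in `Match` blocks.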