On 12 January 2015 at 11:58, P J P <pj.pandit@xxxxxxxxxxx> wrote:
On Tuesday, 13 January 2015 12:05 AM, Stephen John Smoogen wrote:
>I don't see how this is the case. All we have done is move the
>first line of the root-kit script to calling sudo via the password
>that was used to open the account up. Since many Linux systems
>are single user boxes.. it is most likely going to work. If it fails
>then the majority of them just dump the warning email in
>/var/spool/mail/root which never gets read (from the number of boxes
> I have had to clean up).
Sorry, I didn't get it. Running root-kit script implies you already
have access to a machine. And the user has sudo(1) access enabled.
Sorry if I am misunderstanding but the feature is to address brute forcing the root account so that they do not get root access to the server. I am saying that this isn't a speed-bump because they are already trying to brute force all the accounts on the system and so if they get one, they will become root as they already have the password for the account. Thus I do not see how it solves the first problem.
>And from looking at the sophistication of various worms these days..
>they are a lot smarter about guessing who owns the box and then trying
>various smart choices (since Fedora will select ssmoogen as my name it
>has shown up more often in brute forces by systems which I own).
That's possible. But the proposed feature is not meant to address this issue.
>I was going to say it is an informed speculation.. I have actually had to
>interview various people about weak passwords and why they chose them and
>the largest excuse is "Well I don't need to have a strong password for
>this.. it's not like it's root."
Yes, that is quite common. Which is precisely why we need to set hardened
default configurations.
I do not disagree. I just think that the sophistication of the malware robots is high enough that saying the above does not help hardening without further changes. [Adding a password creation tool to anaconda and gnome-first-boot to help people create 'stronger' passwords would seem to do more in hardening.]
---
Regards
-Prasad
http://feedmug.com
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Stephen J Smoogen.