A Topic that needs to be discussed on the next QA meeting..

Andrew Farris lordmorgul at gmail.com
Tue Mar 18 17:30:16 UTC 2008


Alan Cox wrote:
> On Tue, Mar 18, 2008 at 04:34:32AM -0700, Andrew Farris wrote:
>> Well I understand why those are a high risk, but with root at least the 
>> attacker knows the username, normal usernames is a double blind brute force 
>> right?  I know my own system used to see many more root attempts than 
> 
> No - scanning tools use email data, web data and statistical tables of common
> usernames.  Even a long time ago sending to usenet from
> 
> 	stupidname at mybox.com
> 
> resulted in dictionary attacks via ssh against anything in mybox.com with
> username stupidname, including in some cases trying each word in the posting
> 
> Alan

Ok thanks, that makes sense for a larger picture I wasn't considering I guess.

I'm thinking along the lines of random attacker with a portscan on arbitrary 
(desktop machine) IP ranges where one returns an ssh response, the most likely 
user accounts to get attempted are root (does allow login by default) or known 
service accounts (do not).  No one is likely to be reviewing logs, so attempts on 
root's pass could go on for days and days and this wouldn't require anything so 
sophisticated as data mining.  That seems like unnecessary risk to me for most 
desktop users even if it's lower risk.

I understand the need for root ssh to be open prior to firstboot, I don't 
understand why it would need to remain that way unless an admin wanted it to be.

-- 
Andrew Farris <lordmorgul at gmail.com> www.lordmorgul.net
  gpg 0xC99B1DF3 fingerprint CDEC 6FAD BA27 40DF 707E A2E0 F0F6 E622 C99B 1DF3
No one now has, and no one will ever again get, the big picture. - Daniel Geer
----                                                                       ----
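
An added example, not part of the original message: a small log review that separates failed ssh password attempts into the classes discussed in this thread (root, names sshd reports as "invalid user", and existing non-root accounts) and flags sources that keep trying root across several days. The log lines, host name, user names and addresses are constructed samples in the usual OpenSSH syslog format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (assumed classic syslog layout; not from the original post).
SAMPLE_LOG = """\
Mar 15 02:11:07 desktop sshd[2101]: Failed password for root from 203.0.113.5 port 40112 ssh2
Mar 15 02:11:09 desktop sshd[2103]: Failed password for root from 203.0.113.5 port 40120 ssh2
Mar 16 03:40:51 desktop sshd[2450]: Failed password for invalid user stupidname from 198.51.100.7 port 51514 ssh2
Mar 16 03:40:55 desktop sshd[2452]: Failed password for invalid user oracle from 198.51.100.7 port 51530 ssh2
Mar 17 23:02:14 desktop sshd[2890]: Failed password for root from 203.0.113.5 port 41877 ssh2
Mar 18 04:30:02 desktop sshd[3011]: Failed password for andrew from 198.51.100.7 port 52001 ssh2
Mar 18 04:34:32 desktop sshd[3015]: Accepted password for andrew from 192.0.2.10 port 50022 ssh2
"""

# sshd prefixes names it does not accept with "invalid user".
FAILED = re.compile(
    r"^(?P<day>\w{3}\s+\d+) \S+ \S+ sshd\[\d+\]: Failed password for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def summarize(log_text):
    """Return (failures per target class, {source: days with root attempts})."""
    by_class = Counter()
    root_days = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        if m["invalid"]:
            cls = "unknown-user"
        elif m["user"] == "root":
            cls = "root"
            root_days[m["src"]].add(m["day"])
        else:
            cls = "existing-user"
        by_class[cls] += 1
    # Sources still guessing root's password on more than one calendar day.
    persistent = {src: len(days) for src, days in root_days.items() if len(days) > 1}
    return dict(by_class), persistent


if __name__ == "__main__":
    classes, persistent = summarize(SAMPLE_LOG)
    print("failed attempts by target:", classes)
    print("sources hitting root on multiple days:", persistent)
```
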