Blackhole

Steve Phillips steve at focb.co.nz
Wed Apr 13 22:59:35 UTC 2005


On Wed, 13 Apr 2005, Wayne Pinette wrote:

> Actually, this does make the box more secure.  It is more secure because
> every *nix system on the planet has a root account which,
> if you have an open ssl/telnet/ftp/sftp connection to the outside world,
> gives a bored/bad hacker something to focus on.
> Mathematics alone states that sooner or later, if left alone, someone
> hammering on an open root account for a password
> is going to get it.

Except, with the advent of backoff times and key exchange times, brute 
forcing an 8 character password over a network connection that has the 
potential to use every possible character will take you years (literally) 
to brute force.

Policy here makes the box far more secure than any "disallow root logins" 
setting; if you are using weak passwords or short passwords or are not 
changing your root password regularly (once every few months should 
suffice) then yes, expect to get hacked, but claiming that disallowing 
root logins is secure is an urban myth. Good admins also regularly read 
their logs.

> Now, if you have root set so as to not be able to login remotely, as
> most do on their systems, mathematically it's impossible :-).

Yes, however it is also "mathematically possible" to crack a user account 
and from there run a local exploit (they are far more readily available) 
and poof, it's game over. Hell, it's actually easier to find a listening 
port and find a remotely exploitable way in that way; statistically you 
have far more chance of breaking into a box that way than trying to brute 
force root over an ssh link. (It would prolly take you a fair few years 
less time and the admin is less likely to pick it up.)

> I wish I had a penny (literally) for every attempt on
> root/postgres/mysql/oracle/apache/<enter standard name here>
> over ssh or sftp every day.  Unfortunately I don't  :-(

worms are a wonderful thing, but then worms that try to guess from a 
limited number of passwords to someone actually trying to brute force your 
root login are as alike as peas and oranges.

I also wish I had a penny for every attempt to break into my "IIS" web 
server, or a penny for every e-mail spam message I get or every worm that 
comes knocking too, but sadly I don't. It still does not make disabling the 
root login "more secure"; the only thing that allows is for admins to 
choose inherently weak passwords because they live in a world where 
people are "not able to h4x0r rewt coz I turned it off !", which IMHO 
would make the box _less_ secure.

-- 
Steve.
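The argument above turns on how many guesses per second a login daemon lets through and how large a keyspace the guesser must search. The following Python script is an added example, not code from Steve's post or from the redhat-list; it puts numbers on the thread's claims (an 8-character password drawn from all printable ASCII under a per-attempt backoff, a short lowercase password with and without backoff, and a worm working from a fixed word list). The attempt rates, charset sizes and list length are constructed assumptions for illustration, not measurements of any real sshd.

```python
"""Added example, not code from the original mailing-list post: an estimate
of how long an online password-guessing attack is expected to take, given
the keyspace the attacker must search and the attempts per second that the
server's backoff and connection limits let through. All rates below are
constructed assumptions for illustration."""

from dataclasses import dataclass

SECONDS_PER_YEAR = 365.25 * 24 * 3600
PRINTABLE_ASCII = 95  # 0x20..0x7E: the "every possible character" case in the thread
LOWERCASE = 26


@dataclass(frozen=True)
class GuessRate:
    """How fast guesses reach the daemon (assumed values, see scenarios())."""
    seconds_per_attempt: float     # login backoff plus key exchange cost per try
    parallel_connections: int = 1  # attacker's concurrency against the host

    def attempts_per_second(self) -> float:
        return self.parallel_connections / self.seconds_per_attempt


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def expected_seconds(candidates: int, rate: GuessRate) -> float:
    """Expected time to hit the right password: on average half the
    candidate list is tried before the correct one turns up."""
    return (candidates / 2) / rate.attempts_per_second()


def describe(seconds: float) -> str:
    """Human-readable duration, coarse enough to compare scenarios."""
    if seconds < 60:
        return f"{seconds:.0f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


def scenarios() -> dict:
    """Expected attack durations for the cases the thread argues about.
    A 1 s per-attempt backoff on a single connection stands for a daemon
    with login delays; 0.1 s across 100 connections stands for a host with
    no backoff or connection limit at all. Both are assumed, not measured."""
    throttled = GuessRate(seconds_per_attempt=1.0)
    unthrottled = GuessRate(seconds_per_attempt=0.1, parallel_connections=100)
    return {
        "8 chars, full printable ASCII, throttled":
            expected_seconds(keyspace(PRINTABLE_ASCII, 8), throttled),
        "6 chars, lowercase only, throttled":
            expected_seconds(keyspace(LOWERCASE, 6), throttled),
        "6 chars, lowercase only, unthrottled":
            expected_seconds(keyspace(LOWERCASE, 6), unthrottled),
        "worm with a 10,000-word list, throttled":
            expected_seconds(10_000, throttled),
    }


if __name__ == "__main__":
    for label, secs in scenarios().items():
        print(f"{label:45s} ~{describe(secs)}")
```

Run stand-alone it prints one line per scenario. The spread is the point of the thread: the full-keyspace 8-character case comes out in the hundreds of millions of years even for a single throttled connection, a short lowercase password drops from years to under two days once backoff and connection limits are gone, and a worm's fixed word list finishes in about an hour regardless, which is why reading the logs for that kind of traffic matters more than whether the account is called root.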
