Blackhole
Steve Phillips
steve at focb.co.nz
Wed Apr 13 22:59:35 UTC 2005
On Wed, 13 Apr 2005, Wayne Pinette wrote:
> Actually, this does make the box more secure. It is more secure because
> every *nix system on the planet has a root account which,
> if you have an open ssl/telnet/ftp/sftp connection to the outside world,
> gives a bored/bad hacker something to focus on.
> Mathematics alone states that sooner or later, if left alone, someone
> hammering on an open root account for a password
> is going to get it.
Except, with the advent of backoff times and key exchange times, brute
forcing an 8 character password over a network connection that has the
potential to use every possible character will take you years (literally)
to brute force.
Policy here makes the box far more secure than any "disallow root logins"
setting. If you are using weak passwords or short passwords or are not
changing your root password regularly (once every few months should
suffice) then yes, expect to get hacked, but claiming that disallowing
root logins is secure is an urban myth. Good admins also regularly read
their logs.
> Now, if you have root set so as to not be able to login remotely, as
> most do on their systems, mathematically it's impossible :-).
Yes, however it is also "mathematically possible" to crack a user account
and from there run a local exploit (they are far more readily available)
and poof, it's game over. Hell, it's actually easier to find a listening
port and find a remotely exploitable way in that way; statistically you
have far more chance of breaking into a box that way than trying to brute
force root over an ssh link. (It would prolly take you a fair few years
less time and the admin is less likely to pick it up.)
> I wish I had a penny (literally) for every attempt on
> root/postgres/mysql/oracle/apache/<enter standard name here>
> over ssh or sftp every day. Unfortunately I don't :-(
Worms are a wonderful thing, but then worms that try to guess from a
limited number of passwords and someone actually trying to brute force your
root login are as alike as peas and oranges.
I also wish I had a penny for every attempt to break into my "IIS" web
server, or a penny for every e-mail spam message I get or every worm that
comes knocking too, but sadly I don't. It still does not make disabling the
root login "more secure"; the only thing that allows is for admins to
choose inherently weak passwords because they live in a world where
people are "not able to h4x0r rewt coz I turned it off !", which IMHO
would make the box _less_ secure.
--
Steve.
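The thread leans on two things an admin can actually check: whether the daily guessing against root/postgres/mysql/oracle/apache is a worm cycling a short wordlist, and whether anyone is reading the logs. Below is an added example (not from the original post or the redhat-list) that parses constructed sshd log lines, counts failed password attempts per source and user, and flags sources that hammer well-known account names; the log lines, account list and threshold are all assumptions.

```python
import re
from collections import Counter

# Constructed sample sshd log lines for illustration (not real captured logs).
SAMPLE_LOG = """\
Apr 13 22:01:02 host sshd[1201]: Failed password for root from 192.0.2.10 port 40211 ssh2
Apr 13 22:01:04 host sshd[1203]: Failed password for root from 192.0.2.10 port 40212 ssh2
Apr 13 22:01:06 host sshd[1205]: Failed password for invalid user postgres from 192.0.2.10 port 40213 ssh2
Apr 13 22:01:08 host sshd[1207]: Failed password for invalid user oracle from 192.0.2.10 port 40214 ssh2
Apr 13 22:01:10 host sshd[1209]: Failed password for root from 192.0.2.10 port 40215 ssh2
Apr 13 22:05:00 host sshd[1301]: Accepted publickey for steve from 198.51.100.7 port 51000 ssh2
Apr 13 22:07:31 host sshd[1402]: Failed password for steve from 198.51.100.7 port 51002 ssh2
Apr 13 22:07:40 host sshd[1403]: Accepted password for steve from 198.51.100.7 port 51003 ssh2
"""

# Matches OpenSSH "Failed password" lines, with or without "invalid user".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

# Account names present on nearly every box, so they attract guessing worms
# (the list is an assumption; extend it for your own site).
STANDARD_ACCOUNTS = {"root", "postgres", "mysql", "oracle", "apache"}


def failed_logins(log_text):
    """Return a list of (user, source_ip) tuples, one per failed password attempt."""
    hits = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            hits.append(m.groups())
    return hits


def summarize(log_text, threshold=3):
    """Count failures per (user, source) and flag sources that either exceed the
    threshold or target any well-known account name. Returns (counts, flagged)."""
    counts = Counter(failed_logins(log_text))
    per_source = Counter()
    hit_standard = set()
    for (user, src), n in counts.items():
        per_source[src] += n
        if user in STANDARD_ACCOUNTS:
            hit_standard.add(src)
    flagged = {src: n for src, n in per_source.items()
               if n >= threshold or src in hit_standard}
    return counts, flagged


if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_LOG)
    for (user, src), n in sorted(counts.items()):
        print(f"{src:>15}  {user:<10} {n} failed")
    print("flagged sources:", flagged)
```

A lone failure from a user's usual address (steve above) stays unflagged, while the source cycling root, postgres and oracle is reported even at a low count.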