On 02/03/2015 03:44 PM, Always Learning wrote:
> There should be a basic defence that when the password is wrong 'n'
> occasions the IP address is blocked automatically and permanently
> unless it is specifically allowed in IP Tables.
As has been mentioned, fail2ban does this.
However, the reason you want a password that is not easily bruteforced
has nothing to do with this, and all bruteforce attempts cannot be
blocked by this method. Scenario:
1.) There's some sort of security vulnerability that allows an intruder
to read an arbitrary file. This type of vulnerability (whether it be in
php, glibc, bash, apache httpd, or whatever) is not rare.
2.) Attacker uses said vulnerability to exfiltrate /etc/shadow.
3.) Attacker uses a large graphics card's GPU power, harnessed with CUDA
or similar, to run millions of bruteforce attempts per second on the
exfiltrated /etc/shadow, on their computer (not yours).
4.) After a few hours, attacker has your password (or at least a
password that hashes to the same value as your password), after
connecting to your system only once.
Now, there are the slow bruteforcers running out there, but those are
not the droids this change is looking for. By being 'encouraged' to
have a difficult to bruteforce password from the very first, you have
better security even when the attacker exfiltrates /etc/shadow or other
password hash table (I say 'when' and not 'if' here). And the bar for
what qualifies as a secure password (from the point of view that the
attacker has your hashed password in hand and is bruteforcing on their
equipment) is continually rising as compute power increases.
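Added example, not code from the original thread: a small Python audit that parses /etc/shadow lines (constructed placeholder entries, not real hashes), identifies the crypt(3) scheme and iteration count, and flags the accounts whose hashes an attacker holding a stolen copy could brute-force fastest on a GPU, plus a helper for the keyspace-at-guess-rate arithmetic the scenario above describes. The 100000-round threshold is my assumption; SHA_CRYPT_MIN_ROUNDS is the real shadow-utils setting in /etc/login.defs.

```python
import re

# Constructed /etc/shadow lines for this example; hash fields are placeholders, not real hashes.
SAMPLE_SHADOW = """\
alice:$6$rounds=656000$Xs7vQ2Lp$placeholderhash:19000:0:99999:7:::
bob:$1$Q9kLmN3p$placeholderhash:19000:0:99999:7:::
carol:$y$j9T$PlaceholderSalt$placeholderhash:19000:0:99999:7:::
dave:$5$Zt4wKq8r$placeholderhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
"""

# crypt(3) scheme identifier -> (name, default iteration count when no rounds= is given).
SCHEMES = {"1": ("md5crypt", 1000), "5": ("sha256crypt", 5000),
           "6": ("sha512crypt", 5000), "y": ("yescrypt", None)}

def parse_shadow(text):
    """Return one dict per account: user, scheme name, rounds, and whether the login is disabled."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, field = line.split(":", 2)[:2]
        if field == "*" or field.startswith("!"):  # locked or no password login
            entries.append({"user": user, "scheme": None, "rounds": None, "disabled": True})
            continue
        m = re.match(r"\$([^$]+)\$(?:rounds=(\d+)\$)?", field)
        if not m or m.group(1) not in SCHEMES:
            entries.append({"user": user, "scheme": "unknown", "rounds": None, "disabled": False})
            continue
        name, default_rounds = SCHEMES[m.group(1)]
        rounds = int(m.group(2)) if m.group(2) else default_rounds
        entries.append({"user": user, "scheme": name, "rounds": rounds, "disabled": False})
    return entries

def audit(entries, min_rounds=100000):
    """Flag accounts whose hash an offline GPU attack on a stolen /etc/shadow would crack fastest."""
    findings = []
    for e in entries:
        if e["disabled"]:
            continue
        if e["scheme"] in ("md5crypt", "unknown"):
            findings.append((e["user"], f"{e['scheme']}: fixed/low cost, fast on GPUs; rehash with sha512crypt or yescrypt"))
        elif e["scheme"] in ("sha256crypt", "sha512crypt") and e["rounds"] < min_rounds:
            findings.append((e["user"], f"{e['scheme']} at {e['rounds']} rounds (< {min_rounds}); raise SHA_CRYPT_MIN_ROUNDS in /etc/login.defs"))
    return findings

def seconds_to_exhaust(charset_size, length, guesses_per_second):
    """Worst-case time to try every password of this length at the attacker's offline guess rate."""
    return charset_size ** length / guesses_per_second
```

Run `audit(parse_shadow(SAMPLE_SHADOW))` against a real file read as root to see which accounts would fall first; `seconds_to_exhaust(95, 8, 10**9)` shows an 8-character printable-ASCII password exhausted in about 77 days at a billion guesses per second.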