CentOS - Feb 2015 - Another Fedora decision

On 02/03/2015 03:44 PM, Always Learning wrote:
> There should be a basic defence that when the password is wrong 'n'
> occasions the IP address is blocked automatically and permanently 
> unless it is specifically allowed in IP Tables. 
As has been mentioned, fail2ban does this.

However, the reason you want a password that is not easily bruteforced 
has nothing to do with this, and all bruteforce attempts cannot be 
blocked by this method.  Scenario:
1.) There's some sort of security vulnerability that allows an intruder 
to read an arbitrary file.  This type of vulnerability (whether it be in 
php, glibc, bash, apache httpd, or whatever) is not rare.
2.) Attacker uses said vulnerability to exfiltrate /etc/shadow.
3.) Attacker uses a large graphics card's GPU power, harnessed with CUDA 
or similar, to run millions of bruteforce attempts per second on the 
exfiltrated /etc/shadow, on their computer (not yours).
4.) After a few hours, attacker has your password (or at least a 
password that hashes to the same value as your password), after 
connecting to your system only once.

Now, there are the slow bruteforcers running out there, but those are 
not the droids this change is looking for.  By being 'encouraged' to 
have a difficult to bruteforce password from the very first, you have 
better security even when the attacker exfiltrates /etc/shadow or other 
password hash table (I say 'when' and not 'if' here).  And the
bar for
what qualifies as a secure password (from the point of view that the 
attacker has your hashed password in hand and is bruteforcing on their 
equipment) is continually rising as compute power increases.

On Wed, 2015-02-04 at 14:08 -0500, Lamar Owen wrote:
> However, the reason you want a password that is not easily bruteforced 
> has nothing to do with this, and all bruteforce attempts cannot be 
> blocked by this method.
Thanks for your well-explained concerns. You make good sense.

Just counted the characters in one of my root passwords. It uses
uppercase, lowercase, symbols, numbers and is a mere 25 characters long.
Another one is, I think, about 32 characters long.

Plain FTP is banned. SSH is shifted away to an obscure port and
permitted only for 3 predetermined IP addresses. Web hackers are
automatically banned after the first attempt. Similar defences are
employed against spammers and mail hackers.

I restrict directory and file access to special users with no-logon
ability. I upgrade immediately a replacement is announced. I read my
chosen selection of logs and self-created reporting programmes from
every server. 

IP Tables restricts in and out traffic as much as possible. DROP appears
everywhere.

I'm not paranoid about security but I do not intend to be a passive or a
willing victim of hacking etc.  I would jail hackers for a minimum of 6
months.


-- 
Regards,

Paul.
England, EU.      Je suis Charlie.