break-in attempt in my machine

Joel Rees joel.rees at gmail.com
Sat Sep 3 00:51:30 UTC 2016


This is why I recommend understanding and not just the math.

On Fri, Sep 2, 2016 at 11:57 PM, Volker Wysk <post at volker-wysk.de> wrote:
> Am Sonntag, 28. August 2016, 11:39:07 CEST schrieb Karl Auer:
>> By the way, anyone that has ssh access open to the world MUST take
>> extra precautions. At an absolute minimum, any account that can log in
>> via ssh MUST have a VERY GOOD PASSWORD - twenty or thirty random
>> characters including numbers, punctuation and both cases. Otherwise you
>> WILL get hacked.
>
> I have a 9-letter fantasy word as password. Something like "schwurbelfu". Just
> lower case letters. So this is insecure? I doubt it could be cracked by
> trying.

Do the math.

If the attacker knows it's all lower case (Maybe said attacker is
reading this list?) 26^9 is a lot quicker to goal than 52^9 or 62^9 or
(95+/-7)^9.

At one try a second, sure 172 millennia is a long time, but if the
attacker somehow gets a copy of your /etc/shadow, it's a completely
different game. Not random any more.

If you don't have a calculator that can handle the math, my recommendation:

    man bc

Although, of course many more complete programming languages in
interactive mode work as well. (Ruby, Python, perl, gforth with MP
libraries, ...)

Be sure you use various assumptions in the math, such as whether the
attacker decides to analyze the various crypts of passwords to reduce
the randomness, or to try easy permutation guesses from a dictionary of
whichever Deutsch-ish language was the choice of the person making up
said fantasy word, and, ...

Oh, by the way, was that word ever used in a novel?

If you made up the word, do you plan to never use it in some writing
that you make publicly available? If you didn't, are you sure the
person who made it up will never attack your stuff?

Are you sure no one will decide to take a few hours to analyze your
blogs and extract a few likely looking words (maybe a thousand with
perl script) to try permutations on?

Much better to use that word in combination with a completely
unrelated word in another language, maybe with some l33+$p3@< and an
arbitrary number and some punctuation, for example,

    XleR8-schwurbelfu,42

Yes, include the hyphen and the comma. Maybe put them somewhere
unnatural, just for kicks.

Once you've used it two or three times, I'm pretty sure you won't forget it.

>> But it would be a much better idea to read the above
>> blog entry and implement the first few ideas at least.
>
> I've implemented no 2, 3, 5 and 10 now... I won't disable root logins, because
> I want root sftp access.

Why?

Are you allergic to sudo or even su?

One advantage to disabling root is that there will be no crypt to
attack for root.

And then you name your admin account user something like, "patsmith",
and the attacker has to attack all the user ids in the shadow password
file.

Karl's list is good to start with. But dig into the reasons why for
each suggestion.

-- 
Joel Rees

I'm imagining I'm a novelist:
http://joel-rees-economics.blogspot.com/2016/06/econ101-novel-toc.html
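As an added worked example (not part of the post above, and not Joel's or
Volker's code), here is the "do the math" arithmetic written out in Python,
one of the interactive interpreters the post suggests instead of bc. It
compares the 9-letter lower-case password against the other character sets
mentioned, the 20-character combination suggested, an online guess rate of
one try a second as in the post, and two assumed figures: an offline
cracking rate for an attacker who has obtained /etc/shadow, and a
thousand-word harvested dictionary with a hundred cheap permutations per
word. The offline rate and the dictionary sizes are illustrative
assumptions, not measurements.

```python
"""Brute-force cost of a password under different attacker assumptions.

Added example for the ubuntu-users thread; the guess rates and the
dictionary sizes below are assumptions chosen for illustration.
"""

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character-set sizes named in the thread: lower case only, both cases,
# alphanumeric, and printable ASCII (the post writes this as 95 +/- 7).
CHARSETS = {
    "lower case only": 26,
    "both cases": 52,
    "alphanumeric": 62,
    "printable ASCII": 95,
}

# Guess rates. The online rate is the post's "one try a second" against
# sshd; the offline rate is an ASSUMED figure for an attacker holding a
# copy of /etc/shadow (real rates depend on the hash type and hardware).
ONLINE_RATE = 1
ASSUMED_OFFLINE_RATE = 1_000_000


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst case: every candidate in the space is tried."""
    return space / guesses_per_second


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    return seconds_to_exhaust(space, guesses_per_second) / SECONDS_PER_YEAR


def expected_years(space: int, guesses_per_second: float) -> float:
    """Average case: the right guess is found halfway through the space."""
    return years_to_exhaust(space, guesses_per_second) / 2


def dictionary_keyspace(words: int, variants_per_word: int) -> int:
    """Search space if the attacker guesses the password is a word harvested
    from the victim's public writing, tried with a few permutations each
    (case changes, an appended digit or punctuation mark)."""
    return words * variants_per_word


def report(length: int = 9) -> dict:
    """Years to exhaust each character set at the online and offline rates,
    plus the post's 20-character combination and the dictionary shortcut."""
    rows = {}
    for name, size in CHARSETS.items():
        space = keyspace(size, length)
        rows[f"{length} chars, {name}, online"] = years_to_exhaust(space, ONLINE_RATE)
        rows[f"{length} chars, {name}, offline (assumed)"] = years_to_exhaust(
            space, ASSUMED_OFFLINE_RATE
        )
    # The suggested "XleR8-schwurbelfu,42" is 20 printable-ASCII characters.
    combo = keyspace(CHARSETS["printable ASCII"], 20)
    rows["20 chars, printable ASCII, offline (assumed)"] = years_to_exhaust(
        combo, ASSUMED_OFFLINE_RATE
    )
    # Assumed harvested dictionary: 1000 candidate words x 100 variants each.
    dict_space = dictionary_keyspace(1000, 100)
    rows["harvested dictionary, online"] = years_to_exhaust(dict_space, ONLINE_RATE)
    return rows


if __name__ == "__main__":
    for label, years in report().items():
        print(f"{label:50s} {years:>20.6g} years")
```

Run it as a script to print the table; the functions can also be called from
an interactive session with your own length and rate assumptions. The point
the numbers make is the post's: the 172 millennia figure holds only for a
random lower-case string against an online guesser, and collapses once the
attacker works offline against the hash or narrows the search to words you
have published.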



