[volunteergrid2-l] my server has been hacked

Christoph Langguth christoph at rosenkeller.org
Thu Mar 8 19:28:22 UTC 2012


On 08.03.2012 01:14, Johannes Nix wrote:
> Hello,
>
>> The password of my user has been a 10-character-long semi-random password
>> created by 'apg'. It looked something like 'EljadWole5'. I had the
>> password for about a year, which I think is too long.
>
> I think the time alone is not a high risk (maybe I'm wrong). However,
> if a password with a length of less than about 15 characters
> is used in another place and its hash is robbed after hacking the
> site, it would be quite easy to crack it quickly with today's method of
> choice (rainbow tables). I believe it's usually better to have an
> 18-character password on a piece of paper in the purse than a short one
> memorized in the head. Smartcards can help as well.
>
> Some people suggest using a long enough combination of several natural
> words, which is much less susceptible to that kind of attack.
>
I *seriously* suggest not allowing root logins using passwords at all.

root at bender:/tmp# grep -i root /etc/ssh/sshd_config
#PermitRootLogin yes
PermitRootLogin without-password

My personal setup is that root login is only allowed via certificates.
For "emergency" situations, I have a separate account with a
not-so-easy-to-guess username and password, which in turn allows me to "su -".

I see hundreds of illicit login attempts every day, but so far my
servers haven't been compromised in 15 years.

PS: I'm also using "denyhosts". You may want to check this. A similar
(and more versatile) piece of software is "fail2ban". They don't replace
proper precautions, but they may help to mitigate attacks.
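The grep shown above works because the "yes" line is commented out, but a grep alone can mislead: OpenSSH takes the first uncommented value of a keyword and ignores later duplicates, and anything after a "Match" line applies only to matching clients. The script below is an added example, not code from the post or from the volunteergrid2 list; it audits an sshd_config offline under those parsing rules. The sample configurations it writes are constructed for the example, and the choice to treat an unset PermitRootLogin as unsafe is an assumption made here (current OpenSSH defaults it to prohibit-password, older releases defaulted to yes).

```shell
#!/bin/sh
# Added example, not code from the post or from the volunteergrid2 list:
# an offline audit of an sshd_config for password-based root login.
# Assumes OpenSSH parsing rules: comment and blank lines are ignored, for
# each keyword the FIRST value in the file wins (later duplicates are
# ignored), "Key value" and "Key=value" are both accepted, and anything
# after the first "Match" line applies only to matching clients.
# The sample configs written below are constructed for this example.

# Print the effective global value of keyword $2 in file $1 (empty if unset).
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        { k = tolower($1); sub(/=.*/, "", k) }   # keyword, tolerating Key=value
        k == "match" { exit }                    # global section ends here
        k == key {
            v = $0
            sub(/^[ \t]*[^ \t=]+[ \t=]+/, "", v)  # strip keyword and separator
            sub(/[ \t]+$/, "", v)
            print v; exit                        # first value wins
        }' "$1"
}

# Return 0 if keyword $2 is also set inside a Match block of file $1.
# Such a value overrides the global one for clients that match, so a
# "safe" global answer alone is not the whole story.
sshd_set_in_match() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { k = tolower($1); sub(/=.*/, "", k) }
        k == "match" { inmatch = 1; next }
        inmatch && k == key { found = 1; exit }
        END { exit found ? 0 : 1 }' "$1"
}

# Return 0 if root cannot log in with a password under the global settings
# of file $1, 1 otherwise. An unset PermitRootLogin is treated as unsafe
# (assumption for this example): current OpenSSH defaults it to
# prohibit-password, but older releases defaulted to yes, and an audit
# should not depend on which one happens to be installed.
root_password_login_disabled() {
    prl=$(sshd_effective "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    pwa=$(sshd_effective "$1" PasswordAuthentication | tr 'A-Z' 'a-z')
    case "$prl" in
        no|without-password|prohibit-password|forced-commands-only) return 0 ;;
    esac
    [ "$pwa" = "no" ] && return 0
    return 1
}

# Constructed sample 1: a grep for PermitRootLogin shows a "no", yet the
# first uncommented value is "yes", so root password login is still allowed.
bad=$(mktemp)
cat >"$bad" <<'EOF'
# PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
EOF

# Constructed sample 2: the setup from the post, plus a Match block that
# re-enables password root login for one subnet.
good=$(mktemp)
cat >"$good" <<'EOF'
#PermitRootLogin yes
PermitRootLogin without-password
Match Address 10.0.0.0/8
    PermitRootLogin yes
EOF

for f in "$bad" "$good"; do
    if root_password_login_disabled "$f"; then
        echo "$f: root password login disabled globally"
    else
        echo "$f: root password login POSSIBLE"
    fi
    sshd_set_in_match "$f" PermitRootLogin &&
        echo "$f: note, PermitRootLogin is also set inside a Match block"
done
rm -f "$bad" "$good"
```

On a live host, `sshd -T` prints the configuration as sshd actually parsed it, and `sshd -T -C user=root,addr=10.0.0.5` evaluates the Match blocks for a given connection; that is the authoritative check, while the script above is for files pulled from backups or configuration management. Note that "without-password" (spelled "prohibit-password" since OpenSSH 7.0, with the old spelling still accepted) only blocks password logins for root; key-based root logins remain possible, so the private keys need the same care as the password did.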
