[unisog] Password auditing

Steve Shipway s.shipway at auckland.ac.nz
Fri Jul 1 03:41:52 GMT 2005


>This time I have an idea for automated auditing of UNIX 
>password (it may be extended to windows, I don't know).   

The obvious drawback to all this (as you have pointed out!) is that a copy
of the password file resides on the audit server, and you need to set up an
account on the audited server with access to read the password file.

If the main idea is to prevent easy break-ins through the use of default
accounts, why not have a database of known default account/passwords, and
then periodically try to log in (via telnet, ssh, mysql, SMB...) on known
hosts using these accounts?  This would catch instances of software being
installed with default passwords.  The benefit would be that you can start
testing new servers or devices immediately without having to set up the .ssh
keys and so on.  You could even test devices such as routers or switches,
where you cannot obtain a password file to test.

The drawback of this, though, would be that every server would get a fairly
large log of failed logins, and this may cause some over-enthusiastic
servers to lock accounts, depending on how often you run the scan.

Just my thoughts.

Steve
