[unisog] Password policies
r.fulton at auckland.ac.nz
Mon Apr 24 22:35:12 GMT 2006
> <<JD>> Agreed, but why do new enumeration toolz and methodologies
> continue to be posted/created if they do not work?
Yes they do work -- I'm sorry to have to admit that we have lost about
half a dozen UNIX systems over the past year to these attacks. In all
cases rudimentary checking of password strength would have detected the
problems long before hackers got to them. I am now seriously
considering requiring all systems exposing ssh or rdp to undergo
mandatory password checks using John the Ripper. At the moment I am
trying to figure out the logistics of doing this. Since we have a
firewall I know exactly which systems are exposed but I need to figure
out how to check the password files in a way that does not open up any
(possibly worse) holes. Suggestions welcome.
I notice that John has PAM modules to check strength of passwords when
they are changed -- this is the best approach!
While examining logs is a must, these attacks are now so frequent that
it is easy to miss a successful login amongst all the failures. I.e.
you need to ignore the failures and concentrate on verifying that all
successful logins are legit.
We have long recommended that admins use hosts.allow files to explicitly
control where machines can be accessed from; this, combined with strong
passwords (which have been mandatory for many years), should defeat these
attacks as well as keep most of the garbage out of /var/log/secure.
We are also setting up an ssh server that will be accessible from
anywhere on the Internet. This system will require two factor
authentication and we will encourage those who need access from
unpredictable addresses to use this system as a gateway to access other
systems on campus. This will serve travelling academics and SAs who
need access from sites off campus.
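As an added illustration of the log-review point above (example code written for this page, not from the original post or the unisog list): the script below discards the "Failed password" noise in /var/log/secure, keeps only the sshd "Accepted" lines, counts how many failures from the same address preceded each success, and flags successes that did not come from an expected source network. The log lines, hostnames, users and addresses are constructed for the example, and the expected networks are hypothetical placeholders for whatever an admin already lists in hosts.allow.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of /var/log/secure lines in the format OpenSSH's sshd
# writes via syslog. Hostnames, users and addresses are made up for this example.
SAMPLE_SECURE_LOG = """\
Apr 24 21:55:01 shell sshd[4311]: Failed password for root from 203.0.113.7 port 40122 ssh2
Apr 24 21:55:03 shell sshd[4311]: Failed password for root from 203.0.113.7 port 40122 ssh2
Apr 24 21:55:05 shell sshd[4315]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Apr 24 21:55:09 shell sshd[4320]: Accepted password for test from 203.0.113.7 port 40140 ssh2
Apr 24 22:01:44 shell sshd[4402]: Accepted publickey for alice from 130.216.0.10 port 51022 ssh2
Apr 24 22:03:10 shell sshd[4410]: Failed password for invalid user oracle from 198.51.100.23 port 33004 ssh2
Apr 24 22:05:30 shell sshd[4422]: Accepted password for guest from 198.51.100.23 port 33010 ssh2
"""

# Hypothetical "expected" source networks, mirroring what an admin would put in
# hosts.allow: a campus range plus one fixed remote-admin address.
EXPECTED_NETWORKS = [ip_network("130.216.0.0/16"), ip_network("192.0.2.44/32")]

ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def successful_logins(log_text):
    """Return one dict (ts, host, method, user, ip, prior_failures) per
    successful sshd login, discarding the failures themselves. prior_failures
    is the number of failed attempts seen from the same address earlier in
    the log: a success after a run of failures is the signature of a guessed
    password and deserves a closer look than a clean first-try login."""
    failures_by_ip = {}
    logins = []
    for line in log_text.splitlines():
        f = FAILED_RE.search(line)
        if f:
            failures_by_ip[f["ip"]] = failures_by_ip.get(f["ip"], 0) + 1
            continue
        a = ACCEPTED_RE.match(line)
        if a:
            rec = a.groupdict()
            rec["prior_failures"] = failures_by_ip.get(rec["ip"], 0)
            logins.append(rec)
    return logins


def unexpected_logins(log_text, expected=EXPECTED_NETWORKS):
    """Successful logins from addresses outside the expected networks.
    These are the ones an admin must verify as legitimate by hand."""
    return [
        rec for rec in successful_logins(log_text)
        if not any(ip_address(rec["ip"]) in net for net in expected)
    ]


if __name__ == "__main__":
    # Typical use: python3 check_logins.py < /var/log/secure (read stdin instead
    # of SAMPLE_SECURE_LOG); here the constructed sample is used so it runs offline.
    for rec in unexpected_logins(SAMPLE_SECURE_LOG):
        print(f'{rec["ts"]} {rec["user"]}@{rec["host"]} from {rec["ip"]} '
              f'via {rec["method"]} after {rec["prior_failures"]} failures')
```

On the sample above the script reports the "test" login from 203.0.113.7 (after 3 failures) and the "guest" login from 198.51.100.23 (after 1 failure), and stays silent about the publickey login from the campus range. Tightening hosts.allow shrinks the expected-network list to exactly what the firewall and TCP wrappers already permit, so anything the script still reports is either a gap in that list or a login worth a phone call.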