[unisog] Password policies

Russell Fulton r.fulton at auckland.ac.nz
Mon Apr 24 22:35:12 GMT 2006


> <<JD>> Agreed, but why do new enumeration toolz and methodologies
> continue to be posted/created if they do not work?

yes they do work -- I'm sorry to have to admit that we have lost about 
half a dozen UNIX system over the past year to these attacks.  In all 
cases rudimentary checking of password strength would have detected the 
problems long before hackers got to them.  I am now seriously 
considering requiring all systems exposing ssh or rdp to undergo 
mandatory password checks using John the Ripper. At the moment I am 
trying to figure out the logistics of doing this.  Since we have a 
firewall I know exactly which systems are exposed but I need to figure 
out how to check the password files in a way that does not open up any 
(possibly worse) holes.  Suggestions welcome.

I notice that John has PAM modules to check strength of passwords when 
they are changed -- this is the best approach!

While examining logs is a must, these attacks are now so frequent that 
it is easy to miss a successful login amongst all the failures.  I.e. 
you need to ignore the failures and concentrate on verifying that all 
successful logins are legit.

We have long recommended that admins use hosts.allow files to explicitly 
control where machines can be accessed from, this combined with strong 
passwords (which have been mandatory for many years) should defeat these 
attacks as well as keep most of the garbage out of /var/log/secure.

We are also setting up an ssh server that will be accessible from 
anywhere on the Internet. This system will require two factor 
authentication and we will encourage those who need access from 
unpredictable addresses to use this system as a gateway to access other 
systems on campus.  This will serve travelling academics and  SAs who 
need access from sites off campus.

Cheers, Russell


More information about the unisog mailing list