[unisog] Password policies

Peter Van Epp vanepp at sfu.ca
Mon Apr 24 23:11:20 GMT 2006


On Tue, Apr 25, 2006 at 10:35:12AM +1200, Russell Fulton wrote:
> 
> > <<JD>> Agreed, but why do new enumeration toolz and methodologies
> > continue to be posted/created if they do not work?
> 
> yes they do work -- I'm sorry to have to admit that we have lost about 
> half a dozen UNIX system over the past year to these attacks.  In all 
> cases rudimentary checking of password strength would have detected the 
> problems long before hackers got to them.  I am now seriously 
> considering requiring all systems exposing ssh or rdp to undergo 
> mandatory password checks using John the Ripper. At the moment I am 
> trying to figure out the logistics of doing this.  Since we have a 
> firewall I know exactly which systems are exposed but I need to figure 
> out how to check the password files in a way that does not open up any 
> (possibly worse) holes.  Suggestions welcome.
> 

	May not help with rdp, but one of our Linux folks found an iptables(?
one of the built in firewall packages anyway) rule set that detects multiple 
ssh probes and blocks the connection for 5 minutes or so after a few tries. 
When installed his logs ceased filling with failed login attempts (accounts 
are all cert authenticated so compromise wasn't an issue just logfile clutter).
The interesting part is that just after installation (after the first few 
probes) even probing stopped in the argus logs so his firewall rules aren't 
even being exercised anymore.
	We too have lost a handful of Mac OS X boxes (much to their owners 
suprise since OS X is invunarable :-)) to poorly chosen passwords on ssh
accounts. As always the network connection stopping working any more provides
a wakeup call :-). 

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada


More information about the unisog mailing list