[unisog] Password policies

Steve Smith steve.smith at gcmail.maricopa.edu
Mon Apr 24 23:13:38 GMT 2006

Russell Fulton wrote:
>><<JD>> Agreed, but why do new enumeration toolz and methodologies
>>continue to be posted/created if they do not work?
> yes they do work -- I'm sorry to have to admit that we have lost about 
> half a dozen UNIX systems over the past year to these attacks.  In all 
> cases rudimentary checking of password strength would have detected the 
> problems long before hackers got to them.  I am now seriously 
> considering requiring all systems exposing ssh or rdp to undergo 
> mandatory password checks using John the Ripper. At the moment I am 
> trying to figure out the logistics of doing this.  Since we have a 
> firewall I know exactly which systems are exposed but I need to figure 
> out how to check the password files in a way that does not open up any 
> (possibly worse) holes.  Suggestions welcome.

Running John the Ripper, two-factor auth, hosts.allow, etc. are (imo)
good ideas, but I'm also a huge fan of easy solutions that work well. I
like pam_abl:

> A PAM module that provides auto blacklisting of hosts and users responsible for repeated failed authentication attempts. Generally configured so that blacklisted users still see normal login prompts but are guaranteed to fail to authenticate.
> The pam_abl module monitors failed authentication attempts and automatically blacklists those hosts (and accounts) that are responsible for large numbers of failed attempts. Once a host is blacklisted it is guaranteed to fail authentication even if the correct credentials are provided.
> Blacklisting is triggered when the number of failed authentication attempts in a particular period of time exceeds a predefined limit. Hosts which stop attempting to authenticate will, after a period of time, be un-blacklisted.

see: http://www.hexten.net/pam_abl/

There is no Gecko, only Zuul.
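The blacklisting behaviour quoted above (count failures per host and per user inside a time window, refuse even correct credentials once the limit is passed, forget a host that goes quiet) is simple enough to model in a few lines. The following is an added example written for this archive page; it is not pam_abl's own code, and the attempt list, the host addresses, the user names and the limit/window/purge values are all constructed for the demonstration.

```python
"""Model of pam_abl-style auto-blacklisting (constructed example, not pam_abl code).

Two counters are kept per authentication attempt: one keyed on the client host
and one keyed on the account name. A key is blacklisted while it has `limit`
or more failures inside the last `window` seconds; a key that has not been
seen for `purge` seconds is forgotten entirely, which is the un-blacklisting
the post describes for hosts that stop trying.
"""
from collections import defaultdict, deque


class AuthBlacklist:
    def __init__(self, limit=10, window=3600, purge=86400):
        self.limit = limit
        self.window = window
        self.purge = purge
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.last_seen = {}                 # key -> timestamp of last attempt

    def _prune(self, key, now):
        # Forget the key completely if it has been quiet longer than `purge`.
        if key in self.last_seen and now - self.last_seen[key] > self.purge:
            self.failures.pop(key, None)
            self.last_seen.pop(key, None)
            return
        # Otherwise drop failures that have aged out of the counting window.
        recent = self.failures[key]
        while recent and now - recent[0] > self.window:
            recent.popleft()

    def is_blacklisted(self, key, now):
        self._prune(key, now)
        return len(self.failures[key]) >= self.limit

    def attempt(self, host, user, credentials_ok, now):
        """Return True if the login is allowed, False if it must fail.

        The caller still shows the normal password prompt; a blacklisted host or
        user simply never gets a successful result, even with the right password.
        """
        keys = (("host", host), ("user", user))
        blocked = [self.is_blacklisted(k, now) for k in keys]
        for k in keys:
            self.last_seen[k] = now
        if any(blocked) or not credentials_ok:
            for k in keys:  # a refused attempt counts as another failure
                self.failures[k].append(now)
            return False
        return True


# Constructed sample: (seconds since start, client host, account, password correct?)
SAMPLE_ATTEMPTS = [
    (0,    "203.0.113.7",  "root",  False),  # guessing from one host...
    (10,   "203.0.113.7",  "admin", False),
    (20,   "203.0.113.7",  "alice", False),  # third failure: host is now blacklisted
    (30,   "203.0.113.7",  "alice", True),   # correct password, still refused
    (40,   "198.51.100.2", "alice", True),   # same user from a clean host: allowed
    (5000, "203.0.113.7",  "alice", True),   # host was quiet past `purge`: forgotten
]


def replay(attempts, limit=3, window=600, purge=3600):
    """Feed the attempts through one AuthBlacklist and return the decisions."""
    bl = AuthBlacklist(limit=limit, window=window, purge=purge)
    return [(t, host, user, bl.attempt(host, user, ok, t))
            for t, host, user, ok in attempts]


if __name__ == "__main__":
    for t, host, user, allowed in replay(SAMPLE_ATTEMPTS):
        print(f"t={t:>5}s {host:<14} {user:<6} -> {'allowed' if allowed else 'denied'}")
```

Per-user counting is what lets the module catch a distributed guess against one account, while per-host counting catches one source walking through many accounts; the example applies both, as the quoted description says pam_abl does. The trade-off a practitioner should keep in mind is that the user counter can be used to lock a legitimate account out from everywhere, so the limit on the user key is normally set more generously than the one on the host key.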