[Asterisk-Users] asterisk@home scary log

Rich Adamson radamson at routers.com
Thu Feb 10 13:24:51 MST 2005


> > > I had the system setup to allow http and ssh.
> > >
> > > The hack came in through ssh.
> > 
> > For those that aren't heavily involved with security topics, there
> > have been many different approaches from many different IPs attempting
> > to:
> >  a) exploit known ssh holes, and,
> >  b) ssh password guessing
> > 
> > We tend to watch these attempts rather closely through intrusion detection
> > tools like snort. As consultants, we are also under retainers to
> > assist other companies with securing their facilities and watching
> > for exploits. The exploit attempts happen every single day.
> > 
> > There are multiple password guessing tools commonly available on
> > the Internet. I eval'ed one of the tools and it took five seconds
> > to guess a password that was five characters in length. It took an
> > hour to guess a password that was eight characters, and around
> > twenty-four hours to guess a password that was eight characters made
> > up of uppercase, lowercase and non-alpha characters (eg, complex).
> > Regardless, the guessing process is simply how much time does one
> > want to devote to doing it (eg, what's the return value for spending
> > the time exploiting a system).
> > 
> > It doesn't make much difference whether one exposes telnet or ssh.
> > Both can be exploited. But, the more complex you make the password,
> > the more time-consuming and difficult it is to guess it.
> > 
> > So, if you must expose either telnet or ssh, make your passwords very
> > long and complex. If your O/S has the capability to lock out the account
> > after 'xx' failed passwords, then do that. Automatically resetting the
> > process after 'y' minutes disrupts the guessing process without the
> > hacker knowing it, but still allows you access after that auto reset.
> > Using something like seven failed attempts with a five minute reset
> > is more than adequate in most cases.
> > 
> 
> I know that there are opinions opposed to it, but what about port
> knocking in addition to everything we've discussed.  Scanners would
> simply move along after seeing no open ports.  I realize this is a
> form of security through obscurity, but it seems in some instances it
> would be a good *addition* to *other* security measures (never to be
> used as the sole security measure).

I could certainly agree with that.
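The lockout policy described in the quoted text (lock the account after 'xx' failed passwords, reset automatically after 'y' minutes), worked through as an added example that is not part of the original thread or of Asterisk@Home. It replays OpenSSH-style auth-log lines through the seven-failures / five-minute-reset rule and also flags a successful login from a source that should still be locked, which is the check to run when the lock is expected to be enforced by something else (PAM, a firewall, a log watcher). The log lines, the hostname `pbx` and the year 2005 are constructed; the source addresses come from the RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the classic OpenSSH auth-log line: syslog timestamp, host, sshd[pid].
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# Syslog timestamps carry no year; 2005 is an assumption for the constructed sample.
LOG_YEAR = 2005

# Constructed sample: seven failures from one source inside a minute, one more
# while locked, a legitimate admin login, then a failure after the reset window.
SAMPLE_LOG = [
    "Feb 10 13:20:01 pbx sshd[2101]: Failed password for root from 203.0.113.5 port 40001 ssh2",
    "Feb 10 13:20:03 pbx sshd[2102]: Failed password for root from 203.0.113.5 port 40002 ssh2",
    "Feb 10 13:20:05 pbx sshd[2103]: Failed password for root from 203.0.113.5 port 40003 ssh2",
    "Feb 10 13:20:07 pbx sshd[2104]: Failed password for invalid user admin from 203.0.113.5 port 40004 ssh2",
    "Feb 10 13:20:09 pbx sshd[2105]: Failed password for invalid user admin from 203.0.113.5 port 40005 ssh2",
    "Feb 10 13:20:11 pbx sshd[2106]: Failed password for root from 203.0.113.5 port 40006 ssh2",
    "Feb 10 13:20:13 pbx sshd[2107]: Failed password for root from 203.0.113.5 port 40007 ssh2",
    "Feb 10 13:20:15 pbx sshd[2108]: Failed password for root from 203.0.113.5 port 40008 ssh2",
    "Feb 10 13:22:00 pbx sshd[2120]: Accepted password for asterisk from 192.0.2.10 port 51000 ssh2",
    "Feb 10 13:26:00 pbx sshd[2130]: Failed password for root from 203.0.113.5 port 40010 ssh2",
]


def parse_line(line):
    """Return (timestamp, result, user, source) for a password auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def evaluate(lines, max_failures=7, reset_window=timedelta(minutes=5)):
    """Replay auth-log lines through a lockout policy.

    A source is locked once it reaches max_failures failed passwords inside one
    reset_window; the lock and the failure counter expire after reset_window,
    which is the automatic reset the thread describes. Returns a list of
    (timestamp, source, event) where event is "locked", "accepted" or
    "accepted_while_locked" (a success that the policy says should not exist).
    """
    failures = defaultdict(list)   # source -> timestamps of failures still in window
    locked_until = {}              # source -> time the lock expires
    events = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                # not a password auth line; ignore
        ts, result, _user, src = parsed
        # Automatic reset: once the window has passed, forget the lock and the counter.
        if src in locked_until and ts >= locked_until[src]:
            del locked_until[src]
            failures[src].clear()
        failures[src] = [t for t in failures[src] if ts - t < reset_window]
        if result == "Failed":
            failures[src].append(ts)
            if src not in locked_until and len(failures[src]) >= max_failures:
                locked_until[src] = ts + reset_window
                events.append((ts, src, "locked"))
        elif src in locked_until:
            events.append((ts, src, "accepted_while_locked"))
        else:
            events.append((ts, src, "accepted"))
    return events


if __name__ == "__main__":
    for ts, src, event in evaluate(SAMPLE_LOG):
        print(f"{ts:%b %d %H:%M:%S}  {src:15}  {event}")
```

With the defaults the replay locks 203.0.113.5 at the seventh failure (13:20:13), ignores the eighth attempt two seconds later because the lock is already in force, accepts the admin login from 192.0.2.10, and treats the 13:26:00 failure as a fresh count of one because the five-minute window expired at 13:25:13. Lowering `max_failures` or widening `reset_window` shows how the two knobs trade guessing throughput against legitimate lockouts.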