[Asterisk-Users] asterisk@home scary log

Rich Adamson radamson at routers.com
Thu Feb 10 09:51:33 MST 2005


> I had the system setup to allow http and ssh.
> 
> The hack came in through ssh.

For those that aren't heavily involved with security topics, there
have been many different approaches from many different IPs attempting
to:
 a) exploit known ssh holes, and,
 b) ssh password guessing

We tend to watch these attempts rather closely through intrusion detection
tools like snort. As consultants, we are also under retainers to 
assist other companies with securing their facilities and watching
for exploits. The exploit attempts happen every single day.

There are multiple password guessing tools commonly available on
the Internet. I eval'ed one of the tools and it took five seconds
to guess a password that was five characters in length. It took an
hour to guess a password that was eight characters, and around
twenty-four hours to guess a password that was eight characters made
up of uppercase, lowercase and non-alpha characters (eg, complex). 
Regardless, the guessing process is simply how much time does one 
want to devote to doing it (eg, what's the return value for spending
the time exploiting a system).

It doesn't make much difference whether one exposes telnet or ssh.
Both can be exploited. But, the more complex you make the password,
the more time-consuming and difficult it is to guess it.

So, if you must expose either telnet or ssh, make your passwords very
long and complex. If your O/S has the capability to lockout the account
after 'xx' failed passwords, then do that. Automatically resetting the
process after 'y' minutes disrupts the guessing process without the
hacker knowing it, but still allows you access after that auto reset.
Using something like seven failed attempts with a five minute reset
is more than adequate in most cases.
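One way to implement the lockout policy recommended above (lock after seven failed passwords, automatic reset after five minutes), written here as an added example that is not part of the original post or of any Asterisk or asterisk@home code. It replays constructed sshd-style log lines through a per-account tracker; the log format assumed is OpenSSH's "Failed password for ..." / "Accepted password for ..." syslog lines, the addresses are from documentation ranges, and the year 2005 is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Policy values taken from the post: lock after seven failures, reset after five minutes.
MAX_FAILURES = 7
RESET_WINDOW = timedelta(minutes=5)

# Constructed sshd log excerpt (sample data, not from the original thread).
SAMPLE_LOG = """\
Feb 10 09:40:01 pbx sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Feb 10 09:40:02 pbx sshd[2102]: Failed password for root from 203.0.113.7 port 51235 ssh2
Feb 10 09:40:03 pbx sshd[2103]: Failed password for root from 203.0.113.7 port 51236 ssh2
Feb 10 09:40:04 pbx sshd[2104]: Failed password for root from 203.0.113.7 port 51237 ssh2
Feb 10 09:40:05 pbx sshd[2105]: Failed password for root from 203.0.113.7 port 51238 ssh2
Feb 10 09:40:06 pbx sshd[2106]: Failed password for root from 203.0.113.7 port 51239 ssh2
Feb 10 09:40:07 pbx sshd[2107]: Failed password for root from 203.0.113.7 port 51240 ssh2
Feb 10 09:40:08 pbx sshd[2108]: Failed password for root from 203.0.113.7 port 51241 ssh2
Feb 10 09:41:30 pbx sshd[2110]: Failed password for invalid user admin from 198.51.100.9 port 40011 ssh2
Feb 10 09:46:00 pbx sshd[2120]: Accepted password for root from 192.0.2.5 port 60022 ssh2
"""

# Assumed OpenSSH syslog line shape: "<ts> <host> sshd[<pid>]: Failed|Accepted password for [invalid user] <user> from <ip> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+)"
)


class LockoutTracker:
    """Per-account failure counter with lockout and automatic reset."""

    def __init__(self, max_failures=MAX_FAILURES, reset_window=RESET_WINDOW):
        self.max_failures = max_failures
        self.reset_window = reset_window
        self.failures = defaultdict(int)   # user -> failures in the current window
        self.first_failure = {}            # user -> time of first failure in the window
        self.locked_until = {}             # user -> time the lock expires

    def _expire(self, user, now):
        # Automatic reset: an expired lock, or a window with no recent failures, clears the counter.
        if user in self.locked_until and now >= self.locked_until[user]:
            del self.locked_until[user]
            self.failures[user] = 0
            self.first_failure.pop(user, None)
        first = self.first_failure.get(user)
        if first is not None and user not in self.locked_until and now - first > self.reset_window:
            self.failures[user] = 0
            del self.first_failure[user]

    def attempt(self, user, now, success):
        """Feed one login attempt; return the resulting state as a string."""
        self._expire(user, now)
        if user in self.locked_until:
            # A locked account is refused even if the password happened to be right.
            return "rejected_while_locked"
        if success:
            self.failures[user] = 0
            self.first_failure.pop(user, None)
            return "accepted"
        if self.failures[user] == 0:
            self.first_failure[user] = now
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = now + self.reset_window
            return "locked"
        return "failed"


def parse_line(line, year):
    """Return (timestamp, user, ip, success) for a matching sshd line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"], m["result"] == "Accepted"


def process_log(text, year=2005, tracker=None):
    """Replay log lines through the tracker; return (timestamp, user, ip, state) tuples."""
    tracker = tracker or LockoutTracker()
    events = []
    for line in text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, user, ip, ok = parsed
        events.append((ts, user, ip, tracker.attempt(user, ts, ok)))
    return events


if __name__ == "__main__":
    for ts, user, ip, state in process_log(SAMPLE_LOG):
        print(f"{ts:%H:%M:%S} {user:<6} {ip:<14} {state}")
```

Running it shows the seventh failure on `root` flipping the account to `locked`, the eighth attempt being refused while the lock holds, and the later correct login at 09:46:00 succeeding because the five-minute reset has already expired; the single `admin` failure stays at a count of one. A real deployment would hold this state in PAM (for example a faillock-style module) rather than in a script, but the counting and reset logic is the same.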
