[Asterisk-Users] asterisk@home scary log
Tzafrir Cohen
tzafrir at cohens.org.il
Fri Feb 11 03:22:06 MST 2005
On Thu, Feb 10, 2005 at 10:51:33AM -0600, Rich Adamson wrote:
> There are multiple password guessing tools commonly available on
> the Internet. I eval'ed one of the tools and it took five seconds
> to guess a password that was five characters in length. It took an
> hour to guess a password that was eight characters, and around
> twenty-four hours to guess a password that was eight characters made
> up of uppercase, lowercase and non-alpha characters (eg, complex).
> Regardless, the guessing process is simply how much time does one
> want to devote to doing it (eg, what's the return value for spending
> the time exploiting a system).
Sorry, not in my tests. I used John the Ripper (http://openwall.com/john/
), which is a tool for cracking passwords from password files using
dictionaries and brute force.
The password files had passwords in varying quality, and cracking time
was indeed affected. All-numbers passwords were guessed almost
immediately. [*] Well-composed passwords of 8 characters were not
cracked by brute-force in reasonable time.
[*] passwords that should be dialed from phones are relatively short and
all-numbers. Are they never exposed to the internet?
>
> It doesn't make much difference whether one exposes telnet or ssh.
> Both can be exploited. But, the more complex you make the password,
> the more time-consuming and difficult it is to guess it.
>
> So, if you must expose either telnet or ssh, make your passwords very
> long and complex. If your O/S has the capability to lockout the account
> after 'xx' failed passwords, then do that.
And allow crackers to lock you out. A silly and effective DoS attack.
> Automatically resetting the
> process after 'y' minutes disrupts the guessing process without the
> hacker knowing it, but still allows you access after that auto reset.
> Using something like seven failed attempts with a five minute reset
> is more then adequate in most cases.
--
Tzafrir Cohen | New signature for new address and | VIM is
http://tzafrir.org.il | new homepage | a Mutt's
tzafrir at cohens.org.il | | best
ICQ# 16849755 | Space reserved for other protocols | friend
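The policy quoted at the end of the message (lock after seven failed attempts, auto reset after five minutes) and the objection raised above it (a permanent lockout hands an attacker a trivial DoS) can both be seen in a small model. The following is an added example, not code from the thread or from Asterisk; the account name, password and credential store are constructed for the demo, and the guess-rate arithmetic assumes an attacker who can do nothing but submit passwords to this one account.

```python
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    """Lock an account after max_failures bad passwords, then auto-unlock
    after reset_after seconds (the 7 failures / 5 minutes from the thread)."""
    max_failures: int = 7
    reset_after: float = 300.0


class FailedLoginTracker:
    def __init__(self, policy: LockoutPolicy, clock=time.monotonic):
        self.policy = policy
        self.clock = clock           # injectable so the demo can fake time
        self._failures = {}          # account -> failure timestamps in window
        self._locked_until = {}      # account -> time at which the lock expires

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Auto reset: the lock expired, so forget the old failures too.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account: str) -> bool:
        """Record a bad password; return True if the account is now locked."""
        if self.is_locked(account):
            return True
        now = self.clock()
        recent = [t for t in self._failures.get(account, [])
                  if now - t < self.policy.reset_after]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.policy.max_failures:
            self._locked_until[account] = now + self.policy.reset_after
            return True
        return False

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)


def attempt_login(tracker, account, password, verify) -> str:
    """Return 'locked', 'ok' or 'denied'. A locked account is refused before
    the password is checked, so a guesser gains nothing during the lock."""
    if tracker.is_locked(account):
        return "locked"
    if verify(account, password):
        tracker.record_success(account)
        return "ok"
    tracker.record_failure(account)
    return "denied"


def max_guesses_per_hour(policy: LockoutPolicy) -> float:
    """Upper bound on online guesses an attacker gets against one account."""
    return policy.max_failures * 3600.0 / policy.reset_after


def hours_to_exhaust(keyspace: int, policy: LockoutPolicy) -> float:
    """Hours to try every password in a keyspace at that bounded rate."""
    return keyspace / max_guesses_per_hour(policy)


class FakeClock:
    """Constructed clock so the demo does not really wait five minutes."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate() -> dict:
    users = {"alice": "1234"}          # constructed credential store (demo only)
    verify = lambda acct, pw: users.get(acct) == pw
    clock = FakeClock()
    tracker = FailedLoginTracker(LockoutPolicy(), clock)
    results = {}
    # Seven wrong guesses in a row trip the lock.
    for _ in range(7):
        attempt_login(tracker, "alice", "0000", verify)
    results["locked_now"] = tracker.is_locked("alice")
    # The legitimate owner is shut out too, but only for the reset window.
    results["right_pw_while_locked"] = attempt_login(tracker, "alice", "1234", verify)
    clock.advance(300)
    results["right_pw_after_reset"] = attempt_login(tracker, "alice", "1234", verify)
    # How much the policy slows an online guesser of a 4-digit all-numbers PIN.
    results["guesses_per_hour"] = max_guesses_per_hour(LockoutPolicy())
    results["hours_for_4_digit_pin"] = hours_to_exhaust(10 ** 4, LockoutPolicy())
    return results
```

The auto reset is what keeps the lockout from becoming the DoS described in the reply: a cracker can still cost the owner five minutes per burst, but not lock the account for good. The rate bound is the other side of the same trade: at seven guesses per five minutes an all-numbers 4-digit PIN takes about 119 hours to exhaust online, which is why such a cap matters far more for the short, dial-from-a-phone passwords mentioned above than for an 8-character mixed password, and why it does nothing at all once an attacker has the password file and can guess offline with a tool like John the Ripper.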