[Asterisk-Users] asterisk@home scary log
Tzafrir Cohen
tzafrir at cohens.org.il
Fri Feb 11 15:44:37 MST 2005
On Fri, Feb 11, 2005 at 01:26:25PM -0600, Rich Adamson wrote:
> > The password files had passwords of varying quality, and cracking time
> > was indeed affected. All-numbers passwords were guessed almost
> > immediately. [*] Well-composed passwords of 8 characters were not
> > cracked by brute force in reasonable time.
>
> I never use products that rely on pre-staged password files;
I refer to real-life password files from real servers.
>
> Moving ssh or telnet to another tcp/udp port is nothing more than security
> by obscurity. For anyone in the security business, that step only adds
> about ten minutes to the process of discovering which services are
> actually exposed (on any of 65,000 ports) and then beating on those
> services to exploit them. Very easy task (and since those tasks are
> automated, who cares about the extra ten minutes).
The reasoning here is that it is still much easier to look for other
targets. Security by obscurity is not wrong on its own. It is wrong if
it is the only defence.
>
> The bottom line for those asterisk readers that have actually read this
> far is to use complex & lengthy passwords where possible, and some sort of
> alerting mechanism when xx number of passwords are guessed incorrectly
> (such as an account lockout mechanism with alerts as just one of many
> available choices).
I tend to disagree with you regarding the exact length.
An alerting mechanism is there, in the logs. Most Linux distros have
some nice log watchers. However, it still requires that someone actually
monitors them, as boring as it is.
--
Tzafrir Cohen | New signature for new address and | VIM is
http://tzafrir.org.il | new homepage | a Mutt's
tzafrir at cohens.org.il | | best
ICQ# 16849755 | Space reserved for other protocols | friend
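The alerting both writers mention (a log watcher that counts bad password guesses per source address and raises an alert after a threshold), as an added example; this is not code from the original thread, from Asterisk@Home, or from any distro's log watcher. It assumes OpenSSH's "Failed password for ... from IP" / "Accepted ... for ... from IP" log wording, classic syslog timestamps without a year (the year is passed in as a parameter), and the sample log lines are constructed for illustration.

```python
"""Minimal sshd failed-login watcher: alert on N failures from one IP within
a sliding time window, and on a successful login that follows failures from
the same IP. Added example for the thread above, not the project's own code."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines (syslog format, no year). Hypothetical host "pbx".
SAMPLE_LOG = """\
Feb 11 15:40:01 pbx sshd[2231]: Failed password for root from 198.51.100.7 port 40122 ssh2
Feb 11 15:40:02 pbx sshd[2231]: Failed password for root from 198.51.100.7 port 40122 ssh2
Feb 11 15:40:03 pbx sshd[2233]: Failed password for invalid user admin from 198.51.100.7 port 40130 ssh2
Feb 11 15:40:04 pbx sshd[2235]: Failed password for invalid user asterisk from 198.51.100.7 port 40131 ssh2
Feb 11 15:40:05 pbx sshd[2237]: Failed password for invalid user test from 198.51.100.7 port 40132 ssh2
Feb 11 15:40:09 pbx sshd[2239]: Accepted password for root from 198.51.100.7 port 40140 ssh2
Feb 11 15:41:00 pbx sshd[2250]: Failed password for tzafrir from 203.0.113.5 port 51000 ssh2
Feb 11 15:41:30 pbx sshd[2252]: Accepted publickey for tzafrir from 203.0.113.5 port 51001 ssh2
"""

# Assumed OpenSSH wording; "invalid user" appears when the account does not exist.
_TS = r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
FAILED_RE = re.compile(_TS + r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED_RE = re.compile(_TS + r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def parse_ts(ts, year):
    """Syslog timestamps carry no year, so the caller supplies it."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(log_text, threshold=5, window_seconds=60,
                      success_min_failures=3, year=2005):
    """Return a list of (ip, kind, detail) alerts.

    kind "bruteforce": at least `threshold` failures from one IP inside the
    sliding window (reported once per IP).
    kind "success_after_failures": an accepted login from an IP that had at
    least `success_min_failures` failures inside the window before it; this
    is the one an admin most wants to hear about.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    already_alerted = set()
    alerts = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ip, t = m["ip"], parse_ts(m["ts"], year)
            q = failures[ip]
            q.append(t)
            # Drop failures older than the window so a slow trickle does not count.
            while q and (t - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ip not in already_alerted:
                already_alerted.add(ip)
                alerts.append((ip, "bruteforce",
                               f"{len(q)} failed passwords in {window_seconds}s"))
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            ip, t = m["ip"], parse_ts(m["ts"], year)
            recent = [x for x in failures[ip]
                      if (t - x).total_seconds() <= window_seconds]
            if len(recent) >= success_min_failures:
                alerts.append((ip, "success_after_failures",
                               f"login for {m['user']} after {len(recent)} failures"))
    return alerts


if __name__ == "__main__":
    for ip, kind, detail in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT {kind}: {ip}: {detail}")
```

On the constructed input this reports one brute-force alert for 198.51.100.7 and then a success-after-failures alert for the same address; the single mistyped password from 203.0.113.5 followed by a key-based login stays below both thresholds. In practice the function would be fed the tail of /var/log/auth.log (or wherever the distro sends sshd messages) and its alerts handed to whatever pages the admin, which, as the reply above notes, still needs someone to read them.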