There is an interesting article on CNet, "Linux lasting longer against
Net attacks"
http://news.com.com/Linux+lasting+longer+against+Net+attacks/2100-7349_3-5501278.html?tag=nefd.top
and based on the article, most of the successful compromises were based on
dictionary-based attacks on poor-quality root passwords.
So, I was thinking that it would be possible to limit the number of
times the root password can be entered in a single session (it would
eliminate dictionary-style attacks) if the user were forced to shut down
the system manually and restart it to retry. Of course, it could be
optional and configurable what action should be taken if the password is
incorrect.
--
#Joseph
--
gento...@gentoo.org mailing list
Are you sure that is what you want? Do you want your machine to be forced
to shut down for every failed login? IMHO you are issuing a DoS against
yourself...
Ciao
Francesco
--
Linux Version 2.6.10-rc3, Compiled #2 Sat Dec 18 18:16:29 CET 2004
One 1.53GHz AMD Athlon XP Processor, 1.5GB RAM, 3022.84 Bogomips Total
macula
--
This will open a very nice DoS opportunity. If you have a static IP, an
attacker would be able to enter 3 wrong passwords via ssh before you
even get a login prompt ;)
--
Wouldn't it just be better to not allow remote root logins via ssh?
Matt
--
> Is it possible to configure Linux to accept the root password a limited
> number of times (let's say three times ONLY); and if the password is not
> correct, the user would need to shut down the system and restart it
> manually for security reasons.
I believe there is a way in the sshd configuration to restrict root
logins to console only. This way, in order to work as root from an
untrusted network, you would have to first log in as a non-privileged
user, then use the `su` command to gain root privs.
This wouldn't completely eliminate the possibility of an attacker on an
untrusted network gaining root access, but it would slow them down
significantly since they'd have two different passwords to break. This
would a) buy you time and b) give a tool like tripwire more
opportunities to discover the attack.
Dave
--
You should be able to get su to mail you when someone enters the wrong
password (I've done this with either su or sudo, so you can definitely
do it with one of them, but I'd imagine you can do it with both). This
doesn't help you stop the attack if you aren't at your
computer, but it's still useful to know.
I don't know if this is possible, but depending on whether or not you
need root privs remotely, you could set up a user account that's not in
the wheel group and have that be the only account that's allowed to
log in via ssh. Of course, nothing is more secure than just not having
sshd running when you don't need it (for example, if you only ever use it
between certain times you could set up cron jobs to start and stop it
at appropriate times). ssh should be fairly secure anyway though; it
just depends on how paranoid you are.
--
I thought the concern was remote access, seeing as how the article he
linked to dealt with remote attacks against Linux machines.
If you have someone with local access to your computer trying to brute
force the root password, then that brings up issues of physical
security.
IMHO having PermitRootLogin set to no and a fairly good password
policy for the users of your server is pretty good protection
against those sshd brute-force attacks.
I think the idea of having to reboot your machine after 3 repeated
unsuccessful logins is just unacceptable.
--
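As an added illustration of spotting the sshd brute-force attempts this thread is about (example code, not from any poster): a small parser that counts failed password attempts per source address in OpenSSH auth log lines and reports which sources hammered the root account. The log lines are constructed samples, and the threshold and function names are my own choices.

```python
import re
from collections import Counter, defaultdict
# Matches the standard OpenSSH "Failed password" line, with or without the
# "invalid user" marker, capturing the targeted account and source address.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample log lines (not a real capture): a dictionary-style run
# against root from one address, plus ordinary noise from another.
SAMPLE_LOG = """\
Dec 18 18:20:01 host sshd[2001]: Failed password for root from 10.0.0.5 port 4321 ssh2
Dec 18 18:20:03 host sshd[2002]: Failed password for root from 10.0.0.5 port 4322 ssh2
Dec 18 18:20:05 host sshd[2003]: Failed password for root from 10.0.0.5 port 4323 ssh2
Dec 18 18:20:07 host sshd[2004]: Failed password for invalid user admin from 10.0.0.5 port 4324 ssh2
Dec 18 18:21:00 host sshd[2005]: Accepted password for joseph from 192.168.1.2 port 5000 ssh2
Dec 18 18:22:10 host sshd[2006]: Failed password for joseph from 192.168.1.2 port 5001 ssh2
"""

def parse_failures(log_text):
    """Return (user, src) for every failed password attempt in the log text."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures.append((m.group("user"), m.group("src")))
    return failures

def failures_by_source(failures):
    """Map source address -> Counter of targeted usernames."""
    by_src = defaultdict(Counter)
    for user, src in failures:
        by_src[src][user] += 1
    return by_src

def flag_sources(by_src, threshold=3):
    """Sources with at least `threshold` failures (threshold is an arbitrary choice)."""
    return sorted(src for src, users in by_src.items()
                  if sum(users.values()) >= threshold)

def root_attempts(by_src):
    """Sources that tried root at all: a sign PermitRootLogin is worth checking."""
    return sorted(src for src, users in by_src.items() if users["root"])
if __name__ == "__main__":
    by_src = failures_by_source(parse_failures(SAMPLE_LOG))
    for src in flag_sources(by_src):
        print(src, sum(by_src[src].values()), "failures:", dict(by_src[src]))
    print("sources targeting root:", root_attempts(by_src))
```

With PermitRootLogin set to no, the root attempts still show up in the log as failures, so the root_attempts list is a cheap way to confirm the setting is actually doing its job.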
I've always believed that simple problems frequently demand simple answers.
If the problem (successful compromise of a system via brute-force
dictionary attack) is a result of a poor-quality root password, it
would seem that the solution is simple: choose a quality root
password. Limit root logins to the console while you're at it, too.
--