
[Freedombox-discuss] Block brute force login attacks?



Petter Reinholdtsen <pere at hungry.com> wrote:
>
> Time to pick up this thread again, and set up some defence against the
> simple and stupid brute force attacks.  ...

Yes.

> These are the known options:

... [his list is quite reasonable, but snipped out here] ...

> These options are not exclusive, and we can pick combinations that make
> sense.  I believe it is best to handle this issue on the PAM level, and
> there we have two options.  Because libpam-shield is orphaned and has
> such a huge block period, I conclude that libpam-abl is our best option.  We
> should also look at disabling password login from the Internet over ssh,
> and only allow it on the local network.

Sounds sensible, but I think there is another option. Back in 2011,
I started a thread with subject "crypto questions". The password
part of my post was:

"  Passwords are a standard security mechanism and very often
"  a weak link. You can avoid passwords altogether for many
"  server activities by using the public key stuff in SSH. Great
"  for some of us, but is it going to be usable by our target
"  market? If not, what would that take?

"  One thing to look at is ways to eliminate the default
"  password at setup:
"  http://www.turnkeylinux.org/blog/end-to-default-passwords

"  Another is Bcrypt, a password system that aims
"  to be more secure:

"  An overview/advocacy article:
"  http://codahale.com/how-to-safely-store-a-password/
"  The original technical paper:
"  http://www.usenix.org/events/usenix99/provos.html

"  Bcrypt is the default for NetBSD. It is available in the
"  Ubuntu repositories, so I presume also in Debian. I'd
"  say it should be the default for the box, and we could
"  ask the Debian folks to look at whether it might
"  become the default for Debian.

There is also a competition going on to find better
password-handling methods:
https://password-hashing.net/

Both the organizing committee and some of the
tea

It is not expected to give final results until mid-2015,
but is worth keeping in mind.
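The suggestion earlier in this thread of refusing SSH password login from the Internet while still allowing it on the local network can be expressed with a Match block in sshd_config. This is an added example, not configuration from the thread or from the FreedomBox project; the 192.168.1.0/24 range stands in for whatever the box's local network actually is.

```sshd_config
# /etc/ssh/sshd_config (added example; the address range is an assumption)

# Weak default: password authentication is accepted from every address,
# so every Internet-facing guess reaches PAM.
#PasswordAuthentication yes

# Hardened: refuse passwords globally and rely on public keys ...
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password

# ... then re-enable password login only for clients on the local network.
# Match blocks must be the last thing in the file: every directive after
# "Match" applies only to connections matching it.
Match Address 192.168.1.0/24
    PasswordAuthentication yes
```

Run `sshd -t` to check the file for syntax errors before restarting the daemon, and keep an existing session open while testing so a mistake does not lock you out.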
