
Re: off topic: password strategy as an ISP



hello,

John Foster wrote:
> 
> We use the following strategy:
> 
> 1) Generate a list of passwords with pwgen

could you describe this utility?

> 2) On a SP2 supercomputer, try to crack them (after feeding them
> through crypt).

do you use a wordlist and if so, how big?

> 3) Those who can't be cracked go into a safe, to be allocated when
> users sign up.

then, you depend upon a wordlist. if you tested passwords on a small
one, crackers may get lucky on one of those 11 MB ones on the coast
security archives. as far as i know, all passwords can be cracked using
brute force. (at least i had a 100% success)

> The company I work for was very badly hacked (rm -fR *), which is how
> I got my job (as a repairman!). They are now somewhat paranoid!

then they must have been really insecure. only very lame people would
ever do that.

> Just as a Debian is cool story:
> 
> When they lost all their servers they were running Slackware 2
> (shudders!). I refused to rebuild the system with Slackware so they
> said, "OK, use Redhat". I installed Redhat (2 I think) and managed to
> crack it within a week.

Redhat - the breakin paradise. last week, the whole #hack channel sat on
#linux, noted down the ip addies of people who installed it and rooted
them. ever seen an inetd.conf on a fresh install of redhat 4.2? just one
unpatched version of imapd is sufficient ;)

> So I put Debian 1.2.4 on (I'd been using Debian in a research
> environment for some time), and since then I've seen a few attempts in
> the logs, but as far as I know no-one has got in who shouldn't!

it doesn't mean they haven't ;))

> I'm not so naive as to believe that Debian is 100% secure (that's
> impossible I reckon), but it seems to cope OK for a smallish ISP. I
> find some interesting things in the logs, like 500 consecutive
> attempts to telnet from the one source, but as we've disabled shell
> access for dial-in clients it'll just give them motd if they do get in
> that way!

i'm not at all knowledgeable in linux, but chsh changes the user's default
shell in /etc/passwd. (at least on SunOS)

> On the subject of pwgen though, there is a definite pattern to the
> passwords it generates. This does concern me a bit.

yep, that would certainly make it more susceptible to lame newbie
attacks.

paul
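
A defender's version of the generate-then-vet pipeline John describes and paul questions, added here as an example (it is not code from either poster): random candidates are screened against a wordlist with the mangling rules a dictionary attack applies, and the brute-force keyspace is reported so that surviving the wordlist check is not mistaken for being uncrackable. The wordlist, the alphabet and the guess rate are assumptions; plaintexts are compared directly rather than via crypt(), since the vetting side holds the plaintexts anyway.

```python
# Added example: screen generated passwords against a wordlist + mangling
# rules, then show the brute-force keyspace that a wordlist check ignores.
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # assumed pwgen-like alphabet

# Constructed stand-in for the large wordlist archives mentioned in the thread.
WORDLIST = {"password", "secret", "debian", "redhat", "linux", "letmein"}

def mangle(word: str):
    """Variants a dictionary cracker would try for one wordlist entry."""
    leet = word.translate(str.maketrans("aeio", "4310"))
    for base in {word, word.capitalize(), word.upper(), word[::-1], leet}:
        yield base
        for digit in range(10):          # common trailing-digit rule
            yield f"{base}{digit}"

def dictionary_hits(wordlist=WORDLIST) -> set:
    """Every string the mangling rules produce from the whole wordlist."""
    return {variant for word in wordlist for variant in mangle(word)}

def is_crackable(password: str, hits: set) -> bool:
    """True if a dictionary attack with these rules would recover it."""
    return password in hits

def brute_force_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly random password over the alphabet."""
    return length * math.log2(len(alphabet))

def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case exhaustive-search time, independent of any wordlist."""
    return 2 ** bits / guesses_per_second

def generate(length: int = 8, alphabet: str = ALPHABET) -> str:
    """CSPRNG-backed candidate, the step pwgen plays in the thread."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def vet(candidates, hits: set) -> list:
    """Keep only candidates that survive the dictionary check (the 'safe')."""
    return [c for c in candidates if not is_crackable(c, hits)]

if __name__ == "__main__":
    hits = dictionary_hits()
    for pw in [generate() for _ in range(3)] + ["Password1", "d3b14n"]:
        print(pw, "REJECT" if is_crackable(pw, hits) else "ok")
    bits = brute_force_bits(8)   # 8 chars over 62 symbols: about 47.6 bits
    days = seconds_to_exhaust(bits, 1e9) / 86400   # assumed 1e9 guesses/s
    print(f"8 chars: {bits:.1f} bits, exhausted in about {days:.1f} days")
```

The last line is paul's point in numbers: a password that passes the wordlist screen still falls to exhaustive search in days at the assumed rate, so the screen removes the weak tail but does not make the survivors safe.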


--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-user-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .

