
Re: Security question concerning jail or virtualization



On Fri, Mar 14, 2014 at 4:30 AM, Scott Ferguson
<scott.ferguson.debian.user@gmail.com> wrote:
> On 14/03/14 15:51, shawn wilson wrote:
>>
>> On Mar 14, 2014 12:13 AM, "Brad Alexander" <storm16@gmail.com
>> <mailto:storm16@gmail.com>> wrote:
>>>
>>
>>>>>
>>>>> Due to this experience I would like to know what the best way to
>> limit such problems is, especially when hosting web servers for users
>> who may or may not installed unsecure applications on the web server.
>>>
>

> None of those methods are dependent on password access.

The initial attack isn't. Post exploit is. Again, I'd think there are
legal issues with auditing your clients' software making all of this
moot (besides my recommendation for a layer 7 firewall).

> Password security for the server (as distinct from user web
> applications) *should* be part of any webserver security. Debian
> provides dsniff and john the ripper which are used in industry best
> practice password auditing.
> By default Debian implements md5 and shadow which are the 'basis' of
> best practice password security (auditing are other practices add to
> those things).
>

For most use cases, see hashcat, not jtr. Also, the default hash on Debian
is ssha per the $6$ in shadow, not md5. See:
http://en.wikipedia.org/wiki/Crypt_%28C%29
It should also be noted - don't use md5 - ever. If you're dealing with
web apps, use bcrypt or scrypt.
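As an added illustration (not code from the thread), the `$id$` prefix in a shadow password field identifies the crypt(3) scheme in use, so a short defensive audit can flag accounts still carrying md5crypt or traditional DES hashes; the shadow lines below are constructed sample data with filler hash bodies.

```python
import re

# crypt(3) modular-format identifiers, per the Wikipedia page linked above.
CRYPT_IDS = {
    "1": "md5crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "7": "scrypt",
    "y": "yescrypt",
}
# Schemes an audit should report on a current system.
WEAK_SCHEMES = {"md5crypt", "descrypt", "empty", "unknown"}

def classify_hash(field):
    """Map one shadow password field to (scheme, active)."""
    if field == "":
        return "empty", True                 # password-less login possible
    if field.startswith(("*", "!")):
        return "locked", False               # no usable password
    m = re.match(r"^\$([^$]+)\$", field)
    if m is None:
        # 13-character fields are traditional DES crypt
        return ("descrypt" if len(field) == 13 else "unknown"), True
    return CRYPT_IDS.get(m.group(1), "unknown"), True

def audit_shadow(text):
    """Return [(user, scheme, weak)] for accounts with a usable password."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        scheme, active = classify_hash(fields[1])
        if active:
            findings.append((fields[0], scheme, scheme in WEAK_SCHEMES))
    return findings

# Constructed sample in /etc/shadow layout; hash bodies are filler, not real.
SHADOW_SAMPLE = """\
root:$6$saltsalt$NotARealHashBodyJustFiller:16000:0:99999:7:::
legacy:$1$abcdefgh$NotARealMd5cryptBody:15000:0:99999:7:::
svc:*:16000:0:99999:7:::
old:abJnggxhB/yWI:14000:0:99999:7:::
"""

if __name__ == "__main__":
    for user, scheme, weak in audit_shadow(SHADOW_SAMPLE):
        print(f"{user:8} {scheme:12} {'WEAK' if weak else 'ok'}")
```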

