[clug] Stopping them at the door

[Nigel Cunningham]

Hi Paul.

On Mon, 2005-02-14 at 11:33, Paul Wayper wrote:
> Hi there!
> 
> As a good administrator, I read the nightly logs of attempted logins and 
> send a message to the abuse contacts for each IP that tries to do a 
> login scan of my machine.  All of the attacks I've seen so far are just 
> scans of common insecure logins, but what I'm worried about is coming in 
> in the morning to find the logs saying someone's bashed away with a 
> brute force password checker and found my password (they'll be trying to 
> find an ________ letter made-up word, and I imagine if they started a 
> minute after I left in the afternoon they'd still be bashing away on it 
> by the time I came back next morning.)
> 
> The question I have is: if someone's managed to get access to a non-root 
> account, how certain is it that they can get root access?  Is it just 
> going to be a matter of uploading a program or typing in a special 
> command, or is there something I can do to slow these types of attacks 
> down?  Is SELinux the answer?  Or is it just a matter of picking good 
> passwords for all the login accounts and hoping?
> 
> On a related note, how do I lengthen the amount of time the system 
> stores the security logs?

This isn't strictly a reply to your question, but you could look into
using delays after unsuccessful logins as a means of making a brute
force attack less feasible. If you're using PAM, I believe it's not too
hard to do.

By the way, in selecting passwords, you'll make the task even harder if
you don't just use letters (increase the namespace), and you shouldn't
say how long the password is on a mailing list like this - if a
malicious person is reading these posts, they'd know not to waste their
time trying other lengths.

Regards,

Nigel
-- 
Nigel Cunningham
Software Engineer, Canberra, Australia
http://www.cyclades.com

Ph: +61 (2) 6292 8028      Mob: +61 (417) 100 574