Okay, two little things here.
First: in /etc/default/passwd, CRYPT is set to "des" by default. Is there anything to lose by making "blowfish" the default setting?
Second: there ought to be a default limit on the number of processes, as in FreeBSD - maybe 100,000 or so? - in order to minimize the danger of forkbomb attacks.
Now I know what people are going to say... "Do it yourself." News: simple security stuff like that should be enabled by default. Yes, small things, but something like the process limit could make a huge difference, and I'm willing to bet that the difference between Blowfish and DES could be the difference between an attempted hack and one that screws your system sideways.
What do you guys say? Feel free to point out any problems with this proposal...
Umm, I'm pretty sure the default process limit is set somewhere... after the cheesy forkbomb slashdolt thread, everyone added some ulimit settings.
Gullible Jones wrote: First: in /etc/default/passwd, CRYPT is set to "des" by default. Is there anything to lose by making "blowfish" the default setting?
No, except easier-to-crack passwords.
Second: there ought to be a default limit on the number of processes, as in FreeBSD - maybe 100,000 or so? - in order to minimize the danger of forkbomb attacks.
I agree... especially since it is one line in /etc/security/limits.conf or something like that (I can't remember the exact filename).
The only caveat is that sshd_config needs to have EnablePAM set, which not everyone might want. Since this would affect more than one thing, I think it would make more sense to have a "securing your box" guide that people can reference. Simple things to do that will ratchet up your security a bit more; things that go above and beyond the simple configs, like the sshd thing. For local logins, though, I think that PAM is already the default, so it should work groovily there.
"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍
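The "one line in limits.conf" above, worked through as an added example (this is not code from the thread or from Arch's shipped files). The file is /etc/security/limits.conf; each line is "domain type item value", and the item that caps a fork bomb is nproc. The fragment below is constructed, and the small resolver shows which nproc value a given user would end up with: pam_limits lets an entry naming the user explicitly take precedence over a `*` wildcard entry whatever the file order (check limits.conf(5) on your release; @group entries are ignored here because group membership is not resolved offline). Two caveats a practitioner wants: the limit is only applied by services that run the PAM session stack, so for SSH the sshd_config directive is `UsePAM yes`; and a root entry of `unlimited` is deliberate, since a hard cap on root can lock an administrator out of a box that is already being forkbombed. Function names nproc_limit and current_nproc are this example's own.

```shell
#!/bin/sh
# Resolve the per-user process limit ("nproc") from a limits.conf-style file.
# Format: <domain> <type> <item> <value>; '#' starts a comment.
# Precedence (pam_limits behaviour, assumption documented in the lead-in):
# an entry naming the user explicitly beats a '*' wildcard regardless of order.
# "@group" domains are not resolved in this example.
nproc_limit() {   # usage: nproc_limit USER TYPE FILE   (TYPE is "soft" or "hard")
    awk -v user="$1" -v type="$2" '
        /^[ \t]*#/ || NF < 4 { next }           # comments and short lines
        $3 != "nproc" { next }                  # only the process-count item
        $2 != type && $2 != "-" { next }        # "-" sets both soft and hard
        $1 == user { explicit = $4 }            # explicit user entry wins
        $1 == "*"  { wildcard = $4 }            # default for everyone else
        END {
            if (explicit != "") print explicit
            else if (wildcard != "") print wildcard
            else print "unlimited"              # pam_limits leaves it untouched
        }' "$3"
}

# The limit the current shell actually has, to compare with what the file promises.
current_nproc() {
    ulimit -u 2>/dev/null || echo unknown
}

# Constructed example of /etc/security/limits.conf (not a real system's file).
LIMITS=$(mktemp)
cat > "$LIMITS" <<'EOF'
# domain   type   item    value
*          soft   nproc   4096
*          hard   nproc   100000
root       -      nproc   unlimited
backup     hard   nproc   200
EOF

for u in alice root backup; do
    printf '%-8s soft=%s hard=%s\n' "$u" \
        "$(nproc_limit "$u" soft "$LIMITS")" "$(nproc_limit "$u" hard "$LIMITS")"
done
printf 'this shell: ulimit -u = %s\n' "$(current_nproc)"
rm -f "$LIMITS"
```

A soft limit of a few thousand already stops a shell forkbomb for ordinary users while leaving headroom for build systems; the hard limit is what the user cannot raise with `ulimit -u`. After changing the file, log in fresh (through a PAM-aware path) and compare `ulimit -u` with what the resolver prints; an unchanged value usually means the service never ran pam_limits.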
Gullible Jones wrote: First: in /etc/default/passwd, CRYPT is set to "des" by default. Is there anything to lose by making "blowfish" the default setting?
No, except easier-to-crack passwords.
I wonder why it's not set to Blowfish by default, then...
Second: there ought to be a default limit on the number of processes, as in FreeBSD - maybe 100,000 or so? - in order to minimize the danger of forkbomb attacks.
I agree... especially since it is one line in /etc/security/limits.conf or something like that (I can't remember the exact filename).
The only caveat is that sshd_config needs to have EnablePAM set, which not everyone might want. Since this would affect more than one thing, I think it would make more sense to have a "securing your box" guide that people can reference. Simple things to do that will ratchet up your security a bit more; things that go above and beyond the simple configs, like the sshd thing. For local logins, though, I think that PAM is already the default, so it should work groovily there.
Ahh... So SSH requires some mucking with to secure.
(Maybe PAM should be enabled by default? Or would that cause much vexation?)
Hey guys, newsflash: DES is not secure! :shock:
And MD5 isn't either, of course. That leaves Blowfish, which is quite secure, at least as of right now.
I'd say that default encryption should be switched to Blowfish... Also, is it possible to include an option for AES (Rijndael)?
DES has been insecure for quite a while now.
Ah... /etc/default/passwd is owned by PAM. Could someone put this on the mailing list? Or perhaps it should be reported as a PAM bug; it is, after all, a security hole...
But /etc/passwd is the one the system actually uses.
The default is probably just copied across by the installer during initial system setup.
/me shrugs
I can't remember off the top of my head.
(PS: working sucks.)
The contents of /etc/passwd and /etc/default/passwd are completely different.
Yes, Gullible, that was my point: only /etc/passwd is actually used.
I am not sure what purpose /etc/default/passwd actually serves at this point. Being that I am far from my box right now, I can't check.
Eh?
/etc/passwd:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
mail:x:8:12:mail:/var/spool/mail:/bin/false
ftp:x:14:11:ftp:/home/ftp:/bin/false
nobody:x:99:99:nobody:/:/bin/false
proteus:x:1000:100::/home/proteus:/bin/bash
dbus:x:81:81:System message bus:/:/bin/false
hal:x:82:82:HAL daemon:/:/bin/false
avahi:x:84:84:Avahi daemon:/:/bin/false
/etc/default/passwd:
# This file contains some information for
# the passwd (1) command and other tools
# creating or modifying passwords.
# Define default crypt hash
# CRYPT={des,md5,blowfish}
CRYPT=blowfish
# Use another crypt hash for group passwords.
# This is used by gpasswd, fallback is the CRYPT entry.
# GROUP_CRYPT=des
# We can override the default for a special service
# by appending the service name (FILES, YP, NISPLUS, LDAP)
# for local files, use a more secure hash. We
# don't need to be portable here:
CRYPT_FILES=blowfish
# sometimes we need to specify special options for
# a hash (variable is prepended by the name of the
# crypt hash).
BLOWFISH_CRYPT_FILES=5
# For NIS, we should always use DES:
CRYPT_YP=des
Here's a challenge, in ten seconds, can you state the obvious!?
Dusty
Are you sure it's not already using Blowfish for local files? This block seems to hint at that.
# for local files, use a more secure hash. We
# don't need to be portable here:
CRYPT_FILES=blowfish
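A way to answer apeiro's question without guessing, added here as an example that is not from the thread: the crypt(3) scheme a system actually used is visible in the prefix of each hash in /etc/shadow, whatever /etc/default/passwd says. Traditional DES hashes are 13 characters with no `$` prefix, MD5-crypt hashes start with `$1$`, and the bcrypt ("blowfish" in the config above) hashes start with `$2a$` (newer implementations also emit `$2b$` and `$2y$`); the cost factor, the `5` in `BLOWFISH_CRYPT_FILES=5`, is the number between the second and third `$`. The example goes a little beyond the thread by also recognising the later `$5$` (SHA-256) and `$6$` (SHA-512) prefixes, which that /etc/default/passwd predates. Run it as root against the real file, since /etc/shadow is readable only by root (or the shadow group on some distributions); the sample file below is constructed and its hashes are placeholders, not real password hashes. Function names hash_scheme, bcrypt_cost and audit_shadow are this example's own.

```shell
#!/bin/sh
# Classify the crypt(3) scheme of one /etc/shadow password field.
# Prints one of: empty locked des md5 blowfish sha256 sha512 unknown
hash_scheme() {
    field=$1
    case "$field" in
        '')            echo empty ;;       # no password at all: worth flagging
        '!'*|'*'*)     echo locked ;;      # locked account or no valid hash
        '$1$'*)        echo md5 ;;
        '$2a$'*|'$2b$'*|'$2x$'*|'$2y$'*)
                       echo blowfish ;;    # bcrypt, "blowfish" in /etc/default/passwd
        '$5$'*)        echo sha256 ;;
        '$6$'*)        echo sha512 ;;
        '$'*)          echo unknown ;;     # some other "$id$" scheme
        *)
            # Traditional DES crypt: exactly 13 characters, no '$' prefix
            if [ "${#field}" -eq 13 ]; then echo des; else echo unknown; fi ;;
    esac
}

# bcrypt cost factor: the field between the 2nd and 3rd '$' (e.g. "05").
bcrypt_cost() {
    printf '%s\n' "$1" | cut -d'$' -f3
}

# Audit every account in a shadow-format file: prints "user scheme" per line.
audit_shadow() {
    while IFS=: read -r user pw _rest; do
        printf '%s %s\n' "$user" "$(hash_scheme "$pw")"
    done < "$1"
}

# Constructed sample in /etc/shadow format (placeholder hashes, not real ones).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:$2a$05$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234:13000:0:99999:7:::
legacy:AbCdEfGhIjKlM:13000:0:99999:7:::
md5user:$1$saltsalt$0123456789abcdefghijkl:13000:0:99999:7:::
bin:!:13000:0:99999:7:::
nobody:*:13000:0:99999:7:::
EOF
audit_shadow "$SAMPLE"
rm -f "$SAMPLE"
```

On a live box the one-liner is `audit_shadow /etc/shadow | grep -v -e locked`: any "des" line is an account whose password was set (or never re-set) while CRYPT was still des, and changing the default does not rehash existing entries; the user has to change the password, or an administrator has to force it with `chage -d 0`, before the new scheme takes effect for that account.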
I bang my head against my desk two times in response to Dusty's question.
You could be right, apeiro, but the whole /etc/shadow file is not encrypted. :?
(Ehh... Dusty and cactus... I'm guessing I was wrong?)
Hm, I wonder what the permissions are on /etc/shadow.... Well, rather than guessing if you're wrong you could look it up.... or even better, feel free to assume it is thus.
Not encrypted?
The password portion of it should be the only part that is encrypted...
Man... I wish I had access to my Arch box right now.....
Not encrypted?
The password portion of it should be the only part that is encrypted... Man... I wish I had access to my Arch box right now.....
It is.
Passwords are secure enough as they are. If someone is so desperate to access your account that they have a supercomputer and access to log in to your machine, you'd probably have better security anyway. There's more danger in social manipulation, and someone weaseling your password out of you. Like so:
MD5 Sum of my password:
18297f47c43a4a3e8ab71910fde99bab
You have a week to break it or even find something that collides with it. Have fun.
My point is really, /etc/shadow is only readable by root, so to read it, someone would have to have gained root access on your computer. You're already compromised and the passwords are useless. If someone were to break to root, and get the hashes of the passwords, it'd take them months to get the correct password, and why would they want that? they already have access on your system.
My point is really, /etc/shadow is only readable by root,
That was my point too... but perhaps I wasn't subtle enough.
Good to see you again, iphitus!! :-)
Dusty
Actually, if you have a mandatory access control system in place, then someone gaining access to the /etc/passwd file does more than you think.
In such a system, root does not have all the rights. root can be made not able to read user files/directories/etc. root might not even be the policy setter for the system.
Secure passwords are important.
Actually, if you have a mandatory access control system in place, then someone gaining access to the /etc/passwd file does more than you think.
In such a system, root does not have all the rights. root can be made not able to read user files/directories/etc. root might not even be the policy setter for the system.
Is it not the case that root has the authority to change who is the policy setter? If not, it's more worthwhile to hack the policy setter account.
Dusty
The policy setter can only set policy. Discretionary sits atop mandatory. So while the policy setter could set policy, they might not be able to create accounts, grant external access, or read files.
it is a completely different security paradigm. But for the most part, this thread is correct. I was just being slightly contrarian by pointing out that what is 'the common', is not 'the always'.
Nothing to see here.. move along..
These aren't the droids you are looking for...