I had a thought the other day that went something like this:
Ubuntu disables root's account so that nobody can pass-crack it.
That's a decent idea, unless I want to do a bunch of admin stuff, as I turned the sudo timeout to zero.
But a cracker only has to guess your password because he/she already knows that the admin account is named root. At least on a Windows machine, if you aren't logged in as the Admin, they have to guess the Admin's account name as well.
But I have come up with a solution! What if we disable the root account, like Ubuntu, but set up another user that has the no password option set in the sudoers file? You could use that account for admin stuff instead of root.
Of course, you'd have to type 'sudo' before everything, which would be annoying...
You know that with "sudo su" you'll get a root shell right?
Or you could make it so that your user is only allowed to run sudo from the local machine...
[git] | [AURpkgs] | [arch-games]
You don't need to create an extra account to protect root. It looks like you assume that someone who can get one password will not try to get another. This is so popular in the Windows world that I doubt someone with the ability to catch passwords will get "confused".
Set a root password, and set up a group that has access to the root account without the root password. This way you will never pass the root password around; root is password protected, so nobody except the privileged group has access to the root account, and if a member of the privileged group goes rogue, remove him from the privileged group (the group does not need to know the root password). Members of the privileged group can't change the root password because they don't know the password that is currently set up.
This is a simple way of controlling the privileged account/password and still having the last word.
Simply modify PAM (there are already settings for this; you just need to activate them).
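The PAM settings the post above refers to, shown as an added example that is not the poster's own code: on Arch, /etc/pam.d/su ships two commented-out pam_wheel lines, and activating them gives exactly the "privileged group without the root password" setup described. The script works on a constructed copy laid out like the stock Arch file (an assumption; other distributions' su files differ), so it can be run and inspected without root.

```shell
#!/bin/sh
# Added example, not from the thread: activate the pam_wheel lines that Arch
# ships commented out in /etc/pam.d/su, so "wheel" members can su to root
# without root's password while everyone else is refused before a password
# prompt. It works on a copy of the file so it can be run without root.
set -eu

# Constructed sample laid out like Arch's stock /etc/pam.d/su (assumption:
# other distributions' files differ; read yours before running the sed on it).
write_sample_su() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth        sufficient  pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth        sufficient  pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth        required    pam_wheel.so use_uid
auth        required    pam_unix.so
account     required    pam_unix.so
session     required    pam_unix.so
EOF
}

# Uncomment both pam_wheel lines. "sufficient ... trust" lets a wheel member
# through immediately; "required ... use_uid" fails anyone who is not in
# wheel, so pam_unix never even asks them for root's password.
enable_wheel_su() {
    out=$(mktemp)
    sed -e 's/^#\(auth[[:space:]]*sufficient[[:space:]]*pam_wheel\.so[[:space:]]*trust[[:space:]]*use_uid\)/\1/' \
        -e 's/^#\(auth[[:space:]]*required[[:space:]]*pam_wheel\.so[[:space:]]*use_uid\)/\1/' \
        "$1" > "$out"
    mv "$out" "$1"
}

# Summarise what the file currently enforces.
#   open        - pam_wheel inactive: anyone may su if they know root's password
#   wheel-trust - wheel members skip the password, others still may try it
#   restricted  - only wheel members may su, and they need root's password
#   wheel-only  - only wheel members may su, and they need no password
wheel_policy() {
    trust=0; req=0
    grep -Eq '^auth[[:space:]]+sufficient[[:space:]]+pam_wheel\.so[[:space:]]+trust' "$1" && trust=1
    grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1" && req=1
    case "$trust$req" in
        11) echo wheel-only ;;
        10) echo wheel-trust ;;
        01) echo restricted ;;
        *)  echo open ;;
    esac
}

sample=$(mktemp)
write_sample_su "$sample"
echo "before: $(wheel_policy "$sample")"
enable_wheel_su "$sample"
echo "after:  $(wheel_policy "$sample")"
rm -f "$sample"
# On a real box: back up /etc/pam.d/su, run enable_wheel_su on it, then grant
# access with: gpasswd -a alice wheel   (and revoke with: gpasswd -d alice wheel)
```

Once "trust" is active, wheel membership is worth exactly as much as the root password, so review `getent group wheel` as carefully as you would guard that password; the gain is that revoking one person is a group edit rather than a password change everyone has to learn.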
Of course, you'd have to type 'sudo' before everything, which would be annoying...
sudo -i
pam-usb is nice too.
http://aur.archlinux.org/packages.php?ID=2797
and you use it like a key.
Disabling root is the stupidest thing I have ever heard.
Unless you're running a website nobody really cares about hacking you, they'd much rather get a million on Windows than a few on Linux.
Personally, I'd rather be back in Hobbiton.
Now that's funny... Tell that to the people who've been hacked without running a website. I'm sure they'll agree with your cunning analysis.
Pogeymanz: I'm not sure how useful 'disabling' the root account is. There's always something running with root powers and once you can get that hacked.
Even denying root access e.g. over SSH will not help a lot. As soon as someone gets in, it's just a matter of time before he gains root powers.
Got Leenucks? :: Arch: Power in simplicity :: Get Counted! Registered Linux User #392717 :: Blog thingy
Now that's funny... Tell that to the people who've been hacked without running a website. I'm sure they'll agree with your cunning analysis.
How true.
Completely disabling it is not the best idea, BUT neither is auto root login;
there have been a bunch of people asking for that.
Celestia maps
http://celestiamotherlode.net/catalog/s … ator_id=10
OK so I'm not definite. You win.
Personally, I'd rather be back in Hobbiton.
I'm pretty sure you're free to set something like this up on your own if you wish? I don't think most people like hacks like this by default because if we want to do that we'll go ahead and do that ourselves. Having to mess with reversing it would likely be a bit of a PITA unfortunately since having a root account is pretty standard behavior. Also there are all sorts of other utilities you can use to help stop crackers. For example, denyhosts.
Even denying root access e.g. over SSH will not help a lot. As soon as someone gets in, it's just a matter of time before he gains root powers.
The point of disabling root access via ssh isn't so much (IMO) about decreasing the security impact of an attacker getting ssh access to your scene, so much as it is to make brute force attacks more difficult; w/ root account login disabled you have to guess a valid username and either a password or key. So it's definitely a good idea to disable root logins via ssh, or at the very least limit them to key-based authentication.
I don't think there's any security benefit to completely disabling the root account ... because you absolutely need some account with elevated privileges and if that account gets compromised, it's just as bad as if someone got root.
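Checking that root logins over ssh really are disabled is less obvious than it looks, so here is an added example (not from the post above): an audit of a constructed sshd_config. Two details matter: sshd keeps the FIRST value it reads for a keyword and ignores later repeats, and a commented "#PermitRootLogin" line only documents the default. The sample config and the helper names are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the post: audit what an sshd_config really says
# about root logins. Two things bite people here: sshd uses the FIRST value
# it reads for a keyword and ignores later repeats, and a "#PermitRootLogin"
# line only documents the default, it sets nothing.
set -eu

# Constructed sshd_config: an admin appended "PermitRootLogin no" at the end,
# but an earlier active line already says "yes", so the append is ignored.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sshd_config for the example
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
EOF
}

# effective_value FILE KEYWORD: the value sshd would use (first active match;
# keywords are case-insensitive; assumes the "Keyword value" form, not "=").
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# occurrences FILE KEYWORD: how many active lines set it (more than one is a
# sign that someone appended a fix that never took effect).
occurrences() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(key) { c++ }
        END { print c + 0 }
    ' "$1"
}

# root_login_verdict FILE: "ok" when root cannot authenticate with a password
# over ssh, "unset" when the keyword is absent (the default depends on the
# OpenSSH version, so set it explicitly), else "password-root-login".
root_login_verdict() {
    v=$(effective_value "$1" PermitRootLogin)
    case "$v" in
        no|prohibit-password|without-password|forced-commands-only) echo ok ;;
        "") echo unset ;;
        *)  echo password-root-login ;;
    esac
}

# set_directive FILE KEYWORD VALUE: drop every active line for KEYWORD and
# put the new one at the top, where it wins under first-match and cannot be
# captured by a later "Match" block.
set_directive() {
    out=$(mktemp)
    {
        printf '%s %s\n' "$2" "$3"
        awk -v key="$2" '
            /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }
            tolower($1) == tolower(key) { next }
            { print }
        ' "$1"
    } > "$out"
    mv "$out" "$1"
}

cfg=$(mktemp)
write_sample_config "$cfg"
echo "PermitRootLogin in effect: $(effective_value "$cfg" PermitRootLogin) ($(occurrences "$cfg" PermitRootLogin) active lines) -> $(root_login_verdict "$cfg")"
set_directive "$cfg" PermitRootLogin prohibit-password
echo "after fix: $(effective_value "$cfg" PermitRootLogin) -> $(root_login_verdict "$cfg")"
rm -f "$cfg"
# On a real host, validate before reloading: sshd -t -f /etc/ssh/sshd_config
```

`prohibit-password` is the "limit them to key-based authentication" option from the post; `no` removes root from the ssh picture entirely, which is the stronger choice when admins already have their own accounts and sudo.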
The best protection is abstinence, but at least never interface without protection.
I feel that the best way to go about protecting your PC is through basic standard security precautions such as port forwarding, regularly monitoring log files, and secure passwords that are regularly changed. You can even find a couple of utilities that generate passwords for you (really nice ones like !GBFO2fh23~!sdf9**(1`).
The more of a mix you have in a password, the more difficult it will be to crack. Most of the more common hashes out there I've seen will crack an alphanumeric password in a heartbeat, but even throwing a couple of symbols in there will stymie them.
Hofstadter's Law:
It always takes longer than you expect, even when you take into account Hofstadter's Law.
^ Or you could have a life and not think that the whole world is going to attack YOUR computer... Even if that happens, you would have wasted much more time "checking" logs rather than fixing the damn thing.
People these days.
^ Or you could have a life and not think that the whole world is going to attack YOUR computer... Even if that happens, you would have wasted much more time "checking" logs rather than fixing the damn thing.
People these days.
Or you could not exaggerate.
It doesn't take the whole world, just one person with a working brain, and last I heard, things like social security numbers were worth quite a fair bit.
Ten minutes a day to securing your computer and online activities does not seem unreasonable.
Don't keep your social security number on your computer. Why would you even have it on there?
Personally, I'd rather be back in Hobbiton.
Don't keep your social security number on your computer. Why would you even have it on there?
Lots of places some don't usually think of, like browser cache, etc. (though this shouldn't happen, it does), and other local documents.
That was just one example, though.
Go on a case-by-case basis. I'm pretty sure that if my computer were taken and searched by someone else, they'd have quite a bit of blackmail on me, including perhaps some legal trouble.
If it's grandma's web machine, perhaps not so much (but then again, those less computer-inclined tend to make mistakes like the social security stuff more often).
It's really simple to stop someone from brute-forcing your root account or any other account. Use a module like fail2ban, pam_abl, etc. that bans a username and/or IP address after a certain number of failed login attempts (say 5).
Then there is no need for insane passwords like !GBFO2fh23~!sdf9**(1` that no one can remember, and no need to change passwords frequently (what a pain in the butt; who can remember their password when they're constantly changing it?).
No one is guessing even a fairly simple password in 5 attempts, especially if you don't use a dictionary word.
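What fail2ban and pam_abl automate, as an added example that is not part of the post above: tally failed password attempts per source address and per target username from sshd's log, and flag any source that reaches the threshold (5, as the post suggests). The log lines are constructed for the example, using documentation address ranges; the helper names are assumptions. The username tally also shows the point made elsewhere in this thread about root being the name everybody tries.

```shell
#!/bin/sh
# Added example, not from the thread: the counting that fail2ban and pam_abl
# do for you, run over a few constructed sshd log lines. Every failed password
# attempt is tallied per source address and per target username; a source
# that reaches the threshold (the post suggests 5) is reported as an offender.
set -eu

# Constructed sample in the syslog format sshd uses; addresses come from the
# documentation ranges (203.0.113.0/24 etc.), nothing here is a real host.
write_sample_log() {
    cat > "$1" <<'EOF'
Apr 29 02:31:07 box sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Apr 29 02:31:09 box sshd[2101]: Failed password for root from 203.0.113.7 port 51240 ssh2
Apr 29 02:31:12 box sshd[2103]: Failed password for root from 203.0.113.7 port 51250 ssh2
Apr 29 02:31:15 box sshd[2105]: Failed password for invalid user oracle from 203.0.113.7 port 51262 ssh2
Apr 29 02:31:18 box sshd[2107]: Failed password for root from 203.0.113.7 port 51270 ssh2
Apr 29 02:31:21 box sshd[2109]: Failed password for invalid user test from 203.0.113.7 port 51281 ssh2
Apr 29 02:33:02 box sshd[2120]: Failed password for alice from 198.51.100.5 port 40010 ssh2
Apr 29 02:33:09 box sshd[2122]: Accepted publickey for alice from 198.51.100.5 port 40012 ssh2: ED25519 SHA256:constructed-fingerprint
Apr 29 02:40:44 box sshd[2130]: Failed password for root from 192.0.2.33 port 60001 ssh2
Apr 29 02:40:47 box sshd[2132]: Failed password for root from 192.0.2.33 port 60003 ssh2
EOF
}

# Shared parser: prints "user ip" for every failed password attempt.
# "invalid user NAME" means the username does not even exist on the box.
failed_attempts() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
            user = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for") user = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
                if ($i == "from") ip = $(i+1)
            }
            if (user != "" && ip != "") print user, ip
        }' "$1"
}

# "ip count", busiest source first.
failed_per_source() {
    failed_attempts "$1" | awk '{ n[$2]++ } END { for (k in n) print k, n[k] }' \
        | sort -k2,2nr -k1,1
}

# "user count", most-targeted name first; root normally tops this list,
# which is the argument for not letting root log in over ssh at all.
targeted_users() {
    failed_attempts "$1" | awk '{ n[$1]++ } END { for (k in n) print k, n[k] }' \
        | sort -k2,2nr -k1,1
}

# Sources with at least THRESHOLD failures: the ones fail2ban would ban.
offenders() {
    failed_per_source "$1" | awk -v t="$2" '$2 >= t { print $1 }'
}

log=$(mktemp)
write_sample_log "$log"
echo "failures per source:"; failed_per_source "$log"
echo "targeted usernames:";  targeted_users "$log"
echo "would be banned at threshold 5:"; offenders "$log" 5
rm -f "$log"
```

This counts over the whole file; fail2ban additionally limits the window (its `findtime`) and expires bans, and pam_abl does the same bookkeeping inside the PAM stack, so it covers every PAM-using service rather than only what sshd logs. Whichever you use, the number to watch is the threshold itself: at 5 attempts a non-dictionary password is out of reach, which is the post's point.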
Now that's funny... Tell that to the people who've been hacked without running a website. I'm sure they'll agree with your cunning analysis.
[sing-song:] Oh, Phrakture...?
Last edited by Wintervenom (2010-04-29 02:39:33)
What!? Phrak was hacked?! ohmigod
It's really simple to stop someone from brute-forcing your root account or any other account. Use a module like fail2ban, pam_abl, etc. that bans a username and/or IP address after a certain number of failed login attempts (say 5).
Then there is no need for insane passwords like !GBFO2fh23~!sdf9**(1` that no one can remember, and no need to change passwords frequently (what a pain in the butt; who can remember their password when they're constantly changing it?).
No one is guessing even a fairly simple password in 5 attempts, especially if you don't use a dictionary word.
Excellent point! I forgot to mention that. However, I still stand by my secure password philosophy, but I guess to each their own.
Hofstadter's Law:
It always takes longer than you expect, even when you take into account Hofstadter's Law.
I'm a user that nobody would have much interest in attacking... no important information, and my bank account is hideous. However, when I first installed ssh, I saw upload spikes... someone from Shanghai was brute-forcing my account. Using a different port and a 1024-bit DSA key fixed that.
f0110\/\/ t|-|3 y3110\/\/ br!ck r04d
I'm a user that nobody would have much interest in attacking... no important information, and my bank account is hideous. However, when I first installed ssh, I saw upload spikes... someone from Shanghai was brute-forcing my account. Using a different port and a 1024-bit DSA key fixed that.
People certainly will and DO try to brute-force their way into machines. I started logging and heavily monitoring failed logins on a cluster I admin out of curiosity and saw up to thousands of attempts per day from all over the world. Coincidentally, a large majority trace back to a certain ISP in Southeast Asia that must be pretty loose with their own monitoring.
But I don't worry, since the root password is like 18 characters, usernames are not dictionary words or just common names, and passwords are not allowed to be so simple that they can be cracked in 5 attempts (the point at which my pam_abl blocks potential intruders).
I guess my whole point is, there are tons of people that will try to brute-force systems and you do need a plan. However, there are some fairly simple plans that don't require huge, unrememberable passwords that are changed every couple of months.