and make sure that your ssl/ssh is up to date as well. Latest is openssl-0.9.7e / openssh-3.9.x
On Thu, 2005-02-10 at 08:51, Rich Adamson wrote:
> > I had the system set up to allow http and ssh.
> >
> > The hack came in through ssh.
>
> For those that aren't heavily involved with security topics, there
> have been many different approaches from many different IPs attempting
> to:
> a) exploit known ssh holes, and,
> b) ssh password guessing
>
> We tend to watch these attempts rather closely through intrusion detection
> tools like snort. As consultants, we are also under retainers to
> assist other companies with securing their facilities and watching
> for exploits. The exploit attempts happen every single day.
>
> There are multiple password guessing tools commonly available on
> the Internet. I eval'ed one of the tools and it took five seconds
> to guess a password that was five characters in length. It took an
> hour to guess a password that was eight characters, and around
> twenty-four hours to guess a password that was eight characters made
> up of uppercase, lowercase and non-alpha characters (eg, complex).
> Regardless, the guessing process is simply how much time does one
> want to devote to doing it (eg, what's the return value for spending
> the time exploiting a system).
>
> It doesn't make much difference whether one exposes telnet or ssh.
> Both can be exploited. But, the more complex you make the password,
> the more time-consuming and difficult it is to guess it.
>
> So, if you must expose either telnet or ssh, make your passwords very
> long and complex. If your O/S has the capability to lock out the account
> after 'xx' failed passwords, then do that. Automatically resetting the
> process after 'y' minutes disrupts the guessing process without the
> hacker knowing it, but still allows you access after that auto reset.
> Using something like seven failed attempts with a five minute reset
> is more than adequate in most cases.
--
Derek Whitten <[EMAIL PROTECTED]>
kFuQ Productions
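The lockout scheme suggested above (lock the account after seven failed passwords, clear the lock automatically after five minutes) as an added example that is not part of this thread: a small Python model of the policy, replayed over constructed sshd log lines. The log lines, the hostname `pbx`, the source address and the year 2005 are all assumed for the illustration.

```python
import re
from datetime import datetime, timedelta
# Constructed sshd log excerpt (not from the thread): seven guesses, then a correct
# password arriving during the lockout, then a new attempt after the five-minute reset.
SAMPLE_LOG = """\
Feb 10 08:40:01 pbx sshd[2101]: Failed password for root from 10.0.0.5 port 40110 ssh2
Feb 10 08:40:04 pbx sshd[2102]: Failed password for root from 10.0.0.5 port 40111 ssh2
Feb 10 08:40:06 pbx sshd[2103]: Failed password for root from 10.0.0.5 port 40112 ssh2
Feb 10 08:40:09 pbx sshd[2104]: Failed password for root from 10.0.0.5 port 40113 ssh2
Feb 10 08:40:12 pbx sshd[2105]: Failed password for root from 10.0.0.5 port 40114 ssh2
Feb 10 08:40:15 pbx sshd[2106]: Failed password for root from 10.0.0.5 port 40115 ssh2
Feb 10 08:40:18 pbx sshd[2107]: Failed password for root from 10.0.0.5 port 40116 ssh2
Feb 10 08:40:21 pbx sshd[2108]: Accepted password for root from 10.0.0.5 port 40117 ssh2
Feb 10 08:46:00 pbx sshd[2120]: Failed password for root from 10.0.0.5 port 40200 ssh2
"""
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+)")

class LockoutPolicy:
    """Lock after `threshold` consecutive failures; the lock clears itself `reset` later."""
    def __init__(self, threshold=7, reset=timedelta(minutes=5)):
        self.threshold, self.reset = threshold, reset
        self.failures = {}      # account -> consecutive failure count
        self.locked_until = {}  # account -> time at which the lock expires
    def decide(self, account, when, success):
        until = self.locked_until.get(account)
        if until is not None and when < until:
            return "locked"              # refused whatever the password was
        if until is not None:            # lock expired: auto reset, count afresh
            del self.locked_until[account]
            self.failures[account] = 0
        if success:
            self.failures[account] = 0
            return "allow"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.threshold:
            self.locked_until[account] = when + self.reset
            return "lockout"             # this failure tripped the lock
        return "deny"

def replay(log_text, policy, year=2005):
    """Run sshd syslog lines (no year field; 2005 assumed) through the policy."""
    out = []   # (timestamp, account, source, decision)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            decision = policy.decide(m.group(3), when, m.group(2) == "Accepted")
            out.append((when, m.group(3), m.group(4), decision))
    return out
```

The eighth line shows the point made above: a correct password offered inside the lockout window is still refused, while the attempt after the five-minute reset is counted as a fresh first failure.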
_______________________________________________
Asterisk-Users mailing list
[email protected]
http://lists.digium.com/mailman/listinfo/asterisk-users
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
