LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
10-27-2003, 07:31 PM   #1   shanenin
is this a security risk?


Is there a big security risk if my non-root user account does not have a strong password?
 
10-27-2003, 09:58 PM   #2   chort
Well, define "big"? If your non-root account has access to sudo then yes, it's a huge risk. Otherwise it's a fairly substantial risk, but I don't know how you quantify "big".

There are many exploits that can only be performed with what is called "local" access, i.e. an actual user account on the machine you're attacking. By using a weak password you're taking a much bigger risk that your account will be compromised, especially if you're running any sort of remote access protocols like telnet or ssh with password authentication enabled. Once someone has a "local" account, they can then exploit weaknesses that were not available previously when they were just attacking the Internet face of the box.

Based on the above, I would never allow a weak password on one of my boxes if I could help it. It's not that difficult to make sure every password has at least 2 numbers, 1 non-alpha-numeric character, and is at least 8 characters long. Mixing upper and lower cases on alpha characters is good too, but often users forget extremely complicated passwords.
 
10-28-2003, 06:58 AM   #3   porous
Re: is this a security risk?

Quote:
Originally posted by shanenin
Is there a big security risk if my non-root user account does not have a strong password?
I totally agree with chort, I think he has given you good advice.
But let me tell you this: why do you want to take a risk when there is no need to take a risk?
 
10-28-2003, 10:58 AM   #4   shanenin (Original Poster)
I changed it. It told me that more than 8 characters could cause a problem; it said I could truncate (spelling?) it.
Two questions:

1. Why would more than 8 characters cause a problem?
2. What is truncate?
 
10-28-2003, 12:36 PM   #5   Robert0380
Truncate means chop off.

If you truncate 12312.12 to be a whole number you get 12312 and you lose the .12 into oblivion.

This behavior is noticed in web browser access. If you get a pop-up in a web browser asking for a user and password, usually only the first 8 characters of the password matter.

As to why your Linux system doesn't like more than 8 characters, I'm not sure. I just created a 16-character password for my normal user and it requires all 16 of 'em to log in.
 
11-02-2003, 11:34 AM   #6   Astro
I really don't think some random person is gonna find your Linux box and specifically try to crack your specific user password. I definitely know my mom or girlfriend doesn't try to crack my logins, so I know that's safe. But as for someone randomly finding your machine, realizing it's a Linux box and knowing what to do from there, I think the possibility is very rare; however, chort is right in what he's saying.
 
11-02-2003, 01:59 PM   #7   unSpawn (Moderator)
Quote:
Originally posted by Astro
I really don't think some random person is gonna find your Linux box and specifically try to crack your specific user password.
A risk is a risk. "Thinking" you're secure (opinions vs facts) should not be used as an argument to condone weak security. Because you can't think of it doesn't mean others can't.

Quote:
Originally posted by Astro
I definitely know my mom or girlfriend doesn't try to crack my logins, so I know that's safe.
Not trying to turn it into a FUD or paranoia thing, but do you actually know it, or is this another assumption?

Quote:
Originally posted by Astro
But as for someone randomly finding your machine, realizing it's a Linux box and knowing what to do from there I think the possibility is very rare
How rare is it, really? And can the fact you perceive it as rare really be used as an argument for lax security?

IMHO not.
 
11-02-2003, 02:27 PM   #8   Astro
I'd guess it's pretty rare for a lot of that stuff. Guessing by how many people are in my major (IT/ANSA) and the amount that have never heard of Linux scares me just a bit. Sure it's a risk, as you said, a risk is a risk no matter how small... but don't blow it out of proportion.
 
11-02-2003, 04:27 PM   #9   chort
Don't think that because the small circle of people you know in the US don't know Linux that the majority of malicious attackers out there don't know about it. After all, you're not worried about the average person you meet on the street; what you should be worried about is kids in Romania, China, Korea, etc. who have nothing better to do (especially the first two).

In many cases there are foreign countries with excellent Computer Science programs, but very poor economies and few jobs (thinking specifically of Romania here). What happens when those kids graduate university and realize there are no jobs for them? Hmm. Countries like Romania, India, and China do teach Linux skills. In fact there's a Red Flag distribution of Linux that comes from China and the Chinese government is very keen on replacing Microsoft products in their country.

But forget all that for right now, let's go back to the basics. You are not worried because there aren't many people out there who know Linux, but how many does it take to be dangerous? Considering most people who are serious about computers now have broadband connections with a lot of bandwidth, and they often have multiple machines at their disposal (and a lot more if they have created any zombies) we have to assume that a single person can hold vast amounts of computing power and bandwidth. Now will these people be randomly trying to telnet to IPs by hand? No. Surely you must be familiar with nmap? As you know it makes scanning networks trivial.

Now suppose they're only looking for a few specific things to exploit. Let's assume that the attacker is looking for a sendmail vulnerability, Sun RPC vuln, and OpenSSL vuln. Now we can further assume that the vast majority of the people using these services are going to do so on the default ports. In fact, the attacker happens to be very lucky because running any of these services on something other than the default port will cause a lot of problems. In fact, I don't think it's possible for RPC services to work at all if you don't run portmapper on 111. Sendmail can still accept mail, but remote MTAs only deliver to port 25, and HTTPS will run on other ports, but then the person has to type the port number in their browser instead of just https://. All the attacker has to do is run an nmap overnight on several huge blocks of IPs looking for responses on ports 25/tcp, 111/tcp, 111/udp, and 443/tcp. Moreover he can write a script to parse the response banners and filter out any responses that don't look like they came from software he's looking for (i.e. only leave sendmail, sunrpc, and openssl).

Now when Mr. Cracker wakes up he has a neat and tidy list of only those few hosts out of hundreds of thousands that are running exactly the software he knows how to exploit. In fact, it may be even easier if he has tools that can run the exploits for him, he can have the tools run automatically against the list of target boxes and if they succeed, print him out a list of IPs that he now has the root password for. It could be as simple as waking up and just logging into your box like he owned it.

So let's examine the specific example of OpenSSH. Well, a while back there was a vulnerability with OpenSSH and PAM authentication that would let an attacker enumerate a list of local users by using a dictionary username attack and measuring the length of time it took to generate the "password failed" message. With that method you could very quickly build a list of all the user accounts on the system (this is much easier than passwords, because usernames are nearly always dictionary words, or a combination of names and initials). Another method for building a user list would be to scan mail archives for headers indicating the message was generated from a particular distribution of Linux and/or sent through a particular MTA. The originating IP could be used to either scan that network (in case the host moved due to DHCP) or simply use that IP directly. In any case those are two methods an attacker could use to build a known good user list. After that he just has to try brute force password methods on the known user accounts. If you have a user with a weak password, hey presto: Local access!

One last word on password length. The traditional UNIX crypt() function would only DES hash up to 8 characters of the password. That meant that anything over 8 characters was just discarded prior to the hashing, so it wasn't compared at login. Less than 8 characters left few unique possibilities for the hash so it's recommended to use at least 8 to get the full benefit (more than 8 don't matter and sometimes it's easier to remember the full password even if part of it is irrelevant, much like telephone numbers that are spelled out in words are easy to remember, but if they're longer than 7 numbers the last part is actually discarded when you dial). I *think* (although I haven't confirmed) that newer methods like md5 and blowfish actually hash more than 8 characters, but I would need to check on that.
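chort's last two paragraphs make two points a defender can check directly: the OpenSSH/PAM timing leak came from the login path doing less work for an unknown username than for a known one, and the traditional DES crypt() silently drops everything after the eighth character. The Python below is an added illustration for this thread, not code from the thread or from any of the systems named in it. It models the 8-character truncation with SHA-256 rather than real DES (the truncation rule is what is being shown, not the DES algorithm) and contrasts it with a salted PBKDF2 hash over the whole password; its `UserDB.verify` hashes against a dummy record for unknown users so that a failed login costs the same work whether or not the account exists. chort's hunch about newer schemes is right: md5crypt hashes the whole password, and bcrypt uses up to 72 bytes. The names `legacy_hash`, `modern_hash` and `UserDB`, and the user/password pairs, are constructed for this example.

```python
import hashlib
import hmac
import os

# Constructed model of the legacy crypt(3) rule chort describes: only the
# first 8 characters of the password reach the hash function. SHA-256 stands
# in for DES here; what is modelled is the truncation, not the DES algorithm.
LEGACY_SIGNIFICANT_CHARS = 8


def legacy_hash(password: str, salt: bytes) -> bytes:
    """8-character-truncating hash (model of classic DES crypt)."""
    truncated = password[:LEGACY_SIGNIFICANT_CHARS].encode()
    return hashlib.sha256(salt + truncated).digest()


def modern_hash(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash over the whole password (md5crypt/bcrypt style)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


class UserDB:
    """Minimal password store whose login check does equal work for every
    username, so response time does not reveal which accounts exist."""

    def __init__(self, scheme):
        self.scheme = scheme
        self.users = {}          # name -> (salt, stored_hash)
        self.hash_calls = 0      # instrumentation: hashes computed in verify()
        # Dummy record consulted for unknown users; it can never be logged into.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = scheme(os.urandom(32).hex(), self._dummy_salt)

    def add_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[name] = (salt, self.scheme(password, salt))

    def verify(self, name: str, password: str) -> bool:
        record = self.users.get(name)
        if record is None:
            # Unknown user: hash against the dummy record anyway, so the
            # "password failed" path costs the same as for a real account.
            salt, stored, exists = self._dummy_salt, self._dummy_hash, False
        else:
            salt, stored = record
            exists = True
        self.hash_calls += 1
        candidate = self.scheme(password, salt)
        # Constant-time comparison; a match only counts for a real account.
        return hmac.compare_digest(candidate, stored) and exists


def truncation_demo():
    """Same user/password under both schemes; returns which login attempts succeed."""
    results = {}
    for label, scheme in (("legacy", legacy_hash), ("modern", modern_hash)):
        db = UserDB(scheme)
        db.add_user("shanenin", "correcthorsebattery")   # 19 characters
        results[label] = {
            "exact":        db.verify("shanenin", "correcthorsebattery"),
            "first8_only":  db.verify("shanenin", "correcth"),
            "tail_changed": db.verify("shanenin", "correcthorseSTAPLE"),
            "wrong":        db.verify("shanenin", "incorrect"),
        }
    return results


def enumeration_demo():
    """Returns (hashes for a known user, hashes for an unknown user): both 1."""
    db = UserDB(modern_hash)
    db.add_user("shanenin", "correcthorsebattery")
    before = db.hash_calls
    db.verify("shanenin", "wrong-password")
    known_cost = db.hash_calls - before
    db.verify("no-such-user", "wrong-password")
    unknown_cost = db.hash_calls - before - known_cost
    return known_cost, unknown_cost


if __name__ == "__main__":
    for scheme, outcome in truncation_demo().items():
        print(scheme, outcome)
    print("hash computations for known vs unknown user:", enumeration_demo())
```

Under the legacy model "correcth" and "correcthorseSTAPLE" both log in as shanenin, which is exactly why the distribution warned that characters past the eighth would be truncated; under the full-length scheme only the exact password does. The dummy-record trick in `verify` is the standard fix for the enumeration chort describes: the expensive hash runs once per attempt regardless of whether the username exists, so timing the failure message tells the caller nothing about the account list.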