Linux - Security forum (LinuxQuestions.org)
06-11-2006, 12:33 PM | #1
Member | Registered: Nov 2005 | Posts: 144
How long should the root password be?
I'm wondering how long the root password should be.
I'm running a desktop computer which is connected to the internet almost all the time. Which password length would you recommend? What would you recommend for a high-value server?
Currently, I'm using a random alphanumeric password (a-z, 0-9) with 8 characters, which yields a password strength of about 40 bits. Do you think that is enough?
Regards,
Lotharster
06-11-2006, 12:58 PM | #2
Senior Member | Registered: Mar 2003 | Distribution: Fedora | Posts: 3,658
An 8-character alphanumeric password is really the bare minimum IMHO. Including some type of punctuation or special character significantly helps to increase the complexity of a brute force as well. It's also very important to have your passwords be reasonably random and not be simple variations of dictionary words; things like 'password1' or 'abcd1234' would be exceptionally poor.
If you are going to allow any kind of remote access (like ssh) I'd also highly recommend that you configure the authentication on the system so that you cannot directly log in as root, but instead are required to log in as a normal user and su to root.
06-11-2006, 01:36 PM | #3
Senior Member | Registered: Nov 2004 | Distribution: Mint, MX, antiX, SystemRescue | Posts: 2,337
The passwords I use now for all accounts (not just root) are typically 10-12 characters long. I could not even write down my passwords for you. I create them more with "motions" and "rhythms" on the keyboard, more like playing the piano than typing words. I do have a phrase in my head that helps me remember how to get started typing, but that phrase does not directly come out in the password. I rhythmically hit the SHIFT key during typing to get an upper/lowercase mix, and I rhythmically "reach higher" on the keyboard (by this I mean my memorized phrase might make me think of a "t", but I reach higher and get a "6" or "^" on the upper key row instead). You can get some really good random passwords this way.
But I did run into a downside once. I cut my finger and had a band-aid on it. This screwed up my "finger memory" and made it a little tough to get the password entered!
06-11-2006, 02:02 PM | #4
Member (Original Poster) | Registered: Nov 2005 | Posts: 144
Thanks for your replies, now I have one more question:
What kinds of attacks against my root password should I guard against?
I've disabled ssh root login as well as password authentication, so how could a "bad guy" try to hack into my root account?
Regards,
Lothar
06-11-2006, 02:04 PM | #5
Senior Member | Registered: Nov 2004 | Distribution: Mint, MX, antiX, SystemRescue | Posts: 2,337
A few more things to consider for a desktop, assuming it is only you or a very limited set of people needing access:
---
Open up one and only one port on your system ... port 22 ... ssh. Firewall out everything else, and configure required services to listen only on the localhost adapter if possible. If you want to access any of these other services you will need to use an ssh tunnel.
Research what they do, and consider using the following options in sshd_config (NOTE: I only allow pubkey authentication, so NO password guessing!)
Code:
# listen on all IPv4 addresses; narrow this to one address if the box has several
ListenAddress 0.0.0.0
# ignore .rhosts/.shosts files entirely
IgnoreRhosts yes
# never let root log in over ssh; log in as a user and su
PermitRootLogin no
# only these accounts may authenticate at all
AllowUsers <userid1> <userid2>
# SSH protocol 1 is obsolete; allow only protocol 2
Protocol 2
# log key fingerprints and extra detail for auditing
LogLevel VERBOSE
# handle the unauthenticated network stage in an unprivileged child
UsePrivilegeSeparation yes
# public-key authentication is the only method left enabled
PubkeyAuthentication yes
# protocol-1 RSA, rhosts-based and host-based methods off
RSAAuthentication no
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
# no password, keyboard-interactive or Kerberos authentication
ChallengeResponseAuthentication no
PasswordAuthentication no
KerberosAuthentication no
# do not hand interactive sessions to login(1), and do not use PAM
UseLogin no
UsePAM no
Consider using an "adaptive firewall". I believe this term was originally coined by Bob Toxen in his book on Linux security, but I may be wrong in crediting him with the origin. Basically you spawn a script from hosts.allow that can quickly create tcpwrapper rules or iptables rules to lock out crackers. Bob's implementation of this is named "Cracker Trap". I wrote my own, to meet my personal needs, after recently attending a class taught by Bob.
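An added example (not code from the post above): a small audit that parses sshd_config text and reports every option that deviates from the hardening values the post recommends. The config text below is a constructed sample with two deliberate deviations, and the EXPECTED table is this example's own choice of options to check; both are assumptions, not the poster's settings.

```python
# Added example (not from the LQ post): audit an sshd_config text against the
# hardening values recommended in the thread. Constructed sample config below
# contains two deliberate deviations so the audit has something to report.
import re

# Option name (sshd_config options are case-insensitive) -> required value.
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "challengeresponseauthentication": "no",
    "pubkeyauthentication": "yes",
    "hostbasedauthentication": "no",
    "ignorerhosts": "yes",
    "protocol": "2",
}

SAMPLE_CONFIG = """\
# constructed sshd_config sample for the audit
ListenAddress 0.0.0.0
PermitRootLogin yes
Protocol 2
PubkeyAuthentication yes
# PasswordAuthentication no      <- commented out, so the default (yes) applies
PermitEmptyPasswords no
ChallengeResponseAuthentication no
HostbasedAuthentication no
IgnoreRhosts yes
AllowUsers alice bob
"""


def parse_sshd_config(text):
    """Return {lowercased option: value} from sshd_config text.

    sshd uses the *first* occurrence of an option, so later duplicates are
    ignored here too. Comments and blank lines are skipped; key and value may
    be separated by whitespace or '='. Match blocks are not modelled.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        opts.setdefault(key, value)      # first occurrence wins
    return opts


def audit(text, expected=EXPECTED):
    """Return a list of (option, found, wanted) for every deviation.

    A missing option is reported as 'unset' so the reader checks the
    compiled-in default rather than assuming it is safe.
    """
    opts = parse_sshd_config(text)
    findings = []
    for key, wanted in expected.items():
        found = opts.get(key, "unset")
        if found.lower() != wanted:
            findings.append((key, found, wanted))
    return findings


if __name__ == "__main__":
    for key, found, wanted in audit(SAMPLE_CONFIG):
        print(f"{key}: found {found!r}, expected {wanted!r}")
```

Run against the sample it reports PermitRootLogin (set to yes) and PasswordAuthentication (unset, so the default applies); on a real host, feed it the contents of /etc/sshd_config or /etc/ssh/sshd_config, and remember that `sshd -T` prints the effective values if you prefer to audit those instead.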
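An added example of the "adaptive firewall" idea in the post above (this is not Bob Toxen's Cracker Trap nor the poster's script): count sshd authentication failures per source address in auth-log lines and produce the tcpwrappers hosts.deny entries a lockout script would append once a threshold is crossed. The log lines are constructed samples in the standard sshd syslog format, the threshold and allowlist are this example's assumptions, and the allowlist exists so that the administrator's own address can never be blocked by a mistyped passphrase.

```python
# Added example (not from the LQ post): minimal adaptive-firewall check.
# Counts failed sshd logins per source IP in constructed auth-log lines and
# returns the hosts.deny entries a lockout script would write.
import re
from collections import Counter

# Constructed sample of auth.log lines in the usual sshd format.
SAMPLE_LOG = """\
Jun 11 14:02:11 desk sshd[4012]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2
Jun 11 14:02:14 desk sshd[4012]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2
Jun 11 14:02:17 desk sshd[4015]: Failed password for root from 203.0.113.5 port 4250 ssh2
Jun 11 14:02:19 desk sshd[4015]: Failed password for root from 203.0.113.5 port 4250 ssh2
Jun 11 14:02:25 desk sshd[4018]: Failed password for root from 203.0.113.5 port 4260 ssh2
Jun 11 14:03:01 desk sshd[4020]: Failed password for lothar from 198.51.100.7 port 5110 ssh2
Jun 11 14:03:09 desk sshd[4020]: Accepted publickey for lothar from 198.51.100.7 port 5110 ssh2
Jun 11 14:05:40 desk sshd[4031]: Invalid user oracle from 203.0.113.9
"""

# Matches "Failed <method> for ... from <ip>" and "Invalid user ... from <ip>".
FAILED = re.compile(
    r"sshd\[\d+\]: (?:Failed \S+ for|Invalid user) .*?from (\d{1,3}(?:\.\d{1,3}){3})"
)


def failed_logins_by_source(log_text):
    """Count sshd authentication failures per source IP address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def hosts_deny_entries(log_text, threshold=3, allowlist=()):
    """Return 'sshd: <ip>' hosts.deny lines for sources at or above threshold.

    Addresses in allowlist (your own workstation, for instance) are never
    blocked, so a mistyped passphrase cannot lock the administrator out.
    """
    counts = failed_logins_by_source(log_text)
    return [f"sshd: {ip}" for ip, n in counts.most_common()
            if n >= threshold and ip not in allowlist]


if __name__ == "__main__":
    for entry in hosts_deny_entries(SAMPLE_LOG, threshold=3):
        print(entry)          # what a lockout script would append to /etc/hosts.deny
```

With the sample log only 203.0.113.5 crosses the threshold of three failures; the legitimate user who mistyped once and then authenticated with a key is left alone. A real lockout script would also expire entries after some time so that a spoofed or shared address does not stay blocked forever.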
06-11-2006, 02:39 PM | #6
Senior Member | Registered: Nov 2004 | Distribution: Mint, MX, antiX, SystemRescue | Posts: 2,337
Quote:
Originally Posted by Lotharster
What kinds of attacks against my root password should I guard against?
Attackers attempt to gain a root shell on your system. Guessing a root password is one way, but there are other ways to gain access without needing to know the password.
Quote:
I've disabled ssh root login as well as password authentication, so how could a "bad guy" try to hack into my root account?
Unfortunately, there are many more ways to crack into a system than I could tell you (I know of a few, but certainly not all). What you've done so far is a great initial step. Make sure you also turn off all unneeded services! Put strong passwords on every account. For accounts that never need direct shell access, turn it off in /etc/passwd. Here's an example of how this is done for sshd on my system (the shell is specified as "/bin/false"):
Code:
sshd:x:101:65534::/var/run/sshd:/bin/false
After you've done the above, you're in better shape than many people. Now start reading some books and go after closing the more subtle holes.
A good book, that will probably scare the pants off you, is "Hacking Exposed" (5th edition - I think is the current one). There are other books in the "Hacking ... Exposed" series but I have not read them yet. Another good book is the one I mentioned earlier by Bob Toxen - "Real World Linux Security" (2nd edition).
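An added example (not code from the post above) of the /etc/passwd check the poster describes: parse passwd lines and list the system accounts that still have a login shell. The passwd text is a constructed sample, and the UID range and set of non-login shells are this example's assumptions; root is skipped because you still need to su to it.

```python
# Added example (not from the LQ post): find system accounts in /etc/passwd
# that can still get an interactive shell. The passwd text is constructed.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sshd:x:101:65534::/var/run/sshd:/bin/false
www-data:x:33:33:www-data:/var/www:/bin/bash
lothar:x:1000:1000:Lothar,,,:/home/lothar:/bin/bash
"""

# Shells that refuse an interactive session (assumed set; extend for your distro).
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def parse_passwd(text):
    """Return a list of (name, uid, shell) for each well-formed passwd line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue                      # malformed line: skip rather than guess
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        entries.append((name, int(uid), shell))
    return entries


def interactive_system_accounts(text, system_uid_max=999):
    """Names of system accounts (1 <= uid <= system_uid_max) that can log in.

    Human users above the system range are expected to have a shell and are
    left out; root is left out because you su to it. An empty shell field
    means /bin/sh to login(1), so it counts as a login shell.
    """
    flagged = []
    for name, uid, shell in parse_passwd(text):
        if uid == 0 or uid > system_uid_max:
            continue
        effective = shell or "/bin/sh"
        if effective not in NOLOGIN_SHELLS:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    with open("/etc/passwd") as fh:       # run on the real file on your own box
        for name in interactive_system_accounts(fh.read()):
            print(f"{name}: system account with a login shell")
```

On the sample, daemon and www-data are flagged while sshd and bin are not; on a real system, check each flagged account before changing its shell, since a few daemons do run scripts through it.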
06-11-2006, 11:08 PM | #7
Member | Registered: Apr 2005 | Posts: 131
Wow, you guys are all into some major overkill. I just use the password "password" on all my accounts. That really helps me to never forget my password.
06-12-2006, 03:29 AM | #8
Member | Registered: Feb 2002 | Location: India | Distribution: Slacky 12.1, XP | Posts: 992
More than the length, it's the complexity of the password which matters a lot; "22usc336" is better than "abracadabra".
06-14-2006, 09:48 AM | #9
Member | Registered: Oct 2005 | Location: Denmark | Distribution: Gentoo & XP pro for gaming | Posts: 152
Quote:
Originally Posted by jayakrishnan
More than the length, it's the complexity of the password which matters a lot; "22usc336" is better than "abracadabra".
Don't forget special characters: /()&¤"!@{[]?`´''*"';:
Always have the 3 types:
text (lower AND upper case)
numbers
special characters
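An added example (not from any post in this thread) that puts numbers on the original question, on post #8's comparison and on the three-class rule above: it estimates the bits of a password from the character classes it uses and the length needed to reach a target. The class definitions and the "smallest alphabet that contains the password" rule are this example's assumptions, and the estimate only holds for passwords generated uniformly at random: "abracadabra" receives a higher nominal figure than "22usc336" because it is longer, yet it is a dictionary word that any wordlist finds at once, so the calculator says nothing useful about it.

```python
# Added example (not from the LQ thread): strength estimate for *randomly
# generated* passwords, based on the character classes the thread discusses.
import math
import string

# Assumed class definitions; together they cover the 94 printable ASCII
# characters apart from space.
CLASSES = {
    "lower": set(string.ascii_lowercase),    # 26
    "upper": set(string.ascii_uppercase),    # 26
    "digits": set(string.digits),            # 10
    "special": set(string.punctuation),      # 32
}


def classes_used(password):
    """Names of the character classes the password draws on."""
    return [name for name, chars in CLASSES.items()
            if any(c in chars for c in password)]


def alphabet_size(password):
    """Size of the smallest union of classes that contains every character."""
    return sum(len(CLASSES[name]) for name in classes_used(password))


def entropy_bits(password):
    """log2(alphabet ** length), valid only if each character was chosen uniformly."""
    size = alphabet_size(password)
    return len(password) * math.log2(size) if size else 0.0


def length_for_bits(size, target_bits):
    """Shortest length over an alphabet of `size` symbols reaching >= target_bits."""
    return math.ceil(target_bits / math.log2(size))


if __name__ == "__main__":
    for pw in ("22usc336", "abracadabra", "Tr0ub4dor&3"):
        print(f"{pw:14s} classes={classes_used(pw)} alphabet={alphabet_size(pw)} "
              f"bits={entropy_bits(pw):.1f}")
    for size in (26, 36, 62, 94):
        print(f"alphabet {size:3d}: {length_for_bits(size, 40):2d} chars for 40 bits, "
              f"{length_for_bits(size, 80):2d} chars for 80 bits")
```

For the original poster's case the calculator confirms the estimate in the question: 8 characters over the 36-symbol alphabet give about 41 bits, and the same 40 bits need 9 lowercase-only characters or 7 drawn from all four classes.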