Anaconda 22.17+ enforces "good" passwords

Stephen John Smoogen smooge at gmail.com
Tue Feb 24 16:00:16 UTC 2015


On 24 February 2015 at 08:53, Chris Murphy <lists at colorremedies.com> wrote:

> On Tue, Feb 24, 2015 at 8:45 AM, Stephen John Smoogen <smooge at gmail.com>
> wrote:
> >
> >
> > On 24 February 2015 at 05:46, Hubert Kario <hkario at redhat.com> wrote:
> >>
> >> On Tuesday 24 February 2015 13:08:46 Tomas Mraz wrote:
> >> > On Út, 2015-02-24 at 12:32 +0100, Hubert Kario wrote:
> >>
> >> > > rate limiting and denyhosts have no impact what so ever when the
> >> > > attacker
> >> > > has a botnet to his disposal
> >> >
> >> > Large botnet means that the attack is targeted. I do not think we can
> >> > prevent targeted attack against weak password in the default
> >> > configuration. What we should aim at is prevention of non-targeted
> >> > attacks such as attacks you can see when you open ssh port on a public
> >> > IP almost immediately. These attacks usually come from single IP
> >> > address.
> >>
> >> Not necessarily, I've seen both - where an IP did try just 2 or 3
> >> password/user combinations and ones that did try dozens.
> >>
> >> Having access to botnet is not uncommon or expensive, making it possible
> >> for
> >> "bored student" kind of targeted attacks. You can do low level of such
> >> an
> >> attack with just EC2.
> >>
> >> I'm not saying that we shouldn't have rate limiting, but it shouldn't be
> >> the
> >> only thing above simple dictionary check.
> >>
> >
> > That matches what I am seeing with a couple of random servers I have out
> > there. The number of attacks where IP address one is doing
> >
> > apple:apple
> > apple:123456
> > apple:trustn01
> > apple:...
> > bob:bob
> > bob:123456
> > bob:trustn01
> > bob:password
>
> Half of these will be allowed with the current installer behavior:
> # pwscore
> apple:123456
> 55
> # pwscore
> apple:trustn01
> 84
> # pwscore
> bob:trustn01
> 55
> # pwscore
> bob:password
> 58
>
>
Uhm, that was meant to be account name : password, so you should only test
what is after the :.


-- 
Stephen J Smoogen.
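The correction above is worth making concrete: a checker fed `apple:123456` as one string scores a longer, mixed-class string than the actual password `123456`. The following is an added example, not code from the thread or from libpwquality; it splits constructed `user:password` lines on the first `:` only, runs the simple dictionary and username checks the thread talks about, and uses a rough character-class entropy estimate (an assumption standing in for pwscore, which it does not call) to show how much the whole-pair score is inflated.

```python
"""Added example: audit user:password pairs by scoring only the password.

Not from the thread; the strength heuristic is a stand-in for pwscore.
"""
import math
import string

# Constructed sample of the kind of guesses quoted in the thread, plus one
# strong password so the checker has something to pass.
ATTEMPTS = """\
apple:apple
apple:123456
apple:trustn01
bob:bob
bob:123456
bob:trustn01
bob:password
carol:Xq7!vL2#pR9m
"""

# Constructed stand-in for a common-password dictionary (assumption: a real
# deployment would use the cracklib / libpwquality word list instead).
COMMON_PASSWORDS = {"123456", "password", "trustn01", "qwerty", "letmein"}


def split_attempt(line):
    """Split on the first ':' only, so a password containing ':' survives."""
    user, sep, password = line.partition(":")
    if not sep:
        raise ValueError(f"no ':' separator in {line!r}")
    return user, password


def naive_strength(s):
    """Rough entropy estimate in bits: length * log2(character-class pool).

    Only used to illustrate why scoring 'user:password' as a single string
    reports a higher value than scoring the password on its own.
    """
    pool = 0
    if any(c.islower() for c in s):
        pool += 26
    if any(c.isupper() for c in s):
        pool += 26
    if any(c.isdigit() for c in s):
        pool += 10
    if any(c in string.punctuation for c in s):
        pool += len(string.punctuation)
    return round(len(s) * math.log2(pool), 1) if pool else 0.0


def check_password(user, password):
    """Return the reasons a password is weak; an empty list means it passed."""
    reasons = []
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("in common-password dictionary")
    if password.lower() == user.lower():
        reasons.append("same as username")
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    return reasons


def audit(text):
    """Audit every non-empty 'user:password' line; keyed by the original line."""
    results = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, password = split_attempt(line)
        results[line] = {
            "password_only": naive_strength(password),
            "whole_pair": naive_strength(line),
            "reasons": check_password(user, password),
        }
    return results


if __name__ == "__main__":
    for line, r in audit(ATTEMPTS).items():
        verdict = "weak: " + ", ".join(r["reasons"]) if r["reasons"] else "ok"
        print(f"{line:22} pair={r['whole_pair']:5} "
              f"password={r['password_only']:5}  {verdict}")
```

The `reasons` list is what a dictionary-plus-username check would reject regardless of score, which is the point made earlier in the thread that rate limiting should not be the only control above a simple dictionary check.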