[Freedombox-discuss] Block brute force login attacks?
Sandy Harris
sandyinchina at gmail.com
Sun Jun 15 15:18:30 UTC 2014
Petter Reinholdtsen <pere at hungry.com> wrote:
>
> Time to pick up this thread again, and set up some defence against the
> simple and stupid brute force attacks. ...
Yes.
> These are the known options:
... [his list is quite reasonable, but snipped out here] ...
> These options are not exclusive, and we can pick combinations that make
> sense. I believe it is best to handle this issue on the PAM level, and
> there we have two options. Because libpam-shield is orphaned and have
> so huge block period, I conclude that libpam-abl is our best option. We
> should also look at disabling password login from the Internet over ssh,
> and only allow it on the local network.
Sounds sensible, but I think there is another option. Back in 2011,
I started a thread with subject "crypto questions". The password
part of my post was:
" Passwords are a standard security mechanism and very often
" a weak link. You can avoid passwords altogether for many
" server activities by using the public key stuff in SSH. Great
" for some of us, but is it going to be usable by our target
" market? If not, what would that take?
" One thing to look at is ways to eliminate the default
" password at setup:
" http://www.turnkeylinux.org/blog/end-to-default-passwords
" Another is Bcrypt, a password system that aims
" to be more secure:
" An overview/advocacy article:
" http://codahale.com/how-to-safely-store-a-password/
" The original technical paper:
" http://www.usenix.org/events/usenix99/provos.html
" Bcrypt is the default for NetBSD. It is available in the
" Ubuntu repositories, so I presume also in Debian. I'd
" say it should be the default for the box, and we could
" ask the Debian folks to look at whether it might
" become the default for Debian.
There is also a competition going on to find better
password-handling methods:
https://password-hashing.net/
Both the organizing committee and some of the
tea
It is not expected to give final results until mid-2015,
but is worth keeping in mind.
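One way to implement the option Petter mentions, password login only from the local network, as an sshd_config fragment (added example, not from the thread or the FreedomBox project; the LAN prefixes are assumed RFC 1918 placeholders):

```sshd_config
# Default posture for every connection: public keys only, no passwords.
PasswordAuthentication no
# Keyboard-interactive (PAM) prompts can also carry a password, so turn them off too.
ChallengeResponseAuthentication no
PubkeyAuthentication yes

# Re-enable password login only when the client comes from the local network.
# The ranges below are assumed examples; replace them with the box's real LAN prefix.
# Match blocks apply until the next Match, so keep them at the end of the file.
Match Address 192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,127.0.0.0/8
    PasswordAuthentication yes
```

Check the effective setting for an outside and an inside client with `sshd -T -C addr=203.0.113.7 | grep -i passwordauthentication` and `sshd -T -C addr=192.168.1.20 | grep -i passwordauthentication`; the first should print `no`, the second `yes`.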