[Beowulf] Re: "hobbyists"

Perry E. Metzger perry at piermont.com
Thu Jun 19 21:15:39 PDT 2008


"Robert G. Brown" <rgb at phy.duke.edu> writes:
> On Fri, 20 Jun 2008, Chris Samuel wrote:
>> ----- "Joe Landman" <landman at scalableinformatics.com> wrote:
>>
>>> People spend lots of time and effort on security theater.  Make up odd
>>> rules for passwords.  Make them hard to guess and crack.  Well, is
>>> that the vector for break-ins?  Weak passwords?
>>
>> Yeah - sadly.. :-(
>
> Do you have any recent contemporary evidence for that?

Yes. Run a box with sshd on it connected to the internet and watch your
logs for a few days. You will find numerous attempts to try thousands
of possible account names and passwords -- brute force cracking.

Here is an extract from the log on a real machine, one of mine, from
last night:

Jun 19 20:56:53 smaug sshd[2577]: Invalid user secretariat from 70.90.14.154
Jun 19 20:56:54 smaug sshd[2522]: Invalid user secretar from 70.90.14.154
Jun 19 20:56:55 smaug sshd[23949]: Invalid user present from 70.90.14.154
Jun 19 20:56:56 smaug sshd[3440]: Invalid user test from 70.90.14.154
Jun 19 20:56:57 smaug sshd[8809]: Invalid user test from 70.90.14.154
Jun 19 20:56:58 smaug sshd[21600]: Invalid user teste from 70.90.14.154
Jun 19 20:56:59 smaug sshd[314]: Invalid user teste from 70.90.14.154

It goes on and on and on. There are countermeasures you can run to
block the zombies trying to guess passwords, but I rarely bother since
none of my machines allow password based login so their attempts are
useless anyway.

These attacks are done by automated malware that spreads itself around
from machine to machine for nefarious purposes -- good luck trying to
track down the puppet masters. I've tracked the bad guys down a few
times but they're always somewhere like Bucharest anyway, and the
locals don't care to arrest them.

It is true that this is only one of many modern attack vectors and
that buffer overflows, drive by malware downloads into browsers, etc.,
are all far more common ways in, but you will indeed get hacked by
automated systems if you leave an sshd on and have accounts with weak
passwords.

> There are also still -- relatively rarely -- buffer overwrite attacks
> discovered.

Rarely? You haven't been reading full-disclosure lately I see. There
are a half dozen new such vulns found a day.

> Most coders "get it"

No, most of them don't. I've done a lot of code audit in my day. The
average C programmer turned out these days really thinks you use
system("rm filename") to unlink a file, and that's the good part of
their code. For a laugh, google for the "daily wtf" and start reading
some of the stuff you see.

> But weak passwords that are brute force guessed[...]?
> Only on a poorly managed network,

That would be 95% of networks. I've done a lot of network audits in my
day, too.

-- 
Perry E. Metzger		perry at piermont.com
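As an added example, not part of the original post or the thread, here is one way to turn the auth-log pattern shown above into a detector: parse the sshd "Invalid user" lines, group them by source address, and flag any source that makes many guesses within a short window. The sample lines, hostname and addresses below are constructed placeholders in the same format as the extract, not the real entries from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the "Invalid user <name> from <ip>" lines sshd writes to the auth log.
INVALID_USER = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)$"
)

# Constructed sample log (hostname and addresses are placeholders from the
# RFC 5737 documentation ranges, not real hosts).
SAMPLE_LOG = """\
Jun 19 20:56:53 host sshd[2577]: Invalid user secretariat from 198.51.100.7
Jun 19 20:56:54 host sshd[2522]: Invalid user secretar from 198.51.100.7
Jun 19 20:56:55 host sshd[23949]: Invalid user present from 198.51.100.7
Jun 19 20:56:56 host sshd[3440]: Invalid user test from 198.51.100.7
Jun 19 20:56:57 host sshd[8809]: Invalid user test from 198.51.100.7
Jun 19 20:57:10 host sshd[9001]: Invalid user admin from 203.0.113.5
Jun 19 20:58:00 host sshd[9002]: Accepted publickey for perry from 192.0.2.9 port 50122 ssh2
"""

def parse_invalid_users(text, year=2008):
    """Yield (timestamp, user, ip) for each 'Invalid user' line; other lines are skipped."""
    for line in text.splitlines():
        m = INVALID_USER.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]

def brute_force_sources(text, threshold=5, window_seconds=60):
    """Return {ip: (total_attempts, sorted distinct usernames)} for every source
    that made at least `threshold` invalid-user attempts inside one window."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_invalid_users(text):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        times = [t for t, _ in events]
        for i, start in enumerate(times):  # sliding window over sorted times
            j = i
            while j < len(times) and (times[j] - start).total_seconds() <= window_seconds:
                j += 1
            if j - i >= threshold:
                flagged[ip] = (len(events), sorted({u for _, u in events}))
                break
    return flagged
```

The flagged dictionary is the input a blocking countermeasure would act on; a single stray typo from a legitimate user stays below the threshold.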