question on root password

Discussion in 'all things UNIX' started by moontan, Jul 23, 2012.

Thread Status:
Not open for further replies.
  1. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    i keep my root/sudo password really short and simple since i'm the only user.

    is having a long password against online attacks necessary?

    could someone 'knock at the door' of my connection, so to speak, and try passwords one after the other until he/she finds the right one?
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    They would need to actually be in a program on the system either having exploited one or otherwise.

    I use a pretty simple password - 12 characters. That should be fine.
     
  3. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    tnx Hungry! :D

    i'll add a few more characters.lol
     
  4. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi moontan
    I find adding a period or [full stop], makes it really strong in any password test.

    I.E. :- my.nam.e.is.not.you.rs.

    my..nam..e.is..not..you..rs..

    my..nam...e.is.not...you.rs...

    FYI :- A full stop ( . ) (British, New Zealand and Australian English) or period (American English and Canadian English). :)

    Take Care
    TheQuest :cool:
     
  5. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    OR running an ssh server, assuming no firewall ports open to the internet !
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Password padding is a great way to increase password strength.

    True but then it's not the root password, you'd have a separate password.
     
  7. BrandiCandi

    BrandiCandi Guest

    To expand on what Nick said...
    Are you behind a NAT? If
    Code:
    ifconfig
    tells you your ip is 192.168.x.x or 10.x.x.x, then you're behind a NAT. If you haven't forwarded any ports on the router, then you don't have any services directly facing the internet. When an attacker "knocks on your door" what he's doing is looking for internet-facing ports. If you don't have any then the attacker has nothing to brute-force.

    If you're running a server of any kind (ssh, samba, whatever), and you have the port forwarded from your router, then a brute-force attack like the one you're describing probably happens routinely. But it will brute-force the password of the server account (like HungryMan said), it won't be brute-forcing your sudo password.
     
  8. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    tnx Brandi, i just tried ifconfig and no, i'm not using a NAT (don't even know what that is).

    i don't have a router as a i have only 1 machine.

    so i think i'm ok. ;)
     
  9. BrandiCandi

    BrandiCandi Guest

    Your question is answered: you're probably OK with your sudo password because the sudo password isn't what gets brute-forced. But stronger is better in general for all passwords.

    What I was saying is that the router gives you a layer of protection from remote attacks. If you don't have that then attackers still won't be brute-forcing your sudo password, but they might be brute-forcing your services.

    What kind of firewall do you have? What are its settings? If you don't have a firewall, or you just have the default settings then I recommend you look into a firewall with strong inbound rules.

    Are you running any servers? (ftp, ssh, samba, remote desktop/vnc, cups...) If you don't know the answer you can run
    Code:
    sudo watch netstat -anpe
    and you'll see a list of services listening or established. The last column is "Program name" - it will tell you what you're running. It will look like this:
    netstat.png

    So this screenshot shows I'm running "cupsd" which is a print server, "smbd" and "nmbd" which are related to a samba server, and "avahi-daemon" which kind of replaces the DHCP server in Ubuntu. None of these services are listening on external ports- they only communicate with other machines in my house. Therefore these services can't be directly attacked from the outside. But if you have them running without a router then they are accessible from the internet.

    Anyway, the point is if you have some services running, it's important that you secure them so that a remote attacker can't brute-force the password for those services.
     
  10. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    many tnx to every1 for their inputs! :)

    Brandi, i use the GUFW front-end for the kernel firewall.
    Incoming = Deny, Outgoing = Allow.

    i don't use a server, i even uninstalled Samba from my machine.

    i don't want to get too deep in configuring Linux for security.
    i'm not a Level 9 wizard like some of you folks and don't want to become one either. ;)

    i got away from Windows to leave much of this stuff behind me, i hope. lol

    tnx again folks, much appreciated. :)
     
    Last edited: Jul 30, 2012
  11. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    scan your system from ports online here

    www.grc.com/




    want to check internal open ports/services ...etc scan with zenmap (gui of nmap)

    they have some pre define basic scans check them you get all idea about your PC
     
  12. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    tnx mack.

    i already tested my firewall with Gibson's website.
    the only thing i fail is Ping Request.

    which is similar to the Windows Vista firewall, from what i have read around the 'net.

    i'll look into nmap.
    ----
    edit:
    just tried zenmap.

    way too technical for me.
     
    Last edited: Jul 30, 2012
Loading...
Thread Status:
Not open for further replies.