Re: hosting a secure website accessible from only a few IP addresses and users

From: Walter Roberson (roberson_at_ibd.nrc-cnrc.gc.ca)
Date: 06/24/03

    Date: 24 Jun 2003 07:12:20 GMT

    In article <d04df644.0306231809.53bd087b@posting.google.com>,
    2pac <cal_2pac@yahoo.com> wrote:
    :Thanks for the suggestions
    :a) family has got static IPs
    :b) authenticated user logins (OR logins over SSL) may be useful - but
    :am wondering how good against hacker brute force or dictionary
    :attacks.
    :If popular websites can get hacked - the moment I let someone know
    :that there is a port open (and the identity of the web server
    :software) - I may be susceptible to attack

    You are going to be "susceptible to attack" as long as you
    use your computer on the net (even if not as a server.)

    If you do not use your computer on the net, your computer
    is still susceptible to attacks if someone can convince you to
    load software they sent you. And even if you never run anything
    you didn't write yourself and you never connect to the net,
    you are susceptible to "Van Eck monitoring" or Tempest-
    type attacks. And if you lock your computer in a shielded room,
    there are attacks based upon monitoring your voltage draw,
    or based upon introducing a spy device ("bug") inside the room.

    Basically, as long as the computer exists, it is "susceptible
    to attack".

    Brute force attacks take *time*. How many connections per second will
    your firewall allow? 1000 perhaps? If the average entropy of characters
    in the passwords is (say) 5 bits [i.e., an assumption that people do
    NOT select password characters very randomly], and if the minimum
    password length is 6 characters [rather on the short side], then there
    would be 2^(5*6) = 2^30 passwords, which is about 10^9. At 1000 per
    second, it'd still take an average of 500,000 seconds to brute force,
    which is about 5 3/4 days -continuous-, under these assumptions of weak
    passwords. Is your setup going to be such that you aren't going
    to -notice- a concerted breakin effort within 6 days?

    -- 
       Come to think of it, there are already a million monkeys on a million
       typewriters, and Usenet is NOTHING like Shakespeare.  -- Blair Houghton.
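The brute-force estimate in the post above, carried through in code, together with the second half of its argument (would you notice the attempt?). This is an added example and not part of Walter Roberson's post: the log format, the source addresses, the allowlisted "family" networks and the threshold and window values are all constructed for the illustration.

```python
"""Added example (not from the original post).

1. bruteforce_seconds(): expected time to guess a password from the
   per-character entropy, minimum length and attempts/second the post uses.
2. detect_bruteforce(): a small detector over constructed login-log lines
   that flags any source IP with too many failed logins inside a window.
3. ips_outside_allowlist(): which of those sources a firewall allowlist of
   the family's static IPs would have dropped before they reached the web
   server at all.

Log format, addresses and allowlist are constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


def bruteforce_seconds(bits_per_char, length, attempts_per_second):
    """Expected seconds to guess a password: half the keyspace on average.

    keyspace = 2 ** (entropy per character * minimum length)
    """
    keyspace = 2 ** (bits_per_char * length)
    return keyspace / 2 / attempts_per_second


# Constructed allowlist: the family's static IPs (documentation ranges).
ALLOWLIST = [ip_network("198.51.100.0/29"), ip_network("192.0.2.10/32")]

# Constructed log: "<ISO timestamp> <source IP> <FAIL|OK> user=<name>".
# 203.0.113.7 hammers three accounts in six seconds; 203.0.113.9 fails
# four times but spread over 35 minutes; 198.51.100.2 is a family member
# who mistyped once.
SAMPLE_LOG = """\
2003-06-24T07:12:20 198.51.100.2 FAIL user=dad
2003-06-24T07:12:25 198.51.100.2 OK user=dad
2003-06-24T07:13:00 203.0.113.7 FAIL user=admin
2003-06-24T07:13:01 203.0.113.7 FAIL user=admin
2003-06-24T07:13:02 203.0.113.7 FAIL user=root
2003-06-24T07:13:03 203.0.113.7 FAIL user=root
2003-06-24T07:13:04 203.0.113.7 FAIL user=dad
2003-06-24T07:13:05 203.0.113.7 FAIL user=dad
2003-06-24T07:20:00 203.0.113.9 FAIL user=dad
2003-06-24T07:25:00 203.0.113.9 FAIL user=dad
2003-06-24T07:40:00 203.0.113.9 FAIL user=dad
2003-06-24T07:55:00 203.0.113.9 FAIL user=dad
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, result, user)."""
    ts, ip, result, user = line.split()
    return datetime.fromisoformat(ts), ip_address(ip), result, user.split("=", 1)[1]


def is_allowed(ip):
    """True if the source address falls inside one of the allowlisted networks."""
    return any(ip in net for net in ALLOWLIST)


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: timestamp} for each IP at the moment it reached
    `threshold` failed logins within a sliding `window`.

    Failures older than the window are discarded, so a slow trickle of
    mistakes never trips the alarm while a concerted effort does.
    """
    recent_failures = defaultdict(deque)
    alerts = {}
    for line in log_text.splitlines():
        ts, ip, result, _user = parse_line(line)
        if result != "FAIL":
            continue
        q = recent_failures[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts


def ips_outside_allowlist(log_text):
    """Sources the firewall allowlist would drop before the login page
    is ever reached (sorted as strings for readability)."""
    seen = {parse_line(line)[1] for line in log_text.splitlines()}
    return sorted(str(ip) for ip in seen if not is_allowed(ip))


if __name__ == "__main__":
    secs = bruteforce_seconds(bits_per_char=5, length=6, attempts_per_second=1000)
    print(f"expected brute-force time: {secs:,.0f} s = {secs / 86400:.1f} days")
    for ip, when in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip} reached the failure threshold at {when.isoformat()}")
    print("dropped by allowlist:", ips_outside_allowlist(SAMPLE_LOG))
```

With the post's own numbers (5 bits per character, 6 characters, 1000 attempts per second) the expected time is about 537,000 seconds, a little over six days; the detector flags the fast attacker five seconds into its run, while the allowlist would have kept both outside addresses off the server entirely.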
    
