Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
root@metasploitable:/etc/ssh# service sshd restart
service sshd restart
The program 'service' can be found in the following packages:
* debian-helper-scripts
* sysvconfig
Try: apt-get install <selected package>
bash: service: command not found
Hi, and welcome here, at LQ
first of all cracking is not allowed on LQ, so we can't really help you to do that.
Your post contains no usable information about your system and environment, dropping in an error message is not really sufficient to help you. So please read the rules and also this page: https://www.catb.org/esr/faqs/smart-...html#beprecise
service is the old command. Most systems use systemctl, and the verb is first like "systemctl start sshd". Do a "systemctl status sshd" to see the service's status.
but note SSHD used to install on debian with "signing that appeared to make random keys for security" which infact did NOT protect the debian machine from remote login.
it is up to you to test it / make sure your version of (debian) is actually not a root kit
It takes a little work to do this, but you should configure sshd so that digital certificates are required and so that it will not "fall back to 'simple passwords.'"
Although ssh's handling of certificates is still very weak, especially since you can "slip in" a new accepted key without being noticed, it does effectively stop the "brute force attacks" which will otherwise consume a tremendous amount of system resources. Either you have an acceptable key or you don't.
Certificate-based openVPN is far stronger, particularly because an end-user cannot directly specify the set of keys which are allowed. (The keys are not "per-user.") Here you can set things up so that you must first "cross the openVPN moat" before you even get a chance to reach the "ssh portcullis." You can set things up so that the presence of openVPN is hidden: there are no "open ports" to "scan." I wrote an article about this on my own website entitled "Number of Unauthorized Access Attempts: Zero." A key benefit of openVPN is that it runs at the level of the network stack. "It's just there."
Last edited by sundialsvcs; 01-04-2023 at 08:05 PM.
but note SSHD used to install on debian with "signing that appeared to make random keys for security" which infact did NOT protect the debian machine from remote login.
it is up to you to test it / make sure your version of (debian) is actually not a root kit
Just wanted to add that "password cracking" is an entirely legitimate activity, if performed as part of a security audit. In fact, it would be a dereliction of duty for a sysadmin not to do this regularly in order to expose users (deliberately or accidentally) circumventing policy.
Just wanted to add that "password cracking" is an entirely legitimate activity, if performed as part of a security audit. In fact, it would be a dereliction of duty for a sysadmin not to do this regularly in order to expose users (deliberately or accidentally) circumventing policy.
I don't think so. I think the quality of passwords is checked when they are typed. So you can't use something that doesn't fit into the rules. Hacking passwords (and knowing other people's passwords) in my opinion (at my company) is not allowed for anyone for any reason.
If you change the rules you can force the people to change their passwords.
I don't think so. I think the quality of passwords is checked when they are typed.
The word lists are constantly updated, and the methodologies of password guessing change over time as well.
Besides, it's not practically possible to implement a realtime password validator that goes through thousands of permutations of every phrase in a reasonably-sized list.
In BLFS you can build and install a program called CrackLib which monitors entered passwords for quality and rejects those that are easily cracked. But if you install it, you have to rebuild shadow to take advantage of it.
But, there are a few "reality checks" that you can apply when someone wants to focus too-much on "password cracking" ...
• Can an outsider actually situate himself into the position where he could actually exploit a "vulnerable" password?
• And, if he did, would he thereby gain sufficient access to be "significant?"
• And, if he did, is it reasonable that he would actually know "what to do next," unless our "intruder" was actually an insider?
• Would our supposedly-ignorant "intruder" actually be able to try "the right" password before tripping other conventional defenses such as "failed password count locks?"
"Portals" that might be accessible to authorized employees, who might actually be in the position to use such passwords, should be stoutly protected by properly-implemented VPNs, not(!) SSH! To enter the front hall of the building, you must first have a unique badge. Once inside that front hall, you will be given the opportunity to present a password. Two layers of defense.
IMHO, "SSH" should never be your first, public-facing, line of defense! Because this will directly(!) present any potential intruder with the following irresistible target:
login:
Instead, let "SSH" be your portcullis, while VPN is your moat. (Ideally, if using "OpenVPN" and tls-auth, with a hidden(!) drawbridge.)
Last edited by sundialsvcs; 02-22-2023 at 12:41 PM.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.