
Thread: host name and security

  1. #11
    Join Date
    Sep 2007
    Location
    EU
    Beans
    224
    Distro
    Ubuntu Development Release

    Re: host name and security

    Quote Originally Posted by pytheas22 View Post
    I've also noticed that a lot of the headers for mail I send contain my host name, so anyone I email (or who sniffs and reads my mail while it's in transit) knows it if he wants it. This is not a big deal, as the chances of someone looking at a mail header and exploiting the information in this way are very, very low, but my understanding of computer security is that no matter how safe you think you are, you should still try to do better.

    Anyway, I just wanted to know if this was a legitimate concern (even if there are a lot of more pressing things to worry about). Thanks all for the information.
    I also asked myself the same question some time ago. That's why I have changed that automatic naming. On the other hand, I have a few misunderstandings with chkrootkit and rkhunter warnings. Hardy, from which I write at this moment, has only firestarter, chkrootkit and rkhunter installed apart from the box realize packages, and it still warns me about hidden "something" in /dev/, and the chkrootkit warning is even worse: it warns me about a possible trojan. Scary, isn't it?

  2. #12
    Join Date
    Apr 2008
    Location
    UK
    Beans
    1,098

    Re: host name and security

    Quote Originally Posted by pytheas22 View Post
    Anyway, I just wanted to know if this was a legitimate concern (even if there are a lot of more pressing things to worry about). Thanks all for the information.
    Access to your sshd is protected by the very strong password you have chosen or the ssh keys you have set up. Knowing a username on the machine is completely irrelevant and does not affect the security you have in place.

    Think in terms of at least thousands of years to brute force a ssh key. ssh probes are short lived, directed against weak security, have no intelligence behind them and stand no serious chance of succeeding.
    Brian.

  3. #13
    Join Date
    Feb 2008
    Beans
    606
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: host name and security

    Quote Originally Posted by Monicker View Post
    Javascript was also found, in theory at least, to be able to connect to the web interface of the typical home router.
    Who needs Javascript? Some home routers can be reprogrammed by an <IMG> tag (see the recent DNS reprogramming attack in Mexico).

    While I agree that SSH should rely on strong passwords or keys, I still lean towards giving an attacker as little information as possible; if they don't know your username then it's much harder to try to break in, which is why login programs no longer tell you that you entered an invalid user ID.

  4. #14
    Join Date
    Dec 2006
    Location
    Chicago
    Beans
    3,839
    Quote Originally Posted by movieman View Post
    Who needs Javascript? Some home routers can be reprogrammed by an <IMG> tag (see the recent DNS reprogramming attack in Mexico).

    While I agree that SSH should rely on strong passwords or keys, I still lean towards giving an attacker as little information as possible; if they don't know your username then it's much harder to try to break in, which is why login programs no longer tell you that you entered an invalid user ID.
    I agree, but how is using your user name as part of your computer name giving up information? As far as I can tell, there is no way to retrieve the computer name remotely unless they are running a server which broadcasts it like samba, or an application such as flash is compromised, in which case they could probably just as easily get a list of users as they can your computer name.

    I have read about javascript and java applets that can determine your local ip and local hostname when you view a web page.
    Are you sure you're not talking about this hostname?

  5. #15
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Beans
    1,393
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: host name and security

    Quote Originally Posted by cdenley View Post
    Are you sure you're not talking about this hostname?
    Nope. The methods were for retrieving the local hostname.

  6. #16
    Join Date
    Dec 2006
    Location
    Chicago
    Beans
    3,839

    Re: host name and security

    Quote Originally Posted by Monicker View Post
    Nope. The methods were for retrieving the local hostname.
    Any reference? Was this a feature or a bug? If it was a bug, was it fixed? If it was a feature, did it retrieve Linux hostnames?

  7. #17
    Join Date
    Feb 2008
    Beans
    606
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: host name and security

    Quote Originally Posted by cdenley View Post
    I agree, but how is using your user name as part of your computer name giving up information?
    For one example, if they can get onto your local network and see a bunch of other machine names, that allows them to attack those machines more easily. Now, it may well be that all those machines have the same users listed in their password file anyway so there's no benefit.

    I don't know whether it's still the case, but a lot of network services used to have the host name in the banner, which would allow remote access to the name.
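
The two exposure paths raised in this thread (mail headers and service banners carrying the host name) can be audited on your own machine. The following is an added example, not code from any poster: the message, banners, host name `alice-laptop` and all addresses are constructed samples, and the function names are hypothetical.

```python
import email
import re
import socket

# Constructed sample of a sent message; every name and address is made up.
SAMPLE_MAIL = """\
Received: from alice-laptop (unknown [192.0.2.10])
\tby mail.example.org (Postfix) with ESMTP id 4F1A2
\tfor <bob@example.net>; Mon, 2 Jun 2008 10:00:00 +0000
Message-ID: <1212400800.1234.5.camel@alice-laptop>
From: Alice <alice@example.org>
To: bob@example.net
Subject: hello
X-Mailer: Evolution 2.22.1

Hi Bob
"""

# Constructed greeting lines, as an SMTP and an FTP daemon might send them.
SAMPLE_BANNERS = [
    "220 alice-laptop ESMTP Postfix (Ubuntu)",
    "220 (vsFTPd 2.0.6)",
]


def _host_pattern(hostname=None):
    # Default to this machine's own name; compare on the short (first) label.
    short = (hostname or socket.gethostname()).split(".")[0]
    # Match only a whole DNS label, so "laptop" does not hit "alice-laptop".
    label = r"(?<![A-Za-z0-9-])%s(?![A-Za-z0-9-])" % re.escape(short)
    return re.compile(label, re.IGNORECASE)


def headers_leaking_host(raw_mail, hostname=None):
    """Return the names of headers whose value contains the host name."""
    msg = email.message_from_string(raw_mail)
    pat = _host_pattern(hostname)
    # Folded (multi-line) header values are searched as one string.
    return [name for name, value in msg.items() if pat.search(str(value))]


def banners_leaking_host(banners, hostname=None):
    """Return the banner lines that contain the host name."""
    pat = _host_pattern(hostname)
    return [b for b in banners if pat.search(b)]
```

To audit real traffic, feed `headers_leaking_host` the raw source of a message from your Sent folder and leave `hostname` unset so the local name is used.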

  8. #18
    Join Date
    Apr 2008
    Location
    UK
    Beans
    1,098

    Re: host name and security

    Quote Originally Posted by movieman View Post
    While I agree that SSH should rely on strong passwords or keys, I still lean towards giving an attacker as little information as possible; if they don't know your username then it's much harder to try to break in, which is why login programs no longer tell you that you entered an invalid user ID.
    We're talking about focussed ssh break-in attempts here, right? So not your usual automated dross which hasn't any knowledge of the system it is probing.

    User ID known and a 2048 bit key to brute force. What is our expectation that this will be done within 1,000,000 years? How about zero? So, a 100% secure account.

    User ID unknown so the attacker guesses 100, none of which exist on that machine. Expectation of success? Zero. So again we have a 100% secure account. But not knowing the username hasn't increased security. I'm prepared to give out a list of user IDs used here and reckon it will not detract from the security of ssh communication.
    Brian.
