Fun With Chinese Hackers and Password Strength
Shortcut URL: http://t.conquent.com/bN00
I've been working on a personal API project, so I've been spending a bit more time than usual sitting in front of the computer looking at lines of text. Because I'm building it from the ground up, I've been doing a lot of old-school sysadmin work and logging into my server.
Only yesterday I found I couldn't log into my server. I kept getting an error saying that my key was rejected or that the connection was outright refused. This gives me the same feeling I get when I check my bank balance and it's missing a chunk of money, or maybe when I'm in a foreign country and I can't find my passport. It's not life or death, but it stirs those same tendrils of fear.
So I did my dance… I logged in using Rackspace's console (which is like walking up to the machine and using the keyboard and mouse). The first thing I did was check network connections, and there were a TON from 18.104.22.168. Popping open the website Infosniper.net, I found out it was coming from Jinan, China.
What they were doing is what we call a brute force attack. They were attempting to log in as the root user. You get five tries to type your password and then the server kicks you back out, and then you try again. A simple computer program can rotate through passwords all day long, trying some obvious passwords first (“password”, “password10”, “pa55w0rd”) and then moving on to a simple “run through the common words” algorithm (cities of the world, sports teams, etc. in various combinations).
The thing is, this attack actually works more often than you would think. I personally follow the xkcd comic's advice and use a series of random words -- you get a longer string, and if you use really random phrases they're really hard to break.
For example, I went to the OWASP Passfault site, where they analyze the strength of your password -- no, I didn't enter my actual password, but I tested variations on it and discovered that it would take 138 centuries to crack with current methods. I then grabbed a random phrase from a magazine (StimpsonSetTheGranitePavers) and got 33,199 centuries (the uncommon name Stimpson probably helped).
But the reason this is called “brute force” is that there are so many combinations they have to pound on the server like Chinese Visigoths at the gates to the city. And, honestly, you can never have a completely secure computer.
So, when I logged into my server using the Rackspace backdoor, the first thing I did was type “w” on the command line to see who was logged in -- just little old me, so if they were in, they weren't in my server the way they were trying to get in.
Then I shut down SSH (the Secure Shell server) so that they would go away. I also locked down root access, so they can try to log in as root all they want and just get sent away; that way they're less likely to lock up my SSH server again.
Then I checked the log files to see if they actually DID get in but simply weren't in the house when I logged in. Of course they don't just try “root” as a username, but a quick scan shows what they try to log in with. And they're still hitting it today:
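The "quick scan" of the log is easy to automate. The following is an added Python example (mine, not the post's) that reads sshd lines in the standard Linux auth.log format, tallies failed passwords by source address and by username, flags any address that crosses a failure threshold in the same spirit as fail2ban, and lists successful logins that came from an address that also produced failures. The log lines are constructed for the example and use documentation-range addresses, not the one from the post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the style of a Linux auth.log. The usernames
# echo the ones the post mentions; the addresses are RFC 5737 placeholders.
SAMPLE_AUTH_LOG = """\
Mar  3 09:12:01 web sshd[2113]: Failed password for root from 198.51.100.23 port 50122 ssh2
Mar  3 09:12:03 web sshd[2113]: Failed password for root from 198.51.100.23 port 50122 ssh2
Mar  3 09:12:06 web sshd[2119]: Invalid user oracle from 198.51.100.23
Mar  3 09:12:06 web sshd[2119]: Failed password for invalid user oracle from 198.51.100.23 port 50140 ssh2
Mar  3 09:12:09 web sshd[2124]: Invalid user boss from 198.51.100.23
Mar  3 09:12:09 web sshd[2124]: Failed password for invalid user boss from 198.51.100.23 port 50151 ssh2
Mar  3 09:12:12 web sshd[2130]: Invalid user PlcmSpIp from 198.51.100.23
Mar  3 09:12:12 web sshd[2130]: Failed password for invalid user PlcmSpIp from 198.51.100.23 port 50160 ssh2
Mar  3 09:15:40 web sshd[2201]: Accepted publickey for deploy from 203.0.113.7 port 41022 ssh2
Mar  3 09:16:02 web sshd[2210]: Failed password for deploy from 203.0.113.7 port 41030 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_auth_log(text):
    """Return (failures, accepted): failures is a list of (user, ip) per failed
    password; accepted is a list of (user, ip, method) per successful login.
    'Invalid user ...' lines are skipped so each attempt is counted once."""
    failures, accepted = [], []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures.append((m.group("user"), m.group("ip")))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m.group("user"), m.group("ip"), m.group("method")))
    return failures, accepted


def summarize(failures, accepted, threshold=5):
    """Tally failures by address and by username, flag addresses at or over
    the threshold, and single out successes from addresses that also failed."""
    by_ip = Counter(ip for _, ip in failures)
    by_user = Counter(user for user, _ in failures)
    users_by_ip = defaultdict(set)
    for user, ip in failures:
        users_by_ip[ip].add(user)
    brute_force_ips = sorted(ip for ip, n in by_ip.items() if n >= threshold)
    # A successful login from an address that also generated failures is the
    # case the post worries about: did they actually get in?
    suspicious = [(u, ip, m) for u, ip, m in accepted if by_ip[ip] > 0]
    return {
        "failures_by_ip": dict(by_ip),
        "failures_by_user": dict(by_user),
        "users_tried_by_ip": {ip: sorted(us) for ip, us in users_by_ip.items()},
        "brute_force_ips": brute_force_ips,
        "root_attempts": by_user.get("root", 0),
        "successes_from_failing_ips": suspicious,
    }


if __name__ == "__main__":
    failures, accepted = parse_auth_log(SAMPLE_AUTH_LOG)
    for key, value in summarize(failures, accepted).items():
        print(f"{key}: {value}")
```

Run against a real file with `parse_auth_log(open("/var/log/auth.log").read())`; the `users_tried_by_ip` map is what gives the list of names the post finds amusing, and `successes_from_failing_ips` is the first thing to read when deciding whether the lock needs changing.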
I found “boss” amusing. Most of the other ones make sense (except I don't have the kind of money lying around to have Oracle running on my personal web server), and that PlcmSpIp was interesting because it implies there was some open source program out there leaving a security hole.
Overall it's just annoying. Yes, I've had servers hacked and had to completely shut them down, yes I've had my PC infected and turned into a botnet zombie and had to reinstall everything. But for the most part I see them try, block them, and then contemplate why they bother.
It's kind of like house thieves going door to door with a big ring of keys and trying each key. They don't bother to look at the house to see if it's a shack or a mansion, they just try the keys. And if the door opens, they probably don't even do much, just cut a hole in the basement wall so they can come back later without needing the key.
And every now and then I hear them jiggling the key in the lock, and I shoo them off my front doorstep. Then I have to change the locks, maybe add another one, and I start thinking about putting bars on the windows...
Just another day living in the world with other people...
Be sure to see my blog over at Cloudenity. This week's topic:
The Physical Impossibility of Migrating to the Cloud