Brute Hacking

Aprelium Forum Index -> Networking Issues
CapFusion


Joined: 18 May 2003
Posts: 617
Location: Lost in Abyss' Dungeon

PostPosted: Sat May 24, 2003 1:01 am    Post subject: Brute Hacking

Aprelium,

Do you have a patch or something in the works to prevent "Brute Force" hacking? Or some temporary measure for this? I think it takes about 30 or so minutes to hack in with the "Brute Force" method from my old XT system with just a simple Username / Password [5 characters]. To me, this is scary.
_________________
CapFusion,...
aprelium


Joined: 22 Mar 2002
Posts: 6800

PostPosted: Sat May 24, 2003 1:42 am    Post subject: Re: Brute Hacking

CapFusion wrote:
Aprelium,

Do you have a patch or something in the works to prevent "Brute Force" hacking? Or some temporary measure for this? I think it takes about 30 or so minutes to hack in with the "Brute Force" method from my old XT system with just a simple Username / Password [5 characters]. To me, this is scary.

Setting a "hard" password is your responsibility. We cannot do that for the user. There are a lot of guidelines for setting a strong password available on the web. As a general rule, mix digits, symbols, and letters and avoid using dictionary words.
_________________
Support Team
Aprelium - http://www.aprelium.com
CapFusion


Joined: 18 May 2003
Posts: 617
Location: Lost in Abyss' Dungeon

PostPosted: Sun May 25, 2003 4:33 am    Post subject:

Quote:
Setting a "hard" password is your responsibility. We cannot do that for the user. There are a lot of guidelines for setting a strong password available on the web. As a general rule, mix digits, symbols, and letters and avoid using dictionary words.

Setting a "Hard" password is the user's responsibility, but setting a "HARD" password STILL will not be ENOUGH. I can set over 20 characters with numbers and letters and they will STILL break in. Setting or implementing better security is not part of the user's responsibility. Setting up proper security should be THE HIGHEST issue. I believe everyone at minimum will agree. This issue should not be plainly overlooked or underestimated.

Minor comment:
I would not like to see your product become criticized like Microsoft. Your product seems to be commented on in a positive note. Abyss as a "Web Server" is considered a communication / networking product; without strong security implementation, user security will be at greater risk.... especially for those that lack security knowledge. Would it be the same as a Porsche with a Yugo engine? Surely it can go from point A to point B like any other car, but at least one would like to be able to climb a very small hill. Abyss would be like any other free weak-security web server.

Take Microsoft Internet Explorer for example: it is free like Abyss but has tons of security issues. Do you want to see Abyss in the same field as Internet Explorer, or IIS for that matter? Once users have less faith in your product, Abyss would have a tougher time rebuilding its impeccable image.

Please reconsider your answer. Like I stated earlier in this message, I can enter 20 alphanumeric characters but my old XT will not stop trying to break in by "Brute Force".

Please at least consider "Three Attempts" and "IP Ban" for a certain preset time.
_________________
CapFusion,...
aprelium


Joined: 22 Mar 2002
Posts: 6800

PostPosted: Sun May 25, 2003 7:31 pm    Post subject:

CapFusion,
We thank you for your comments. Security issues have already been discussed in other topics and we are working on new features to improve them. We cannot say more on this forum, but we invite you to test the future versions when they are released.
By the way, Apache, IIS and other web servers have the same password protection mechanism, which is described in the HTTP protocol. They do not provide more security than we offer. So do not feel that Abyss is doing wrong just because it's not as famous as IIS or Apache.
_________________
Support Team
Aprelium - http://www.aprelium.com
Frank


Joined: 27 Oct 2002
Posts: 15
Location: The Netherlands

PostPosted: Fri Jun 20, 2003 2:07 pm    Post subject: Password security

I have to disagree with you where it concerns password security compared to Apache: although I'd prefer Abyss as my main server for password protection, Apache has an option for password = digest, or so, which means that only log-in names and passwords are encrypted, with MD5 I believe. This would be nice for Abyss too, don't you think?

Frank
_________________
He who thinks to know little, knows much already.
Gatewayy


Joined: 15 Mar 2003
Posts: 109

PostPosted: Fri Jun 20, 2003 5:10 pm    Post subject: Re: Brute Hacking

aprelium wrote:
CapFusion wrote:
Aprelium,

Do you have a patch or something in the works to prevent "Brute Force" hacking? Or some temporary measure for this? I think it takes about 30 or so minutes to hack in with the "Brute Force" method from my old XT system with just a simple Username / Password [5 characters]. To me, this is scary.

Setting a "hard" password is your responsibility. We cannot do that for the user. There are a lot of guidelines for setting a strong password available on the web. As a general rule, mix digits, symbols, and letters and avoid using dictionary words.


I'm sorry, but I have to totally agree with Aprelium here. The most secure software in the world still won't protect you if you use an insecure password. On another note, there is no way to absolutely protect yourself from being hacked. If someone wants to and has enough time, they will always get in no matter what you do.
_________________
-=Gatewayy=-

My Abyss site!

http://crashhappy.gatewayy.net
CapFusion


Joined: 18 May 2003
Posts: 617
Location: Lost in Abyss' Dungeon

PostPosted: Fri Jun 20, 2003 6:16 pm    Post subject:

Quote:
I'm sorry, but I have to totally agree with Aprelium here. The most secure software in the world still won't protect you if you use an insecure password. On another note, there is no way to absolutely protect yourself from being hacked. If someone wants to and has enough time, they will always get in no matter what you do.

Abyss security is considered as an entire level of protection. You will need to implement some third-party device for protection. You cannot rely on Abyss Username / PW for prevention.

I cannot imagine using Abyss as an enterprise web server, but it is OK for personal use ONLY. I am not sure what else it will be used for.... maybe SOHO?
_________________
CapFusion,...
aprelium


Joined: 22 Mar 2002
Posts: 6800

PostPosted: Mon Jun 23, 2003 10:42 pm    Post subject:

It's easy to believe people saying that a method is "secure". Digest authentication is more secure than Basic authentication when it comes to man-in-the-middle attacks (someone that sniffs packets between the server and the client and tries to replay the sequence later).
But digest authentication is as weak as basic when you do a brute force attack.
_________________
Support Team
Aprelium - http://www.aprelium.com
CapFusion


Joined: 18 May 2003
Posts: 617
Location: Lost in Abyss' Dungeon

PostPosted: Tue Jun 24, 2003 6:12 pm    Post subject:

aprelium wrote:
It's easy to believe people saying that a method is "secure". Digest authentication is more secure than Basic authentication when it comes to man-in-the-middle attacks (someone that sniffs packets between the server and the client and tries to replay the sequence later).
But digest authentication is as weak as basic when you do a brute force attack.

Hmm, I see both as basically the same thing. The reason for that is simple. When the server keeps on accepting input until it gets the correct information, this can lead to a break-in. The server does not know when to stop or reject the connection, or even time out. That is the main reason this kind of security is so bad, especially against non-experienced hackers or wannabes. The server is very vulnerable to attack by anyone.

There is a need to add to security with things like - Time-out / Preset tries / Preset IP ban time-out ... etc.... With this added security, basic Username / PW will take them longer to break in.

Basic ID/PW = One day or less
Basic ID/PW + Time-out 30min or more = One week or so
Basic ID/PW + Preset time IP ban = One week or so or more

With the added security mechanism, you will have time to react to an attack. Otherwise, how do you know you are being attacked while you are asleep, and wake up in the morning to find that your server let someone in and they formatted your whole system or planted a script / virus etc.... to attack another PC.

There are more methods of prevention / security than the basics you have seen so far. Btw, using a script like this forum to request authentication by Username / PW is just as weak as the server itself. How many times can you enter a Username / PW? A "BOT" can enter the whole day without rest. Think about it.

A firewall will not help either if all the traffic is being allowed to the web server. It will not know if it is being attacked by "Brute Force". It will assume those are just normal hits / requests.
_________________
CapFusion,...
phatbwoy


Joined: 21 Jun 2003
Posts: 4
Location: http://i-cool.kicks-ass.net

PostPosted: Thu Jul 24, 2003 1:31 am    Post subject: it's great protection

It's real hard to hack into Abyss. I told my brother to put a password and username on my console and I was there 3 hrs and I wasn't even close, and it makes it a wee lil bit more secure if you change the console port to some random numbers.
CapFusion


Joined: 18 May 2003
Posts: 617
Location: Lost in Abyss' Dungeon

PostPosted: Thu Jul 24, 2003 7:36 pm    Post subject: Re: it's great protection

phatbwoy wrote:
It's real hard to hack into Abyss. I told my brother to put a password and username on my console and I was there 3 hrs and I wasn't even close, and it makes it a wee lil bit more secure if you change the console port to some random numbers.

If you have a Router (w/NAT), it is not really a big concern regarding accessing the console. The Router will drop anything that is not being forwarded or redirected that you have not set up. What will pass is the PC that made the request in the first place. So having a random PORT for the console is good but not really necessary.

The main concern is accessing a page where you allow certain authorized users. They can use any type of means to attack until Abyss sees the correct credential. It is the same as telling your kid to be at home and wait for a password before he opens the door. So anyone who comes to the door and knocks, he will tell that person to provide a password before he opens. That person can be there the whole day randomly telling a password. Sooner or later the correct password will be provided. This kid does not know better. You just told him to wait for a correct password before opening.

What happens if you tell the kid not to accept any more passwords after 3 tries from the same person? Or have the kid peek through the door viewer to see who is there and ignore him after 3 tries.

This kind of defense mechanism will be a lot better than Username / PW.

Adding a server-side script regarding security issues is another means, but as a general user concern it may be too complicated. Adding extra security / features in "Access" will make it more simple for the general user.
_________________
CapFusion,...
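The "preset tries / preset IP ban time-out" mechanism CapFusion asks for above (and in the earlier post listing Time-out / Preset try / Preset IP ban) sketched as an added example; this is not Abyss code and not from any poster. It assumes a constructed credential store, a hypothetical `check_login` entry point, and that the caller passes the current time in so the ban expiry can be tested deterministically.

```python
import hashlib
import hmac


class LoginThrottle:
    """Refuse further attempts from a client after max_attempts failures,
    for ban_seconds; the ban lifts automatically and the counter resets."""
    def __init__(self, max_attempts: int = 3, ban_seconds: float = 1800.0):
        self.max_attempts = max_attempts
        self.ban_seconds = ban_seconds
        self._state = {}  # client_ip -> [failures, banned_until]

    def is_banned(self, client_ip: str, now: float) -> bool:
        failures, banned_until = self._state.get(client_ip, (0, 0.0))
        if banned_until > now:
            return True
        if banned_until:
            self._state.pop(client_ip, None)  # ban expired: count afresh
        return False

    def record_failure(self, client_ip: str, now: float) -> bool:
        """Count one failed attempt; return True if it triggered a ban."""
        state = self._state.setdefault(client_ip, [0, 0.0])
        state[0] += 1
        if state[0] >= self.max_attempts:
            state[1] = now + self.ban_seconds
            return True
        return False

    def record_success(self, client_ip: str) -> None:
        self._state.pop(client_ip, None)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed sample credential store: username -> (salt, PBKDF2 hash).
_SALT = b"constructed-demo-salt"
USERS = {"admin": (_SALT, hash_password("correct horse", _SALT))}
_DUMMY = hash_password("unused", _SALT)  # unknown users cost the same time


def check_login(throttle: LoginThrottle, client_ip: str,
                username: str, password: str, now: float) -> str:
    """Return 'banned', 'denied' or 'ok'; `now` (epoch seconds) is injected."""
    if throttle.is_banned(client_ip, now):
        return "banned"  # refused before the password is even checked
    salt, stored = USERS.get(username, (_SALT, _DUMMY))
    if hmac.compare_digest(stored, hash_password(password, salt)):
        throttle.record_success(client_ip)
        return "ok"
    return "banned" if throttle.record_failure(client_ip, now) else "denied"
```

Keying the ban on the source IP has the side effect the thread does not mention: many users behind one NAT router share an address, so three failures by one of them lock out all of them. The ban event is also the moment to write a log line, since that is what gives the operator the "time to react" CapFusion describes.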
All times are GMT + 1 Hour