CapFusion
Joined: 18 May 2003 Posts: 617 Location: Lost in Abyss' Dungeon
Posted: Sat May 24, 2003 1:01 am Post subject: Brute Hacking
Aprelium,
Do you have a patch or something in the works to prevent "Brute Force" hacking? 8O Or some temporary measure for this? I think it takes about 30 or so minutes to hack in with the "Brute Force" method from my old XT system with just a simple Username / Password [5 characters]. 8O To me, this is scary.
_________________ CapFusion,...

aprelium
Joined: 22 Mar 2002 Posts: 6800
Posted: Sat May 24, 2003 1:42 am Post subject: Re: Brute Hacking
CapFusion wrote:
    Aprelium,
    Do you have a patch or something in the works to prevent "Brute Force" hacking? 8O Or some temporary measure for this? I think it takes about 30 or so minutes to hack in with the "Brute Force" method from my old XT system with just a simple Username / Password [5 characters]. 8O To me, this is scary.
Setting a "hard" password is your responsibility. We cannot do that for the user. There are a lot of guidelines for setting a strong password available on the web. As a general rule, mix digits, symbols, and letters and avoid using dictionary words.
_________________ Support Team
Aprelium - http://www.aprelium.com

CapFusion
Joined: 18 May 2003 Posts: 617 Location: Lost in Abyss' Dungeon
Posted: Sun May 25, 2003 4:33 am Post subject:
Quote:
    Setting a "hard" password is your responsibility. We cannot do that for the user. There are a lot of guidelines for setting a strong password available on the web. As a general rule, mix digits, symbols, and letters and avoid using dictionary words.
Setting a "hard" password is the user's responsibility, but setting a "HARD" password STILL will not be ENOUGH. I can set over 20 characters with numbers and letters and it will STILL be broken into. Setting or implementing better security is not part of the user's responsibility. Setting up proper security should be THE HIGHEST issue. I believe everyone at minimum will agree. This issue should not be plainly overlooked or underestimated.
Minor comment:
I would not like to see your product become criticized like Microsoft. Your product seems to get positive comments. Abyss as a "Web Server" is considered a communication / networking product; without strong security implementation, user security will be at greater risk.... especially for those that lack security knowledge. Would it be the same as a Porsche with a Yugo engine? Surely it can go from point A to point B like any other car, but at least one would like to be able to climb a very small hill. Abyss would be like any other free, weak-security web server.
Take Microsoft Internet Explorer for an example: it is free like Abyss but has a ton of security issues. Do you want to see Abyss in the same field as Internet Explorer, or IIS for that matter? Once users have less faith in your product, Abyss will have a tougher time rebuilding its impeccable image.
Please reconsider your answer. Like I stated earlier in this message, I can enter 20 alphanumeric characters but my old XT will not stop trying to break in by "Brute Force".
Please at least consider "Three Attempts" and "IP Ban" for a certain preset time.
_________________ CapFusion,...

aprelium
Joined: 22 Mar 2002 Posts: 6800
Posted: Sun May 25, 2003 7:31 pm Post subject:
CapFusion,
We thank you for your comments. Security issues have already been discussed in other topics and we are working on new features to improve it. We cannot say more on this forum, but we invite you to test the future versions when they are released.
By the way, Apache, IIS and other web servers have the same password protection mechanism, which is described in the HTTP protocol. They do not provide more security than we offer. So do not feel that Abyss is doing wrong just because it's not as famous as IIS or Apache.
_________________ Support Team
Aprelium - http://www.aprelium.com

Frank
Joined: 27 Oct 2002 Posts: 15 Location: The Netherlands
Posted: Fri Jun 20, 2003 2:07 pm Post subject: Password security
:( I have to disagree with you where it concerns password security compared to Apache: although I'd prefer Abyss as my main server for password protection, Apache has an option for password = digest, or so, which means that only the log-in names and passwords are encrypted with MD5, I believe. This would be nice for Abyss too, don't you think?
Frank
_________________ He who thinks to know little, knows much already.

Gatewayy
Joined: 15 Mar 2003 Posts: 109
Posted: Fri Jun 20, 2003 5:10 pm Post subject: Re: Brute Hacking
aprelium wrote:
    CapFusion wrote:
        Aprelium,
        Do you have a patch or something in the works to prevent "Brute Force" hacking? 8O Or some temporary measure for this? I think it takes about 30 or so minutes to hack in with the "Brute Force" method from my old XT system with just a simple Username / Password [5 characters]. 8O To me, this is scary.
    Setting a "hard" password is your responsibility. We cannot do that for the user. There are a lot of guidelines for setting a strong password available on the web. As a general rule, mix digits, symbols, and letters and avoid using dictionary words.
I'm sorry, but I have to totally agree with Aprelium here. The most secure software in the world still won't protect you if you use an insecure password. On another note, there is no way to absolutely protect yourself from being hacked. If someone wants to and has enough time, they will always get in no matter what you do.
_________________ -=Gatewayy=-
My Abyss site!
http://crashhappy.gatewayy.net

CapFusion
Joined: 18 May 2003 Posts: 617 Location: Lost in Abyss' Dungeon
Posted: Fri Jun 20, 2003 6:16 pm Post subject:
Quote:
    I'm sorry, but I have to totally agree with Aprelium here. The most secure software in the world still won't protect you if you use an insecure password. On another note, there is no way to absolutely protect yourself from being hacked. If someone wants to and has enough time, they will always get in no matter what you do.
Abyss security is considered as an entire level of protection. You will need to implement some third-party device for protection. You cannot rely on Abyss Username / PW for prevention.
I cannot imagine using Abyss as an enterprise web server, but it is ok for personal use ONLY. I am not sure what else it will be used for.... maybe SOHO?
_________________ CapFusion,...

aprelium
Joined: 22 Mar 2002 Posts: 6800
Posted: Mon Jun 23, 2003 10:42 pm Post subject:
It's easy to believe people saying that a method is "secure". Digest authentication is more secure than Basic authentication when it comes to man-in-the-middle attacks (someone that sniffs packets between the server and the client and tries to replay the sequence later).
But digest authentication is as weak as basic when you do a brute force attack.
_________________ Support Team
Aprelium - http://www.aprelium.com
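The two mechanisms compared in the post above, as an added example in Python that is not part of the thread and is not code from Abyss, Apache or IIS. It builds a Basic header and an RFC 2617 Digest response (the form without qop) for a constructed user, realm and nonces, then exercises the three points at issue: a sniffed Digest response replayed against a fresh nonce is rejected, an online guessing loop needs exactly the same number of requests against either scheme, and (a step the thread does not spell out) one sniffed Digest exchange can be attacked offline, where no server-side limit on attempts applies at all. The credentials, realm, nonces and wordlist are all made up for this example.

```python
import base64
import hashlib
import hmac

# Constructed credentials, realm, nonces and guess list for this example (not from the thread).
REALM = "Abyss Admin"
USERNAME = "admin"
PASSWORD = "tr0ub4dor"
METHOD, URI = "GET", "/private/"
NONCE_1 = "dcd98b7102dd2f0e8b11d0f600bfb0c093"   # challenge that a passive sniffer observed
NONCE_2 = "0a4f113b5e9c1d2a7b8e6f3c4d5a6b7c"     # a later, fresh challenge from the server
WORDLIST = ["password", "letmein", "abyss2003", PASSWORD, "qwerty"]   # constructed wordlist


def basic_header(username, password):
    """Basic: the password crosses the wire base64-encoded, which is encoding, not encryption."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + token


def credentials_from_basic_header(header):
    """What a sniffer recovers from a Basic header: the username and the password itself."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, pwd = base64.b64decode(token).decode().partition(":")
    return user, pwd


def _md5_hex(s):
    # MD5 because RFC 2617 specifies it for Digest; not a recommendation for anything else.
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 Digest without qop: response = MD5(HA1 ':' nonce ':' HA2)."""
    ha1 = _md5_hex(f"{username}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{ha2}")


def server_accepts_basic(header, stored_password):
    """Server side of Basic: decode and compare against the stored secret."""
    user, pwd = credentials_from_basic_header(header)
    return user == USERNAME and hmac.compare_digest(pwd.encode(), stored_password.encode())


def server_accepts_digest(nonce_issued, response, stored_password):
    """Server side of Digest: recompute the expected response for the nonce it issued."""
    expected = digest_response(USERNAME, REALM, stored_password, METHOD, URI, nonce_issued)
    return hmac.compare_digest(expected.encode(), response.encode())


def online_guesses_until_success(scheme, wordlist):
    """Online brute force: one request per guess, against either scheme.
    Returns the number of requests needed, or None if the wordlist misses."""
    for n, guess in enumerate(wordlist, start=1):
        if scheme == "basic":
            ok = server_accepts_basic(basic_header(USERNAME, guess), PASSWORD)
        else:
            attempt = digest_response(USERNAME, REALM, guess, METHOD, URI, NONCE_2)
            ok = server_accepts_digest(NONCE_2, attempt, PASSWORD)
        if ok:
            return n
    return None


def replay_and_offline_crack():
    """Digest against a passive sniffer: replaying the captured response fails because the
    server's nonce changed, but the captured pair (nonce, response) lets the attacker test
    guesses locally with no requests to the server."""
    sniffed_response = digest_response(USERNAME, REALM, PASSWORD, METHOD, URI, NONCE_1)
    replayed = server_accepts_digest(NONCE_2, sniffed_response, PASSWORD)
    cracked = next((g for g in WORDLIST
                    if digest_response(USERNAME, REALM, g, METHOD, URI, NONCE_1) == sniffed_response),
                   None)
    return replayed, cracked
```

Read together with the post above: Digest keeps a passive sniffer from learning the password directly and from replaying a captured response, but what it protects against a sniffer is only as strong as the password's resistance to a dictionary attack run offline, and neither scheme by itself puts any limit on online guessing; that limit has to come from the server or from something in front of it. Production Digest deployments usually negotiate qop=auth, which adds a client nonce and counter to the hash; it changes the formula, not this conclusion.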

CapFusion
Joined: 18 May 2003 Posts: 617 Location: Lost in Abyss' Dungeon
Posted: Tue Jun 24, 2003 6:12 pm Post subject:
aprelium wrote:
    It's easy to believe people saying that a method is "secure". Digest authentication is more secure than Basic authentication when it comes to man-in-the-middle attacks (someone that sniffs packets between the server and the client and tries to replay the sequence later).
    But digest authentication is as weak as basic when you do a brute force attack.
Hmm, I see both as basically the same thing. The reason for that is simple. When the server keeps on accepting input until the correct information, this can lead to a break-in. The server does not know when to stop or reject the connection or even time out. That is the main reason this kind of security is so bad, especially against a non-experienced hacker or wannabe. The server is very vulnerable to attack by anyone.
There is a need to add security like - Time-out / Preset tries / Preset IP ban time-out ... etc.... With this added security, basic Username / PW will take them longer to break in.
Basic ID/PW = One day or less
Basic ID/PW + Time-out 30min or more = One week or so
Basic ID/PW + Preset time IP ban = One week or so or more
With the added security mechanism, you will have time to react to an attack. Otherwise, how do you know you are being attacked when you are asleep and wake up in the morning to find that your server let someone in to format your whole system or plant a script / virus etc.... to attack another PC?
There are more methods of prevention / security than the basic ones you see so far. Btw, using a script like this forum to request an authenticated Username / PW is just as weak as the server itself. How many times can you enter Username / PW? A "BOT" can enter the whole day without rest. Think about it.
A Firewall will not help either if all the traffic is being allowed to the Webserver. It will not know if it is being attacked by "Brute Force". It will assume those are just normal hits / requests.
_________________ CapFusion,...

phatbwoy
Joined: 21 Jun 2003 Posts: 4 Location: http://i-cool.kicks-ass.net
Posted: Thu Jul 24, 2003 1:31 am Post subject: it's great protection
It's real hard to hack into Abyss. I told my brother to put a password and username on my console and I was there 3 hrs and I wasn't even close, and it makes it a wee little bit more secure if you change the console port to some random numbers :twisted: :evil:

CapFusion
Joined: 18 May 2003 Posts: 617 Location: Lost in Abyss' Dungeon
Posted: Thu Jul 24, 2003 7:36 pm Post subject: Re: it's great protection
phatbwoy wrote:
    It's real hard to hack into Abyss. I told my brother to put a password and username on my console and I was there 3 hrs and I wasn't even close, and it makes it a wee little bit more secure if you change the console port to some random numbers :twisted: :evil:
If you have a Router (w/NAT), it is not really a big concern regarding accessing the console. The Router will drop anything that is not forwarded or redirected that you have not set up. What will pass is the PC that made the request in the first place. So having a random PORT for the console is good but not really necessary.
The main concern is accessing a page where you allow certain authorized users. They can use any type of means to attack until Abyss sees the correct credentials. It is the same as telling your kid to be at home and wait for a password before he opens the door. So when anyone comes to the door and knocks, he will tell that person to provide a password before he opens. That person can be there the whole day randomly telling a password. Sooner or later the correct password will be provided. This kid does not know better. You just told him to wait for a correct password before opening.
What happens if you tell the kid not to accept any more passwords after 3 tries from the same person? Or have the kid peek through the door viewer to see who is there and ignore him after 3 tries.
This kind of defense mechanism will be a lot better than Username / PW.
Adding a server-side script regarding security issues is another means, but for a general user it may be too complicated. Adding extra security / features in "Access" will make it simpler for the general user.
_________________ CapFusion,...
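CapFusion's proposal, made three times in this thread (the "Three Attempts" and "IP Ban" request, the list of time-out and preset IP ban estimates, and the doorman analogy in the post above), as an added example in Python that is not Abyss code and was not written by any participant. It wraps HTTP Basic authentication in a per-client-IP failure counter: three failures from one address ban that address for 30 minutes (both numbers are assumptions that follow the thread's proposal), a missing or malformed header gets the usual 401 challenge without being counted, a success clears the counter, and a small simulation counts how many guesses from one address actually get evaluated in a day once the ban is in place. The account, address and limits are constructed for the example.

```python
import base64
import binascii
import hmac
import time
from collections import defaultdict

# Constructed account for this example; a real server stores a password hash, not the password.
USERS = {"admin": "correct horse battery staple"}

MAX_FAILURES = 3        # the "three attempts" proposed in the thread
BAN_SECONDS = 30 * 60   # the "preset IP ban time"; 30 minutes is an assumption


def basic_header(username, password):
    """Builds the Authorization header a client sends for HTTP Basic auth."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def decode_basic(header):
    """Returns (user, password) from a Basic header, or None if it is absent or malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, pwd = raw.partition(":")
    return (user, pwd) if sep else None


class BruteForceGuard:
    """Per-client-IP failure counter with a temporary ban, placed in front of Basic auth."""

    def __init__(self, max_failures=MAX_FAILURES, ban_seconds=BAN_SECONDS, clock=time.time):
        self.max_failures = max_failures
        self.ban_seconds = ban_seconds
        self.clock = clock                 # injectable so the ban can be exercised without sleeping
        self.failures = defaultdict(int)
        self.banned_until = {}

    def is_banned(self, ip):
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:          # ban expired: forget it and start counting afresh
            del self.banned_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def authenticate(self, ip, authorization_header):
        """HTTP status for this attempt: 200 ok, 401 bad or missing credentials, 429 banned."""
        if self.is_banned(ip):
            return 429                     # refused before the password is even looked at
        creds = decode_basic(authorization_header)
        if creds is None:                  # no credentials offered yet: challenge, don't count it
            return 401
        user, pwd = creds
        stored = USERS.get(user, "")       # compare against a dummy for unknown users too
        if user in USERS and hmac.compare_digest(stored.encode(), pwd.encode()):
            self.failures.pop(ip, None)
            return 200
        self.failures[ip] += 1
        if self.failures[ip] >= self.max_failures:
            self.banned_until[ip] = self.clock() + self.ban_seconds
        return 401


def guesses_per_window(window_seconds, max_failures=MAX_FAILURES, ban_seconds=BAN_SECONDS):
    """Simulate one bot hammering from one address: how many wrong guesses does the server
    evaluate within the window? Without a lockout the only limit is request throughput."""
    now = [0.0]
    guard = BruteForceGuard(max_failures, ban_seconds, clock=lambda: now[0])
    ip, guesses = "203.0.113.7", 0        # documentation-range address, constructed
    while now[0] < window_seconds:
        if guard.authenticate(ip, basic_header("admin", "wrong")) == 429:
            now[0] = guard.banned_until[ip]   # nothing to do but wait the ban out
        else:
            guesses += 1
    return guesses
```

With the thread's numbers the simulation evaluates 144 guesses per 24 hours from one address (48 ban windows of 3 attempts each), against a rate bounded only by request throughput when nothing limits attempts. Two caveats a deployer should weigh: an attacker spread across many addresses gets that allowance at every one of them, and a ban keyed on the source IP locks out every legitimate user behind the same NAT, which is why the counter is keyed per address and cleared on success rather than accumulated forever. The example also compares against the stored password directly; a real server keeps a password hash instead.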