Comments
fail2ban kick you as a mule
@KuJoe
Can't win them all.
Own sequence (special chars can also be included):
I see some including fail2ban in the template.
I knew some companies who did that and I dropped them pretty quickly. Most clients praise us for our minimal templates and I feel the same way, the less "bloat" the better the VPS.
@KuJoe: Working great. Thank you!
@KuJoe I don't know if the concept is right, but the "commonwealth" is the rule. Nobody wants a Damian situation anymore.
This!
I always sign up with the SAME default password, which I never intend to use once I get the VPS. Sharing a real, usable password with every WHMCS order... no thanks.
More than fu***ing up my passwords, I would appreciate it if hosts would give me a VPS without default ports - so far only 2 or 3 hosts did that out of all I've had in the last few years. I tend to reinstall every VPS if it isn't created instantly, so that I can apply changes immediately. When a host creates the VPS manually/with a delay, it would be great to get it in a shutdown state, so I can make the initial security changes right after I boot it up.
@kujoe->Awesome task. Thank you.
-could- do the same thing Volumedrive does and just give one stupidly long pw, that's universal for every VD vps (lol).
But yeah, KuJoe's idea seems good. OR if it just shuffles the already given password, or adds something onto it, such as...
$clientchosenpw = "toor";
$randstr = substr(str_shuffle('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'), 0, 6);
$newpw = $clientchosenpw . $randstr; // PHP concatenates strings with ".", not "+"
Also seems possible. Could also audit each chosen root password on sign up, and reject the submission if it doesn't meet password strength rules. That's one way. Just auditing every person's new machine is hard; maybe make all templates have "fail2ban" installed or something. That might prevent most brute force attacks, as long as their password isn't at the top of a list. :P
It is a good idea to generate the password for the user, but then you have to send the password to the user in the VPS details email, and this will make some people go nuclear on you.
Huh? It's actually 13 days assuming 1 million hashes/second [Math] (keeping in mind that most password crackers are like 500 times faster)
Just to be pedantic, str_shuffle is excluding all passwords with any doubled chars, so technically restricting the search space unnecessarily. But brevity may be more important than a few magnitudes.
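An added illustration of the two points made above (how much the 6-character suffix adds, and what the no-repeated-characters property of str_shuffle costs). This is example code written for this thread, not code from WHMCS, from KuJoe's script or from anyone posting here. It assumes the 62-character alphabet from the PHP snippet and the 1,000,000 guesses/second figure quoted above; `shuffle_style_suffix` reproduces the shape of substr(str_shuffle(...), 0, 6) but from Python's `secrets` CSPRNG, since PHP's str_shuffle is not a cryptographic generator.

```python
"""Search-space arithmetic for the two suffix generators discussed in the thread.

Constructed example. `shuffle_style_suffix` mimics PHP's
substr(str_shuffle(ALPHABET), 0, n): a sample without replacement, so no
character can appear twice. `replacement_suffix` draws each position
independently from a CSPRNG, which is how a password generator should work.
"""
import math
import secrets

# Alphabet from the PHP snippet quoted in the thread (26 + 26 + 10 = 62 symbols).
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
_sysrand = secrets.SystemRandom()


def shuffle_style_space(alphabet_size: int, length: int) -> int:
    """Distinct outputs of shuffle-then-truncate: the falling factorial
    n * (n-1) * ... * (n-k+1), because a character cannot repeat."""
    return math.perm(alphabet_size, length)


def replacement_space(alphabet_size: int, length: int) -> int:
    """Distinct outputs when every position is drawn independently: n ** k."""
    return alphabet_size ** length


def shuffle_style_suffix(length: int = 6) -> str:
    """Sample without replacement (str_shuffle + substr shape), CSPRNG-backed."""
    return "".join(_sysrand.sample(ALPHABET, length))


def replacement_suffix(length: int = 6) -> str:
    """Sample with replacement: each position independent, full n ** k space."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def has_repeated_char(s: str) -> bool:
    return len(set(s)) != len(s)


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to enumerate the whole space at a given guess rate."""
    return space / guesses_per_second


if __name__ == "__main__":
    n, k = len(ALPHABET), 6
    shuf, repl = shuffle_style_space(n, k), replacement_space(n, k)
    print("str_shuffle+substr space :", shuf)
    print("with-replacement space   :", repl)
    print("candidates lost          : %.1f%%" % (100 * (1 - shuf / repl)))
    print("hours to exhaust at 1e6/s:", seconds_to_exhaust(repl, 1e6) / 3600)
    print("sample (no repeats)      :", shuffle_style_suffix())
    print("sample (with replacement):", replacement_suffix())
```

Run as a script it prints both space sizes; the shuffle-style space is about 22% smaller than 62^6, which is well under one bit of entropy. Exhausting the full 62^6 space at one million guesses per second takes under 16 hours, so the suffix alone is not what makes a root password survive an online brute-force attempt; it only ensures two customers who typed the same weak password end up with different ones.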
Can you see if the user has changed the password? How do you determine the 'pass'?
This happened to me, I realized it was the password that was the issue though. I think it's not the length, rather, the special characters in the password that's causing problems.
On another note, I don't like the fact that WHMCS emails me the password. It's just another opportunity for it to get stolen.
As the scope is to determine if the root password is still the same as it was when they signed up, that's actually the point of this check: "does the password work?", which gives two outcomes:
No, the password does not work = the user has changed the VPS's root password away from the password they gave at sign-up, give them a 'pass'
Yes, the password does = the user has not changed the VPS's root password away from the password they gave at sign-up, continue with the check
@Damian, I see...
Also, why the hell would WHMCS store the password in plain text?! If the company's db gets stolen, all the VPSes would be compromised.
I'm not sure what you mean.
The alternative is not telling them their password and making them guess it.
Where did you get the 16 from? Math
You were making the assumption that the hacker has my code and knows the limitations. Had I not posted it here they wouldn't know what to use (and most automated bots still won't know). That being said, if somebody was standing in front of my cabinet for 13 days I'd notice. :P
500 times faster? What kind of laptop could do that?
From your hexadecimal passwords. The hacker now knows this limitation.
Sorry, I was wrong: for MD5 it's actually 5,000 times and for SHA1 2,300 times [Source]
That doesn't look like bruteforcing though, it looks like cracking a known hash. I just realized even at 999 trillion attempts per second it won't do anything because even with physical access to my cabinet they will need to crack the root password just to start cracking the VPS password and if they have the root password then they have access to the VPS anyways.
cracking a hash == bruteforcing (in this case)
Also if anyone had physical access to your servers, they could just mount the VPS partitions or change your root password anyway.
That's the prob with whmcs. Plain text during signups for admins to see.
Anybody not using a temporary password for sign-ups is asking for trouble and not practicing best security anyways.
Exactly. So the level of security in my script is not an issue because the effort to crack it would be the same effort to steal my hard drives.
This. I always use the same password for signup, then change it via SSH with passwd, because I don't trust Solus for changing a password either.
Further to what I had said... read somewhere a long time back; copy-pasting from my notes for your consumption.
Modify the /etc/pam.d/system-auth file.
Replace this line.
password requisite pam_cracklib.so try_first_pass retry=3
With this.
password requisite pam_cracklib.so retry=3 minlen=8 lcredit=1 ucredit=1 dcredit=1 ocredit=0
The above line will make sure that:
The four parameters "lcredit", "ucredit", "dcredit", and "ocredit" are used to set the maximum credit for lower-case, upper-case, numeric (digit), and non-alphanumeric (other) characters respectively.
Now log in to the machine as root and try to change the password.
Only a password matching the above criteria will be accepted; otherwise you will receive the following error.
passwd: Authentication token manipulation error
I have read that it's easy to re-create a template in SolusVM, so this solution would be good along with @KuJoe's WHMCS random pass hack.
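An added illustration, not part of the post above and not pam_cracklib's own code: a Python model of the credit arithmetic that pam_cracklib applies to the options quoted above (its `simple()` length test). It reproduces only that length/credit rule, not the dictionary, palindrome or similarity tests the module also runs, and the test passwords are constructed. What it shows is that a positive credit, as in the quoted line, is a bonus of up to `credit` characters towards minlen rather than a requirement, so a 7-letter all-lowercase password satisfies minlen=8 with lcredit=1; a negative value (for example dcredit=-1) is what makes at least that many characters of the class mandatory.

```python
"""Model of pam_cracklib's length/credit test for a candidate password.

Constructed example. Positive credit values cap how many characters of a
class may count as a bonus towards minlen; negative values are minimums.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CracklibOptions:
    minlen: int = 9      # pam_cracklib default
    lcredit: int = 1     # lower-case letters
    ucredit: int = 1     # upper-case letters
    dcredit: int = 1     # digits
    ocredit: int = 1     # everything else


# The line from the post above: every class is an optional bonus of one char.
POST_CONFIG = CracklibOptions(minlen=8, lcredit=1, ucredit=1, dcredit=1, ocredit=0)
# Constructed alternative: at least one lower, one upper and one digit required.
STRICT_CONFIG = CracklibOptions(minlen=8, lcredit=-1, ucredit=-1, dcredit=-1, ocredit=0)


def classify(password: str) -> dict:
    """Count characters per class the way pam_cracklib does (digit, upper, lower, other)."""
    counts = {"lcredit": 0, "ucredit": 0, "dcredit": 0, "ocredit": 0}
    for ch in password:
        if ch.isdigit():
            counts["dcredit"] += 1
        elif ch.isupper():
            counts["ucredit"] += 1
        elif ch.islower():
            counts["lcredit"] += 1
        else:
            counts["ocredit"] += 1
    return counts


def length_check(password: str, opt: CracklibOptions) -> tuple:
    """Return (accepted, reason) for the length/credit rule only."""
    required = opt.minlen
    for name, n in classify(password).items():
        credit = getattr(opt, name)
        if credit >= 0:
            # Bonus: each present class shaves off up to `credit` characters.
            required -= min(n, credit)
        elif n < -credit:
            # Negative credit: this many characters of the class are mandatory.
            return False, f"needs at least {-credit} character(s) of {name}"
    if len(password) >= required:
        return True, "ok"
    return False, f"too short: {len(password)} chars, {required} needed after credits"


if __name__ == "__main__":
    for pw in ("abcdefg", "Abc1", "Abcd1", "abcdefgh", "Abcdefg1"):
        print(f"{pw!r:12} post-config: {length_check(pw, POST_CONFIG)}"
              f"  strict: {length_check(pw, STRICT_CONFIG)}")
```

With POST_CONFIG, "abcdefg" (seven lower-case letters, no digit, no capital) is accepted, while with STRICT_CONFIG it is rejected for lacking an upper-case letter and a digit. The same option names and semantics apply to pam_pwquality, which has replaced pam_cracklib on current distributions.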
@Pats decent idea, but it could be changed by the user. I think the WHMCS forceful password strength is much more appropriate, but adding this sort of thing internally could work. How would it work, however, if the password did not match that rule on an OVZ installation? Would the password be rejected and the user forced to remake it in SolusVM?
Damn... I really hate this! When a system tries to force on me what kind of password to use. Just because someone doesn't use some variable, it doesn't mean they have less safe passwords. Making things harder to remember is not automatically less safe.
Mmm hmm, and this comic describes it perfectly:
I couldn't explain better why that method is not ideal than Troy does here.