Searching for a Sys admin !

[PoluxKing]

Hello guys ! Tday me and my team are searching for a system administrator!We are searching for a owner.. We are a team of 4 people... And we just need a sys admin to finish our server. We have all the pl evrything... I normally never ask for free services but we are looking for someone who would be dedicated to the server. That's why he would get owner and some mulla once the server is on (1 week)

Sorry for my english i'm french

 

[Fire]

It's best practice to use SSH keys. It completely stops people brute forcing a password.

Computers are getting faster. If you get those computers into a network, where they work together to brute (sort of like a conversation: "Hey, Brute-B, you start with B, I'll start with A!"), bruting can become a lot quicker.

If your opinion is not the same as the majority on things like this, it's highly likely you are wrong. If you think otherwise, prepare a massive paper explaining why everyone else is wrong.

Technology is advancing yes, but are you seriously going to tell me, that my 16 char password is unsafe? There are 1,255,364,390,592,742,900,000,000,000,000 combinations.

Lets way over excaudate and say I could brute force at 1 million combinations per second.

Lets take Moore's Law, that computing speeds double over two years. Its currently 2016. So lets say I still have and care about the server in 2100. (Ill be 102 then)

By 2020 that's: 4,000,000 per second.
By 2050 that's: 131,072,000,000 per second.
By 2100 that's: 4,398,046,511,104,000,000 per second.

So if computers now could try 1 million passwords per second, (which they cant) then a computer made in 2100 would take 285,436,815,509 seconds to crack it (9,051 years). So the argument of computers getting faster is invalid.

If you're really that worried someone is going to get 100's of PC's to try and brute force your Minecraft server. Then just install fail2ban. Still not really needed, but less of a pain than SSH keys. Then the attacker would need more proxies than there are IP addresses to brute force that password.

If using an SSH key, helps you sleep at night then that's fine. But for Minecraft servers, its adding more complexity to something that's already secure enough. But you wont see it that way. After all, the more you do, the longer it takes you and you get paid hourly. So everyone believing they need all this security works out quite profitably.

This is why people hire me. I'm a bit of fun, and don't charge them for things they don't need.

 

[Samuel]

Technology is advancing yes, but are you seriously going to tell me, that my 16 char password is unsafe? There are 1,255,364,390,592,742,900,000,000,000,000 combinations.

Lets way over excaudate and say I could brute force at 1 million combinations per second.

Lets take Moore's Law, that computing speeds double over two years. Its currently 2016. So lets say I still have and care about the server in 2100. (Ill be 102 then)

By 2020 that's: 4,000,000 per second.
By 2050 that's: 131,072,000,000 per second.
By 2100 that's: 4,398,046,511,104,000,000 per second.

So if computers now could try 1 million passwords per second, (which they cant) then a computer made in 2100 would take 285,436,815,509 seconds to crack it (9,051 years). So the argument of computers getting faster is invalid.

If you're really that worried someone is going to get 100's of PC's to try and brute force your Minecraft server. Then just install fail2ban. Still not really needed, but less of a pain than SSH keys. Then the attacker would need more proxies than there are IP addresses to brute force that password.

If using an SSH key, helps you sleep at night then that's fine. But for Minecraft servers, its adding more complexity to something that's already secure enough. But you wont see it that way. After all, the more you do, the longer it takes you and you get paid hourly. So everyone believing they need all this security works out quite profitably.

This is why people hire me. I'm a bit of fun, and don't charge them for things they don't need.

The problem with your 16 character password is that it's usually one generated with a limited amount of characters. If someone finds out what you used to generate it, then the options are considerably less.

Other than that, if the password choice is left to decide by the client, then they are more than likely to have something guessable.

Sure, it's unlikely that people will guess it, but we don't know when these magical super computers will be accessed by the public/governments in corrupt countries. They have considerable amounts of money, and considerable chances of cracking a 16 character password that was likely generated with something.

Also, not many people care what the contents of your servers are. That's the reason why people are constantly getting bruted, even when you get a nice and shiny new IP block. Being a Minecraft server makes no difference.

Again, it's highly unlikely anyone will break in with a good password, however there is still a chance - especially if someone can cause mass drama.

Google uses SSH keys.
Amazon uses SSH keys.
Data centres all usually recommend SSH keys.
Large hosting companies encourage the use of SSH keys.

There is a reason. SSH keys are less crackable than any 16 character password you could come up with. Sure though, go against the majority, but you're doing it just to be different and because you have doubts that people will crack your password. I will continue to ensure complete security on client servers. I ensure that clients of mine don't have to worry about changing a password every few months/years, or worry about computers getting faster and faster each year (especially with the rate that graphics cards are getting better - also being used for bruting).

Oh, and I don't charge for the SSH key thing. I include it with all of my services as a courtesy.

 

[Fire]

The problem with your 16 character password is that it's usually one generated with a limited amount of characters. If someone finds out what you used to generate it, then the options are considerably less.

12 of them are unique, and how is anyone going to go about finding which chars I use for my password? And I mean practically, not sneaking into my house and installing keylogers. Its got symbols, numbers, upper and lower case chars.

Other than that, if the password choice is left to decide by the client, then they are more than likely to have something guessable.

That I can agree on. One person I worked with a while back, used their server name as their root password.

Sure, it's unlikely that people will guess it, but we don't know when these magical super computers will be accessed by the public/governments in corrupt countries. They have considerable amounts of money, and considerable chances of cracking a 16 character password that was likely generated with something.

Also, not many people care what the contents of your servers are. That's the reason why people are constantly getting bruted, even when you get a nice and shiny new IP block. Being a Minecraft server makes no difference.

Again, it's highly unlikely anyone will break in with a good password, however there is still a chance - especially if someone can cause mass drama.

As for supercomputers the one from 2100 was proven to be just as useless as computers from now. Though that's not considering quantum computers, though SSH password cracking would be more a network thing, so I'm not entirely sure there.

People will randomly brute force servers. Mine has a few times, but to no avail. Brute forcing a password with no idea what you might find. Its time consuming and not very practical. They will likely use a beefy password list, as long as its not on there its fine. Which I would like to hope people can set a decent one that wont be.

Google uses SSH keys.
Amazon uses SSH keys.
Data centres all usually recommend SSH keys.
Large hosting companies encourage the use of SSH keys.

Companies like Google and Amazon are targets. I could try and crack the password for someone's Minecraft dedi and hold them to ransom for a few hundred dollars with their server files. Or use that same power to crack Google, where the yield would be billions. In those cases I would support the usage of SSH keys, since they are likely to come under a sophisticated targeted attack, and could do with protection against that.

graphics cards are getting better - also being used for bruting

They mostly do hash computation. Rather than spamming a server with requests. So I'm not sure they would be much use. Though I could always use them to play Minecraft in shaders, while I wait an eternity for the password to crack?

Personally I see it as over kill and just not needed. It would be like me requesting a vault be built under my house, to store less than $100 worth of stuff. When all I needed was a basic burglar alarm. Since no one is going to make the effort to break in anyway.

Though if it makes people feel safe, then that's fine. I guess we can just agree to disagree.

 

[Samuel]

12 of them are unique, and how is anyone going to go about finding which chars I use for my password? And I mean practically, not sneaking into my house and installing keylogers. Its got symbols, numbers, upper and lower case chars.

If you use a password manager, or a specific website that can be found out, then they can just take all the characters available on those things to limit just to them. Still a lot of characters, but considerably less.

That I can agree on. One person I worked with a while back, used their server name as their root password.

Key files prevent this human error.

As for supercomputers the one from 2100 was proven to be just as useless as computers from now. Though that's not considering quantum computers, though SSH password cracking would be more a network thing, so I'm not entirely sure there.

People will randomly brute force servers. Mine has a few times, but to no avail. Brute forcing a password with no idea what you might find. Its time consuming and not very practical. They will likely use a beefy password list, as long as its not on there its fine. Which I would like to hope people can set a decent one that wont be.

Sorry, I was referring to quantum computers. Fucked up my phrasing.

Companies like Google and Amazon are targets. I could try and crack the password for someone's Minecraft dedi and hold them to ransom for a few hundred dollars with their server files. Or use that same power to crack Google, where the yield would be billions. In those cases I would support the usage of SSH keys, since they are likely to come under a sophisticated targeted attack, and could do with protection against that.

People use sophisticated, randomly targeted, attacks to build their botnets. Botnets are good money makers.

They mostly do hash computation. Rather than spamming a server with requests. So I'm not sure they would be much use. Though I could always use them to play Minecraft in shaders, while I wait an eternity for the password to crack?

Personally I see it as over kill and just not needed. It would be like me requesting a vault be built under my house, to store less than $100 worth of stuff. When all I needed was a basic burglar alarm. Since no one is going to make the effort to break in anyway.

Sorry, I should've gone into my point more there. I was flicking between messages and this. My point there was supposed to be something along these lines:

If someone were to get the password hashes for your server, they could use a massive server farm to attempt to, as you said, compute the hashes.

Though if it makes people feel safe, then that's fine. I guess we can just agree to disagree.

Discussions are always useful. That's how humans expand their knowledge and become more open minded.

 

[to_er]

People use sophisticated, randomly targeted, attacks to build their botnets. Botnets are good money makers.

Indeed, these attacks are insanely common(https://blog.sucuri.net/2016/09/ssh-brute-force-compromises-leading-to-ddos.html) . But most of them tries to bruteforce only the most commonly used usernames -- so just disabling root login and setting up a long random password does help.

 

[Samuel]

Indeed, these attacks are insanely common(https://blog.sucuri.net/2016/09/ssh-brute-force-compromises-leading-to-ddos.html) . But most of them tries to bruteforce only the most commonly used usernames -- so just disabling root login and setting up a long random password does help.

We never mentioned disabling root

 

[to_er]

We never mentioned disabling root

That was fast! TL;DR I thought this subject might have been mentioned by someone on this thread.