How to secure your Linux server from pass-the-hash attacks

I was just reading this article: http://www.infoworld.com/d/security/stop-pass-the-hash-attacks-they-begin-167997?page=0,2&source=IFWNLE_nlt_daily_2011-07-26

He talks about pass-the-hash attacks and how no operating system is safe. It also includes tips on how to reduce your risk in windows but not Linux. The best solution I can think of is to use a known clean bootable usb when I need to remote in to the server. Is there anything else I can do?


Solution 1:

I would disagree with a number of the statements and implications made in that article - most of which that there's "no defense". It's a case of missing the forest for the trees.

I'd argue that if an attacker has:

  1. direct memory access on a system storing your hash, and,
  2. a platform with which to replay a hash to create a new, malicious session,

then the vector that he's worked up about really doesn't matter - it's already over, and an attacker can just as easily, say, jam a keylogger in place and get the full, pre-hashed password.

I'd also disagree with the statement that this should be mitigated by having only one "superadmin" (domain/enterprise admin) - that would be a very low bus number.


More generally, a lot of what he's talking about really is Microsoft-specific; there are absolutely authentication attack vectors against other operating systems when you have direct memory access (SSH private keys stored in agents would be the equivalent for Linux remote access, and let's not forget the frozen-RAM attack against full-disk encryption - no canned air required with direct memory access), but the NTLM hash lifting that he's specifically addressing for most of the article is a Microsoft-only thing.

The important mitigating takeaway: don't give an attacker direct memory access or root privileges.

But you knew that already.

Solution 2:

Well the attack is for Windows, if you want Linux servers secure against that attack DON'T configure samba with NT Lan Manager on them.