RE: [suse-security] account lockout after x incorrect attempts???
I agree whole-heartedly with your point - it is a stupid, useless measure that leaves us open for major denial of service attacks... And I have stated this to 'upper IS management' - however we have been given no choice - it is 'corporate' policy - policy as usual, made by people who don't understand the technology -- and as usual, we have to live with the consequences.

The SUSE secure alternative of login delays (ours set to 20 seconds) quite effectively deters brute force attacks, and logging of failed login attempts with notification gives us indications when "something isn't right" - but unfortunately we don't have a say in the matter.

Thanks,
Eric
We have a number of SUSE 9.x workstations - and recently we've been mandated to have them adhere to a corporate IT security policy that requires account lockout after a certain number of incorrect login attempts.
....
Look for this under Bone-Headed Security.
Imagine this policy is successfully implemented. Then *anyone* could lock anyone else out of their account (aka a DOS) simply by trying to log into it. This policy opens the door to all kinds of mischief. It would be even worse if it's going to be used to log in from the internet. Then you might as well give Al Qaida an on/off switch to your email system.
hth, korporal ken, civilian
This has been a terrible problem for us on AIX, where failed login is set by default and there is no way to rate limit ssh flood attempts. We are forever having to unlock user accounts.

On Thu, Oct 06, 2005 at 08:51:44AM -0400, Baenen Eric P Contr AFRL/HEC wrote:
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
--
-ashley
Did you try poking at it with a stick?
Baenen Eric P Contr AFRL/HEC wrote:
The SUSE secure alternative of login delays (ours set to 20 seconds) quite effectively deters brute force attacks and logging of failed login attempts with notification gives us indications when "something isn't right" - but unfortunately we don't have a say in the matter.
Did 'management' say how *long* the lockout had to be? The 20 second delay could be characterized as a very brief "lockout". If they don't like that, then change the number to 20 minutes, or 20 years if they really insist. Better yet would be if the delay grew exponentially with each failure.

Crispin
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering, Novell http://novell.com
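As an added illustration of the trade-off argued over in this thread (example code, not from the thread, SUSE or any of the posters): a small Python simulation that puts the mandated per-account lockout beside the per-source, exponentially growing delay Crispin suggests, and shows which one still lets the real owner in after a run of bad guesses from somewhere else. The lockout threshold, the delay cap, the timeline and the client addresses are assumptions.

```python
# Added example (not from the thread): per-account lockout vs. a per-source delay
# that grows with each failure. Threshold, cap and addresses are assumptions.
from collections import namedtuple

LOCKOUT_THRESHOLD = 3    # assumed: failures before the account is locked
BASE_DELAY = 20.0        # seconds, the delay Eric's systems use
MAX_DELAY = 20 * 60.0    # assumed cap so the delay stays bounded

# when: seconds on a constructed timeline; source: client address; ok: password correct
Attempt = namedtuple("Attempt", "when user source ok")

def delay_for(failures: int) -> float:
    """Exponential backoff: 20s, 40s, 80s, ... capped at MAX_DELAY."""
    return min(BASE_DELAY * 2 ** (failures - 1), MAX_DELAY)

class AccountLockout:
    """Mandated policy: N failures lock the account, whoever caused them."""
    def __init__(self):
        self.fails = {}
    def allow(self, a: Attempt) -> bool:
        if self.fails.get(a.user, 0) >= LOCKOUT_THRESHOLD:
            return False               # locked, even for the real owner
        if a.ok:
            self.fails[a.user] = 0
            return True
        self.fails[a.user] = self.fails.get(a.user, 0) + 1
        return False

class SourceDelay:
    """Alternative: throttle the failing source; the account stays usable."""
    def __init__(self):
        self.fails, self.next_ok = {}, {}
    def allow(self, a: Attempt) -> bool:
        if a.when < self.next_ok.get(a.source, 0.0):
            return False               # this source is still serving its delay
        if a.ok:
            self.fails[a.source] = 0
            return True
        n = self.fails[a.source] = self.fails.get(a.source, 0) + 1
        self.next_ok[a.source] = a.when + delay_for(n)
        return False

# Constructed: four bad guesses at alice's account from one address, then
# alice herself logging in correctly from her own workstation.
ATTEMPTS = [Attempt(t, "alice", "198.51.100.7", False) for t in (0, 1, 2, 3)]
ATTEMPTS.append(Attempt(5, "alice", "192.0.2.10", True))

def run(policy) -> list:
    """One decision per attempt, in order."""
    return [policy.allow(a) for a in ATTEMPTS]
```

Under the lockout policy the final, correct login from alice's own machine is refused because a stranger's guesses already locked the account; under the per-source delay only the guessing address is throttled and alice gets in.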
participants (3)
- Ashley Gould
- Baenen Eric P Contr AFRL/HEC
- Crispin Cowan