L A Walsh wrote:
On 2021/03/05 08:58, jdd@dodin.org wrote:
On 05/03/2021 at 17:36, Per Jessen wrote:
I'm not sure if I would even contemplate disabling a Linux user account based on 3 bad attempts.
Possible if the login is a private, long thing, where it's unlikely it can be found; else any attempt by a non-authorized user locks out the real user.
----
The financial institutions really don't seem to have a problem with some random hacker trying to DOS all their customers. Maybe they have other policies in place to detect and block such attempts.
A DOS attack is something else ?
Note these are web-logins/password, not ones where they can hammer a specific port.
It's a bit harder to automate a web-account password when you have to remember your secure picture and answer one of your secret questions in addition to the password.
Instead of locking you out, it might simply force you to re-enter some of your account information -- like 3 attempts on an ssh password, and you have to login to the web-access page and identify your secure picture after receiving a 1-time code at your local email address.
Is there a reason public key auth isn't good enough?
On 2021/03/05 09:10, Per Jessen wrote:
I just foresee the situation where an 'admin' account is locked out and support has gone home for the weekend.
---
First thing -- the institutions/organizations that have such security measures have teams answering phones 24/7, holidays included.
So why are we talking about it here on this list?
There are no weekends. Second thing -- as for someone having their admin account open to password cracking facing the web -- that shouldn't happen to begin
We were not talking about the web, but about ssh. -- Per Jessen, Zürich (4.1°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
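The lockout-as-DoS concern raised above (a remote guesser locking the real admin out of an ssh account after three bad passwords), as an added example that is not part of the thread: the script below models two policies. `AccountLockout` counts failures per account in the style of pam_faillock (semantics assumed for the model, not copied from the module), so three bad guesses from anywhere lock "admin" until the unlock time passes. `SourceLockout` counts failures per source address in the style of sshguard/fail2ban (also assumed), so only the guesser is blocked and the admin logging in from another address is unaffected. The scenario, addresses (RFC 5737 documentation ranges) and timings are constructed for the example; the model ignores attempts made while locked rather than extending the lock, which real pam_faillock does.

```python
"""Two failed-login lockout policies replayed against the same attack.

Constructed example: an attacker guesses "admin"'s ssh password three
times, then the real admin logs in from home with the correct password.
"""
from dataclasses import dataclass, field
from typing import Dict, List


def _recent(stamps: List[int], now: int, window: int) -> List[int]:
    """Failure timestamps that fall within `window` seconds before `now`."""
    return [t for t in stamps if now - t < window]


@dataclass
class AccountLockout:
    """Per-account lockout (pam_faillock-like semantics, assumed): after
    `deny` failures inside `fail_interval` seconds the account is locked for
    `unlock_time` seconds, no matter where the failures came from.
    Simplification: attempts made while locked are rejected but not recorded."""
    deny: int = 3
    fail_interval: int = 900
    unlock_time: int = 600
    failures: Dict[str, List[int]] = field(default_factory=dict)

    def is_locked(self, user: str, now: int) -> bool:
        recent = _recent(self.failures.get(user, []), now, self.fail_interval)
        return len(recent) >= self.deny and now - recent[-1] < self.unlock_time

    def attempt(self, src: str, user: str, password_ok: bool, now: int) -> str:
        if self.is_locked(user, now):
            return "locked"          # even the right password is refused
        if password_ok:
            self.failures.pop(user, None)   # a success resets the tally
            return "ok"
        self.failures.setdefault(user, []).append(now)
        return "denied"


@dataclass
class SourceLockout:
    """Per-source lockout (sshguard/fail2ban-style, assumed): after `deny`
    failures inside `fail_interval` seconds the *source address* is banned
    for `ban_time` seconds; the account itself stays usable from elsewhere."""
    deny: int = 3
    fail_interval: int = 900
    ban_time: int = 600
    failures: Dict[str, List[int]] = field(default_factory=dict)

    def is_banned(self, src: str, now: int) -> bool:
        recent = _recent(self.failures.get(src, []), now, self.fail_interval)
        return len(recent) >= self.deny and now - recent[-1] < self.ban_time

    def attempt(self, src: str, user: str, password_ok: bool, now: int) -> str:
        if self.is_banned(src, now):
            return "banned"
        if password_ok:
            return "ok"
        self.failures.setdefault(src, []).append(now)
        return "denied"


# Constructed scenario; addresses are from the RFC 5737 documentation ranges.
ATTACKER, ADMIN_HOME = "198.51.100.7", "192.0.2.10"
SCENARIO = [
    # (time in seconds, source address, account, password correct?)
    (0, ATTACKER, "admin", False),
    (1, ATTACKER, "admin", False),
    (2, ATTACKER, "admin", False),    # third bad guess
    (10, ADMIN_HOME, "admin", True),  # the real admin, right password
    (11, ATTACKER, "admin", False),   # the guesser keeps going
    (700, ADMIN_HOME, "admin", True), # after unlock_time/ban_time has passed
]


def run(policy) -> List[str]:
    """Replay SCENARIO against a fresh policy and return each outcome."""
    return [policy.attempt(src, user, ok, t) for t, src, user, ok in SCENARIO]


if __name__ == "__main__":
    print("account lockout:", run(AccountLockout()))
    print("source lockout: ", run(SourceLockout()))
```

With the per-account policy the admin's correct login at t=10 comes back "locked" and only succeeds at t=700, which is exactly the weekend lockout Per describes; with the per-source policy the admin gets "ok" at t=10 while the attacker is the one that ends up "banned". Either way, disabling password authentication in sshd in favour of public keys removes the guessing surface that makes the lockout question arise.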