Lew Wolfgang wrote:
On 3/5/21 8:36 AM, Per Jessen wrote:
L A Walsh wrote:
On 2021/03/02 23:05, Per Jessen wrote:
Today it is slow, thorough, distributed - maybe 50 machines slowly trying out passwords, once a minute, one machine after the other. Such slow, patient attacks usually don't trigger any traps or fail2ban.
Today or rather from about five or more years ago, most sensitive institutions give about 3 invalid password attempts against an account and then lock the account, requiring a call to support with your personally identifying info.
Seems like that would stop such attacks as the trigger is any 3 bad attempts and then the account is locked, no? I'm not sure if I would even contemplate disabling a Linux user account based on 3 bad attempts.
Others do.
I just foresee the situation where an 'admin' account is locked out and support has gone home for the weekend.
Also, Smartcards will lock themselves after three failed pin attempts, requiring that the card be brought to a facility to unlock it after the bearer proves who they are.
Yes, much the same with mobile phones, but that is another level of security. Besides, with public key auth, why bother?

-- 
Per Jessen, Zürich (4.0°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
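The point made in this thread, that a slow campaign spread over many source addresses stays below a per-IP threshold like fail2ban's while a per-account threshold of three failures catches it, can be checked against real logs with a short script. The one below is an added example, not code from the thread or from fail2ban: it parses constructed sshd auth.log lines (sample data, not a real capture), applies a fail2ban-style count per source IP, and then applies an account-centric count across all source IPs. The thresholds (3 failures in 10 minutes per IP, 3 failures in 1 hour per account) are assumptions chosen for the illustration.

```python
"""
Added example (not from the thread): compare a per-source-IP failure count
(fail2ban style) with a per-account failure count across all sources, so that a
slow, distributed password-guessing run against one account is still noticed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth.log lines: five different addresses try 'admin' once
# each, one minute apart. No single address ever exceeds a per-IP threshold.
SAMPLE_LOG = """\
Mar  5 08:00:12 host sshd[1001]: Failed password for admin from 203.0.113.10 port 50122 ssh2
Mar  5 08:01:15 host sshd[1002]: Failed password for admin from 203.0.113.11 port 50123 ssh2
Mar  5 08:02:18 host sshd[1003]: Failed password for admin from 203.0.113.12 port 50124 ssh2
Mar  5 08:03:20 host sshd[1004]: Failed password for admin from 203.0.113.13 port 50125 ssh2
Mar  5 08:04:22 host sshd[1005]: Failed password for admin from 203.0.113.14 port 50126 ssh2
Mar  5 08:05:25 host sshd[1006]: Failed password for invalid user test from 198.51.100.7 port 40000 ssh2
Mar  5 08:06:30 host sshd[1007]: Accepted publickey for per from 192.0.2.5 port 51000 ssh2
Mar  5 08:07:33 host sshd[1008]: Failed password for per from 192.0.2.5 port 51001 ssh2
"""

# Matches the sshd "Failed password" line, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_failures(log_text, year=2021):
    """Return a list of (timestamp, user, source_ip) for each failed password line.
    auth.log carries no year, so one is supplied (assumed 2021 for the sample)."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        stamp = " ".join(m["ts"].split())  # collapse the padded day field
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def peak_in_window(events, keyfunc, findtime):
    """Return {key: highest number of failures seen inside any findtime-long
    sliding window}, grouping events by keyfunc(user, ip)."""
    windows = defaultdict(deque)
    peak = defaultdict(int)
    for ts, user, ip in sorted(events):
        key = keyfunc(user, ip)
        w = windows[key]
        w.append(ts)
        while ts - w[0] > findtime:  # drop failures older than the window
            w.popleft()
        peak[key] = max(peak[key], len(w))
    return dict(peak)


def fail2ban_style_bans(events, maxretry=3, findtime=timedelta(minutes=10)):
    """Source IPs that would trip a per-IP jail (assumed parameters)."""
    peak = peak_in_window(events, lambda user, ip: ip, findtime)
    return sorted(ip for ip, n in peak.items() if n >= maxretry)


def distributed_campaigns(events, maxretry=3, findtime=timedelta(hours=1), min_sources=3):
    """Accounts whose failures across ALL source IPs reach maxretry inside
    findtime and come from at least min_sources distinct addresses.
    Returns {user: sorted list of source IPs}."""
    peak = peak_in_window(events, lambda user, ip: user, findtime)
    sources = defaultdict(set)
    for _, user, ip in events:
        sources[user].add(ip)
    return {
        user: sorted(sources[user])
        for user, n in peak.items()
        if n >= maxretry and len(sources[user]) >= min_sources
    }


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG)
    print("per-IP bans:", fail2ban_style_bans(evs))          # []
    print("per-account campaigns:", distributed_campaigns(evs))  # {'admin': [...5 IPs...]}
```

On the sample data the per-IP view bans nothing, because each address fails only once, while the per-account view reports 'admin' with five distinct sources. Whether the right response is to lock the account, as the institutions mentioned in the thread do, or only to alert, is a policy choice; the script only makes the pattern visible.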