Mailinglist Archive: opensuse-security (232 mails)

Re: [suse-security] account lockout after x incorrect attempts???
  • From: Ashley Gould <agould@xxxxxxxx>
  • Date: Thu, 6 Oct 2005 08:38:12 -0700
  • Message-id: <20051006153812.GT9356@xxxxxxxx>
This has been a terrible problem for us on AIX, where failed login is
set by default and there is no way to rate-limit ssh flood attempts. We are
forever having to unlock user accounts.


On Thu, Oct 06, 2005 at 08:51:44AM -0400, Baenen Eric P Contr AFRL/HEC wrote:
>
> I agree whole-heartedly with your point - it is a stupid, useless measure
> that leaves us open for major denial of service attacks... And I have stated
> this to 'upper IS management' - however we have been given no choice - it is
> 'corporate' policy - policy as usual, made by people who don't understand
> the technology -- and as usual, we have to live with the consequences.
>
> The SUSE secure alternative of login delays (ours set to 20 seconds) quite
> effectively deters brute force attacks and logging of failed login attempts
> with notification gives us indications when "something isn't right" - but
> unfortunately we don't have a say in the matter.
>
> Thanks,
>
> Eric
>
> > > We have a number of SUSE 9.x workstations - and recently we've been
> > > mandated to have them adhere to a corporate IT security policy that
> > > requires account lockout after a certain number of incorrect login
> > > attempts.
> > >
> > > ....
> >
> > Look for this under Bone-Headed Security.
> >
> > Imagine this policy is successfully implemented. Then
> > *anyone* could lock anyone else out of their account (aka a
> > DoS) simply by trying to log into it. This policy opens the
> > door to all kinds of mischief. It would be even worse if it's
> > going to be used to log in from the internet.
> > Then you might as well give Al Qaida an on/off switch to your
> > email system.
> >
> >
> > hth,
> > korporal ken, civilian

--

-ashley

Did you try poking at it with a stick?
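The denial-of-service asymmetry that Ken and Eric describe (lockout counted per account versus a per-source measure) is easy to see when the two policies are replayed over the same sshd log. The following is an added example, not code from anyone in this thread or from SUSE or AIX: it parses constructed sshd "Failed password" / "Accepted password" lines and simulates both policies with the same threshold. Host names, addresses, user names and the threshold of 3 are all made up for the illustration, and the script only models the counting; whatever PAM module, sshd setting or firewall rule actually enforces lockouts, delays or source blocking on a given system is not touched here.

```python
import re
from collections import defaultdict

# Constructed sshd log lines (not taken from the original thread). The host
# 198.51.100.7 hammers alice's account with bad passwords; alice herself then
# logs in correctly from 192.0.2.10, and bob mistypes his password once.
SAMPLE_LOG = """\
Oct  6 08:30:01 ws1 sshd[4101]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Oct  6 08:30:02 ws1 sshd[4102]: Failed password for alice from 198.51.100.7 port 40002 ssh2
Oct  6 08:30:03 ws1 sshd[4103]: Failed password for alice from 198.51.100.7 port 40003 ssh2
Oct  6 08:30:04 ws1 sshd[4104]: Failed password for alice from 198.51.100.7 port 40004 ssh2
Oct  6 08:31:10 ws1 sshd[4110]: Failed password for bob from 192.0.2.20 port 50100 ssh2
Oct  6 08:31:15 ws1 sshd[4111]: Accepted password for bob from 192.0.2.20 port 50100 ssh2
Oct  6 08:32:00 ws1 sshd[4120]: Accepted password for alice from 192.0.2.10 port 51000 ssh2
"""

# Matches the OpenSSH password-auth result lines; "invalid user" appears when
# the account does not exist at all, so it is tolerated and skipped.
EVENT_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port"
)


def parse_events(log_text):
    """Yield (outcome, user, source_ip) for each auth result line, in log order."""
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def simulate_account_lockout(log_text, threshold):
    """The mandated policy: lock an account after `threshold` failures, no matter
    which source produced them. Returns (locked_accounts, refused_logins), where
    refused_logins lists (user, ip) of logins that really succeeded in the log
    but would have been refused because the account was already locked."""
    failures = defaultdict(int)
    locked = set()
    refused = []
    for outcome, user, ip in parse_events(log_text):
        if user in locked:
            if outcome == "Accepted":
                refused.append((user, ip))
            continue
        if outcome == "Failed":
            failures[user] += 1
            if failures[user] >= threshold:
                locked.add(user)
    return locked, refused


def simulate_source_block(log_text, threshold):
    """The alternative: count failures per source address and block the source
    after `threshold` of them. Returns (blocked_sources, refused_logins) with the
    same meaning for refused_logins as above."""
    failures = defaultdict(int)
    blocked = set()
    refused = []
    for outcome, user, ip in parse_events(log_text):
        if ip in blocked:
            if outcome == "Accepted":
                refused.append((user, ip))
            continue
        if outcome == "Failed":
            failures[ip] += 1
            if failures[ip] >= threshold:
                blocked.add(ip)
    return blocked, refused


if __name__ == "__main__":
    THRESHOLD = 3  # assumed lockout/block threshold for the illustration
    locked, refused = simulate_account_lockout(SAMPLE_LOG, THRESHOLD)
    print("per-account lockout: locked accounts =", sorted(locked))
    print("  legitimate logins refused:", refused)
    blocked, refused = simulate_source_block(SAMPLE_LOG, THRESHOLD)
    print("per-source block: blocked sources =", sorted(blocked))
    print("  legitimate logins refused:", refused)
```

With the account-lockout policy the attacker's three bad guesses lock `alice`, and her own later login from a different address is refused; with the per-source policy only 198.51.100.7 is blocked and nobody legitimate is affected. Neither counter here uses a time window, so a real deployment would additionally expire the counts (the log-notification Eric mentions would then fire on the burst rather than on the lockout).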

