Mailinglist Archive: opensuse-security (232 mails)

RE: [suse-security] account lockout after x incorrect attempts???
  • From: Baenen Eric P Contr AFRL/HEC <Eric.Baenen@xxxxxxxxxxxx>
  • Date: Thu, 6 Oct 2005 08:51:44 -0400
  • Message-id: <53689306F895574497F51E0CA8679B47A9B519@xxxxxxxxxxxxxxxxxxxxx>

I agree wholeheartedly with your point - it is a stupid, useless measure
that leaves us open to major denial of service attacks... And I have stated
this to 'upper IS management' - however, we have been given no choice - it is
'corporate' policy - policy as usual, made by people who don't understand
the technology -- and, as usual, we have to live with the consequences.

The SUSE secure alternative of login delays (ours set to 20 seconds) quite
effectively deters brute-force attacks, and logging of failed login attempts
with notification gives us an indication when "something isn't right" - but
unfortunately we don't have a say in the matter.

Thanks,

Eric

> > We have a number of SUSE 9.x workstations - and recently we've been
> > mandated to have them adhere to a corporate IT security policy that
> > requires account lockout after a certain number of incorrect login
> > attempts.
> >
> > ....
>
> Look for this under Bone-Headed Security.
>
> Imagine this policy is successfully implemented. Then
> *anyone* could lock anyone else out of their account (aka a
> DoS) simply by trying to log into it. This policy opens the
> door to all kinds of mischief. It would be even worse if it's
> going to be used to log in from the internet.
> Then you might as well give Al Qaida an on/off switch to your
> email system.
>
>
> hth,
> korporal ken, civilian
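The two policies argued over in this exchange, modelled side by side as an added example (this is not code from the thread, from SUSE, or from PAM). The first class is the corporate "lock the account after N failures" rule and the second is the per-failure delay Eric describes; a simulated clock stands in for the sleep a PAM failure delay imposes. The user table, the 20-second and three-attempt figures, and the login(1)-style log lines are constructed for illustration, and the last function is the "notify on repeated failures" check Eric mentions, run over those lines.

```python
import re
from collections import defaultdict

# Constructed credential store (plain text only because this is a model;
# a real system compares against a salted hash).
USERS = {"alice": "correct horse", "bob": "battery staple"}


def check_password(user, password):
    return USERS.get(user) == password


class LockoutPolicy:
    """Corporate policy: disable the account after `threshold` consecutive
    failures. Anyone who can reach the login prompt can trigger the lock."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.failures = defaultdict(int)
        self.locked = set()

    def attempt(self, user, password):
        if user in self.locked:
            return "locked"            # even the right password is refused
        if check_password(user, password):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.threshold:
            self.locked.add(user)
        return "fail"


class DelayPolicy:
    """Eric's alternative: every failure costs the caller `delay` seconds of
    wall-clock time; the account itself is never disabled."""

    def __init__(self, delay=20):
        self.delay = delay
        self.clock = 0                 # seconds the caller has spent waiting

    def attempt(self, user, password):
        if check_password(user, password):
            return "ok"
        self.clock += self.delay
        return "fail"


def dos_demo():
    """An attacker who knows only alice's user name fires three wrong guesses.
    Returns what alice then sees under each policy, plus the attacker's cost."""
    lock, delay = LockoutPolicy(threshold=3), DelayPolicy(delay=20)
    for guess in ("guess1", "guess2", "guess3"):
        lock.attempt("alice", guess)
        delay.attempt("alice", guess)
    return {"lockout": lock.attempt("alice", "correct horse"),
            "delay": delay.attempt("alice", "correct horse"),
            "attacker_seconds_spent": delay.clock}


def brute_force_cost(candidates, delay=20):
    """Seconds a serial brute force of `candidates` against bob costs under the
    delay policy, and the 1-based index of the hit (None if the list runs out)."""
    policy = DelayPolicy(delay)
    for i, guess in enumerate(candidates, 1):
        if policy.attempt("bob", guess) == "ok":
            return policy.clock, i
    return policy.clock, None


# Constructed log lines in the style login(1) uses for failed attempts.
LOG = """\
Oct  6 08:40:01 ws1 login[2231]: FAILED LOGIN 1 FROM 10.0.0.7 FOR alice, Authentication failure
Oct  6 08:40:25 ws1 login[2231]: FAILED LOGIN 2 FROM 10.0.0.7 FOR alice, Authentication failure
Oct  6 08:40:49 ws1 login[2231]: FAILED LOGIN 3 FROM 10.0.0.7 FOR alice, Authentication failure
Oct  6 08:41:13 ws1 login[2231]: FAILED LOGIN 4 FROM 10.0.0.7 FOR alice, Authentication failure
Oct  6 08:45:02 ws1 login[2290]: FAILED LOGIN 1 FROM 10.0.0.9 FOR bob, Authentication failure
"""
FAILED = re.compile(r"FAILED LOGIN \d+ FROM (?P<src>\S+) FOR (?P<user>\w+)")


def failed_login_alerts(log_text, threshold=3):
    """Count failures per (user, source) and return the pairs that reach
    `threshold`; this is the notification hook, not a lock."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            counts[(m["user"], m["src"])] += 1
    return sorted(k for k, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(dos_demo())
    print(brute_force_cost(["wrong"] * 1000 + ["battery staple"]))
    print(failed_login_alerts(LOG))
```

Under the lockout policy three wrong guesses from anyone leave alice unable to log in with her real password; under the delay policy she logs in normally while the attacker has burned 60 seconds, and a 1000-entry word list costs the attacker 20,000 seconds of waiting. The alert function shows the point that lockout and detection are separable: the log tells you the same thing the lock would, without handing the attacker the off switch.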
