From owner-freebsd-hackers Tue Feb 11 6:22:52 2003
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4C33037B401; Tue, 11 Feb 2003 06:22:51 -0800 (PST)
Received: from dan.emsphone.com (dan.emsphone.com [199.67.51.101]) by mx1.FreeBSD.org (Postfix) with ESMTP id 77AD243FAF; Tue, 11 Feb 2003 06:22:50 -0800 (PST) (envelope-from dan@dan.emsphone.com)
Received: (from dan@localhost) by dan.emsphone.com (8.12.6/8.12.6) id h1BEMlfq095255; Tue, 11 Feb 2003 08:22:47 -0600 (CST) (envelope-from dan)
Date: Tue, 11 Feb 2003 08:22:47 -0600
From: Dan Nelson
To: David Schultz
Cc: Julian Elischer, hackers@FreeBSD.ORG, des@FreeBSD.ORG
Subject: Re: Some "security" questions.
Message-ID: <20030211142247.GU5356@dan.emsphone.com>
References: <20030211102730.GB2570@HAL9000.homeunix.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20030211102730.GB2570@HAL9000.homeunix.com>
X-OS: FreeBSD 5.0-CURRENT
X-message-flag: Outlook Error
User-Agent: Mutt/1.5.3i
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

In the last episode (Feb 11), David Schultz said:
> Thus spake Julian Elischer :
> > Our client wants the following 'features' and we'd LIKE to be able
> > to at least say "yes we can do that", even if we can also say "but
> > we don't think it's a good idea".
> >
> > 2/ they want to disable a login if it fails 'n' sequential logins
> > anywhere in the system. i.e. 2 on one machine followed by another
> > on another machine.
>
> For #2, I'd try to convince them that their threat model is way out
> of whack and get new clients if they disagree. CapitalOne
> implemented #2 for their online credit card account management
> system, and people would launch DOS attacks as you describe by
> guessing random logins, so customer service learned to change
> peoples' passwords whenever they asked...

Not having #2 in your internal network is a big red X on security audits, though. Netware did this right, where 3 (configurable) consecutive bad logins set an intruder lockout flag that gets cleared after 10 (configurable) minutes.

-- 
Dan Nelson
dnelson@allantgroup.com
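The Netware-style mechanism Dan describes (n consecutive bad logins set an intruder-lockout flag that clears by itself after a timeout) is what separates a usable lockout from the permanent-disable variant that turned into a customer-service problem in David's CapitalOne story. The following is an added example, not code from the thread, from FreeBSD or from Netware: a small time-limited lockout policy with an injectable clock so the expiry can be exercised without waiting. The `LockoutPolicy` class, the `attempt_login` helper, the thresholds and the sample credential are all assumptions of this example.

```python
"""Time-limited login lockout (added example, not from the thread).

After `threshold` consecutive failed logins for an account the account is
flagged locked; the flag clears on its own once `lockout_seconds` have
elapsed, so a legitimate user who was locked out gets back in without an
administrator resetting anything. A successful login resets the counter.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
import time


@dataclass
class _AccountState:
    failures: int = 0                     # consecutive failed attempts
    locked_until: Optional[float] = None  # clock value when the flag expires


class LockoutPolicy:
    def __init__(self, threshold: int = 3, lockout_seconds: float = 600.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        if threshold < 1:
            raise ValueError("threshold must be >= 1")
        self.threshold = threshold
        self.lockout_seconds = lockout_seconds
        self._clock = clock
        self._accounts: Dict[str, _AccountState] = {}

    def _state(self, user: str) -> _AccountState:
        return self._accounts.setdefault(user, _AccountState())

    def is_locked(self, user: str) -> bool:
        """True while the intruder-lockout flag is set for `user`.

        Checking the clock here is what clears the flag: once the window
        has passed, the flag and the failure count are reset.
        """
        st = self._state(user)
        if st.locked_until is None:
            return False
        if self._clock() >= st.locked_until:
            st.locked_until = None
            st.failures = 0
            return False
        return True

    def record_failure(self, user: str) -> bool:
        """Count a failed attempt; return True if the account is now locked."""
        if self.is_locked(user):
            return True
        st = self._state(user)
        st.failures += 1
        if st.failures >= self.threshold:
            st.locked_until = self._clock() + self.lockout_seconds
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful login ends the run of consecutive failures."""
        if not self.is_locked(user):
            self._state(user).failures = 0


def attempt_login(policy: LockoutPolicy, user: str, password: str,
                  verify: Callable[[str, str], bool]) -> str:
    """One login attempt under the policy.

    Returns "locked" (refused before the password is even checked),
    "ok" (accepted) or "rejected" (bad credentials, counted toward the
    threshold). Refusing before verification is what stops guessing,
    and also what lets a stranger lock a legitimate user out for the
    duration of the window, which is why the window is bounded.
    """
    if policy.is_locked(user):
        return "locked"
    if verify(user, password):
        policy.record_success(user)
        return "ok"
    policy.record_failure(user)
    return "rejected"


def demo() -> List[str]:
    """Replay the thread's scenario against a controllable clock."""
    now = [0.0]
    policy = LockoutPolicy(threshold=3, lockout_seconds=600.0,
                           clock=lambda: now[0])
    creds = {"alice": "correct horse"}      # constructed sample credential
    verify = lambda u, p: creds.get(u) == p
    log = []
    for _ in range(3):                       # three wrong guesses set the flag
        log.append(attempt_login(policy, "alice", "wrong", verify))
    # The right password is refused while the flag is set.
    log.append(attempt_login(policy, "alice", "correct horse", verify))
    now[0] += 600.0                          # the 10-minute window elapses
    log.append(attempt_login(policy, "alice", "correct horse", verify))
    return log


if __name__ == "__main__":
    print(demo())
```

The threshold and window are the two knobs Dan calls configurable; lowering the threshold or lengthening the window makes guessing harder and the nuisance lockout more painful in equal measure, which is the trade-off the thread is arguing about.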