Date: Tue, 11 Feb 2003 06:45:55 -0800
From: David Schultz <dschultz@uclink.Berkeley.EDU>
To: Dan Nelson <dnelson@allantgroup.com>
Cc: Julian Elischer <julian@elischer.org>, hackers@FreeBSD.ORG, des@FreeBSD.ORG
Subject: Re: Some "security" questions.
Message-ID: <20030211144555.GA3846@HAL9000.homeunix.com>
In-Reply-To: <20030211142247.GU5356@dan.emsphone.com>
References: <Pine.BSF.4.21.0302101752500.49102-100000@InterJet.elischer.org> <20030211102730.GB2570@HAL9000.homeunix.com> <20030211142247.GU5356@dan.emsphone.com>
Thus spake Dan Nelson <dnelson@allantgroup.com>:
> In the last episode (Feb 11), David Schultz said:
> > Thus spake Julian Elischer <julian@elischer.org>:
> > > Our client wants the following 'features' and we'd LIKE to be able
> > > to at least say "yes we can do that", even if we can also say "but
> > > we don't think it's a good idea".
> > >
> > > 2/ they want to disable a login if it fails 'n' sequential logins
> > > anywhere in the system. i.e. 2 on one machine followed by another
> > > on another machine.
> >
> > For #2, I'd try to convince them that their threat model is way out
> > of whack and get new clients if they disagree. CapitalOne
> > implemented #2 for their online credit card account management
> > system, and people would launch DOS attacks as you describe by
> > guessing random logins, so customer service learned to change
> > people's passwords whenever they asked...
>
> Not having #2 in your internal network is a big red X on security
> audits, though. Netware did this right, where 3 (configurable)
> consecutive bad logins set an intruder lockout flag, that gets cleared
> after 10 (configurable) minutes.

With an internal network, perhaps the DOS attack can be disregarded, but I still don't consider this to be the right approach. If you throttle the maximum allowable authentication attempt rate after an incorrect password to, say, 5 seconds, it would take an attacker 24 years to exhaust half of the possible 6-digit monocase alphabetic passwords, and many millennia to do the same for 8-digit alphanumeric passwords. (I take the former statistic to be a more realistic metric of the actual entropy in most passwords.) The attempts will show up in your audit logs in under 24 hours. There are better ways to do network intrusion detection, such as Vern Paxson's BRO. These systems detect attacks in a more general way, rather than looking specifically for online password-guessing attacks, which are rather minor threats these days.

You deal with attacks by locking the attacker out of your network, rather than locking out the legitimate victim user.
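The arithmetic behind the 24-year figure above, and a small model of the two policies the thread contrasts (throttle-after-failure versus lock-out-after-n-failures), as an added illustration. This is not code from the thread or from FreeBSD; the account name, source addresses, timestamps and the 10,000-iteration PBKDF2 setting are constructed for the demonstration. The scenario shows the point David makes: under the throttle policy the guesser is slowed and every guess lands in the audit log, while the legitimate user still gets in; under the lockout policy three guesses from the attacker are enough to deny the real user.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def exhaustion_years(charset_size: int, length: int, delay_seconds: float,
                     fraction: float = 0.5) -> float:
    """Years needed to try `fraction` of all passwords of the given length
    when the server permits one attempt per `delay_seconds` after a failure.
    26 letters, length 6, 5 s delay, half the space -> about 24.5 years."""
    attempts = (charset_size ** length) * fraction
    return attempts * delay_seconds / SECONDS_PER_YEAR


def _hash(password: str, salt: bytes) -> bytes:
    # Iteration count is illustrative only; pick it for your own hardware.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


@dataclass
class AccountState:
    salt: bytes
    digest: bytes
    last_failure: float = -1e9   # time of the most recent failed attempt
    failures: int = 0            # consecutive failures (used by lockout policy)


@dataclass
class Authenticator:
    """policy='throttle': refuse attempts within `delay` seconds of a failure.
    policy='lockout':  refuse all attempts once `max_failures` in a row occur."""
    policy: str = "throttle"
    delay: float = 5.0
    max_failures: int = 3
    accounts: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def add_user(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = AccountState(salt, _hash(password, salt))

    def login(self, user: str, password: str, now: float, source: str) -> str:
        acct = self.accounts.get(user)
        if acct is None:
            self._log(now, user, source, "unknown-user")
            return "denied"
        if self.policy == "lockout" and acct.failures >= self.max_failures:
            self._log(now, user, source, "locked-out")
            return "denied"
        if self.policy == "throttle" and now - acct.last_failure < self.delay:
            self._log(now, user, source, "throttled")
            return "denied"
        if hmac.compare_digest(_hash(password, acct.salt), acct.digest):
            acct.failures = 0
            self._log(now, user, source, "success")
            return "ok"
        acct.failures += 1
        acct.last_failure = now
        self._log(now, user, source, "bad-password")
        return "denied"

    def _log(self, now: float, user: str, source: str, outcome: str) -> None:
        # One audit line per attempt; this is what the detection side reads.
        self.audit_log.append(f"t={now:.0f} user={user} src={source} {outcome}")

    def failures_from(self, source: str) -> int:
        """Count wrong-password attempts from one source address in the log."""
        return sum(1 for line in self.audit_log
                   if f"src={source}" in line and line.endswith("bad-password"))


def demo(policy: str) -> dict:
    """Constructed scenario: a guesser at 10.0.0.9 tries three wrong passwords
    for 'alice' at t=0, 1 and 6; alice then logs in correctly at t=12."""
    auth = Authenticator(policy=policy)
    auth.add_user("alice", "correct horse")
    results = [auth.login("alice", guess, now=t, source="10.0.0.9")
               for t, guess in ((0, "aaaaaa"), (1, "aaaaab"), (6, "aaaaac"))]
    results.append(auth.login("alice", "correct horse", now=12, source="ws-alice"))
    return {"results": results,
            "attacker_failures": auth.failures_from("10.0.0.9"),
            "log": auth.audit_log}


if __name__ == "__main__":
    print(f"6 lowercase letters, 5 s delay: {exhaustion_years(26, 6, 5):.1f} years")
    print(f"8 alphanumerics, 5 s delay: {exhaustion_years(36, 8, 5):.0f} years")
    for policy in ("throttle", "lockout"):
        print(policy, demo(policy)["results"])
```

The throttle keys on the account's last failure, so the guesser's second attempt one second later is refused outright and the third succeeds only in being logged; the block's `failures_from` is the simplest form of the audit-log review the message refers to, and in a real deployment the response to a noisy source is applied at the network edge, not to the victim account.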