Date: Tue, 11 Feb 2003 08:22:47 -0600
From: Dan Nelson <dnelson@allantgroup.com>
To: David Schultz <dschultz@uclink.Berkeley.EDU>
Cc: Julian Elischer <julian@elischer.org>, hackers@FreeBSD.ORG, des@FreeBSD.ORG
Subject: Re: Some "security" questions.
Message-ID: <20030211142247.GU5356@dan.emsphone.com>
In-Reply-To: <20030211102730.GB2570@HAL9000.homeunix.com>
References: <Pine.BSF.4.21.0302101752500.49102-100000@InterJet.elischer.org> <20030211102730.GB2570@HAL9000.homeunix.com>
In the last episode (Feb 11), David Schultz said:
> Thus spake Julian Elischer <julian@elischer.org>:
> > Our client wants the following 'features' and we'd LIKE to be able
> > to at least say "yes we can do that", even if we can also say "but
> > we don't think it's a good idea".
> >
> > 2/ they want to disable a login if it fails 'n' sequential logins
> > anywhere in the system. i.e. 2 on one machine followed by another
> > on another machine.
>
> For #2, I'd try to convince them that their threat model is way out
> of whack and get new clients if they disagree.  CapitalOne
> implemented #2 for their online credit card account management
> system, and people would launch DOS attacks as you describe by
> guessing random logins, so customer service learned to change
> peoples' passwords whenever they asked...

Not having #2 in your internal network is a big red X on security
audits, though.  Netware did this right, where 3 (configurable)
consecutive bad logins sets an intruder lockout flag, that gets cleared
after 10 (configurable) minutes.

-- 
	Dan Nelson
	dnelson@allantgroup.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
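The mechanism the thread argues about, written out as an added example (this is not code from the thread, from FreeBSD, or from any Netware implementation): a site-wide counter of consecutive failed logins per account, with a configurable threshold and a lockout flag that clears itself after a configurable window, as Dan describes for Netware. The demo also shows the failure mode David raises: once an attacker has burned the threshold from any mix of hosts, the legitimate user's correct password is refused until the window expires. The credential store, usernames, hostnames and timestamps are constructed for the demo, and the state lives in an in-memory dict; counting "anywhere in the system" for real would need this state in a shared service that every login host consults.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed credential store for the demo: username -> (salt, sha256(salt || password)).
# Demo only; a real system would use a proper password KDF.
def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()

_SALT = b"demo-salt-not-secret"
CREDENTIALS = {
    "alice": (_SALT, _hash(_SALT, "correct horse")),
}


@dataclass
class AccountState:
    failures: int = 0           # consecutive bad logins since the last success or clear
    locked_until: float = 0.0   # epoch seconds; 0.0 means the intruder flag is not set
    hosts: list = field(default_factory=list)  # where each failure came from (audit trail)


class SiteWideLockout:
    """Consecutive-failure lockout counted per account across all hosts.

    threshold       - bad logins in a row that set the lockout flag (Netware default: 3)
    lockout_seconds - how long the flag stays set before it clears itself (Netware: 10 min)
    Both are configurable, as in the policy described in the thread.
    """

    def __init__(self, threshold: int = 3, lockout_seconds: int = 600):
        self.threshold = threshold
        self.lockout_seconds = lockout_seconds
        self.state = {}  # username -> AccountState (assumption: in-memory, single process)

    def _get(self, user: str) -> AccountState:
        return self.state.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        st = self._get(user)
        if st.locked_until and now >= st.locked_until:
            # Window has elapsed: clear the flag and the counter, as Netware's timeout does.
            st.locked_until = 0.0
            st.failures = 0
            st.hosts.clear()
        return st.locked_until > now

    def record_failure(self, user: str, host: str, now: float) -> bool:
        """Count one bad login from `host`. Returns True if the account is (now) locked."""
        st = self._get(user)
        if self.is_locked(user, now):
            # Design choice (assumption): failures during a lockout do not extend it,
            # so an attacker cannot keep a victim locked out indefinitely by retrying.
            return True
        st.failures += 1
        st.hosts.append(host)
        if st.failures >= self.threshold:
            st.locked_until = now + self.lockout_seconds
            return True
        return False

    def record_success(self, user: str) -> None:
        # A successful login resets the consecutive-failure count.
        self.state.pop(user, None)


def attempt_login(policy: SiteWideLockout, user: str, password: str, host: str, now: float) -> str:
    """Returns 'ok', 'bad-password', or 'locked'."""
    if policy.is_locked(user, now):
        return "locked"  # correct or not, the password is not even checked
    entry = CREDENTIALS.get(user)
    if entry is None or not hmac.compare_digest(_hash(entry[0], password), entry[1]):
        policy.record_failure(user, host, now)
        return "bad-password"
    policy.record_success(user)
    return "ok"


def demo() -> list:
    """Walk through the scenario from the thread with constructed timestamps."""
    policy = SiteWideLockout(threshold=3, lockout_seconds=600)
    t = 1_000_000.0
    results = []
    # Attacker: two guesses on host-a, then one on host-b. Counted together site-wide.
    results.append(attempt_login(policy, "alice", "guess1", "host-a", t))
    results.append(attempt_login(policy, "alice", "guess2", "host-a", t + 1))
    results.append(attempt_login(policy, "alice", "guess3", "host-b", t + 2))
    # The real user, with the right password, is now shut out: the DoS David describes.
    results.append(attempt_login(policy, "alice", "correct horse", "host-c", t + 3))
    # After the 10-minute window the flag clears itself and the real password works again.
    results.append(attempt_login(policy, "alice", "correct horse", "host-c", t + 700))
    return results


if __name__ == "__main__":
    print(demo())
```

The three-line `demo()` sequence is the whole argument of the thread in miniature: the same counter that satisfies the auditor's checkbox also hands any anonymous party a way to lock out a named user with three wrong guesses, and the only thing bounding that is the auto-clear window. Note that `attempt_login` does not tell the caller whether a lockout was triggered by this attempt or an earlier one, and it refuses before checking the password while locked, so a locked attacker learns nothing about password correctness during the window.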
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030211142247.GU5356>