On Tue, 06 May 2003, Joyce, Matthew wrote:
> I have seen several methods of stopping brute force password guessing attack
> in the past.
>
> NT has lockout setting, for locking account after x number of failed logins.
> I think Lotus used to extend the time between login each failed attempt.
>
> Is there something similar for Debian ?

The problem with locking the account out after a failed number of password
attempts is that it becomes very easy to launch a sort of DOS against the
machine - just try the common user names with invalid passwords 3 times (or
however many times it's needed to lock out).

IIRC, ssh has a short delay between password checks, which is a better
method, IMHO. Considering a 3 second delay, that's 20 passwds a minute,
1200 passwds an hour, or 28800 passwds a day! Sounds scary, until you
realize that an 8 character alphanumeric passwd would be 2,821,109,907,456
possible combinations, not counting the difference between lowercase and
uppercase letters.

Pick a good password, with lower case, upper case, and numbers, make sure
it's not based on something that is guessable, and make sure it's a decent
length. Then install logcheck or the like and configure it to watch failed
passwd attempts. If you're really paranoid, make ssh authenticate with a key
as well as a passwd.

--
...crying "Tekeli-li! Tekeli-li!"... ~ HPL
icq : 34583382           | === ascii ribbon campaign ===
msn : dasunt@hotmail.com | () - against html mail
yim : tsunad             | /\ - against proprietary attachments
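The two points of the reply above, watching failed passwd attempts in the ssh log and bounding a guesser by the per-attempt delay, as an added example (not code from the thread or from logcheck). It assumes the classic OpenSSH "Failed password for ..." syslog line format; the log lines and addresses below are constructed sample data.

```python
"""Watch sshd failed-password lines and bound a serial guesser by its delay.

Added example for the thread above, not part of any logcheck rule set.
Assumes the classic OpenSSH syslog format; sample data is constructed.
"""
import re
from collections import Counter

# Constructed sample auth log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
May  6 10:01:02 box sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 40110 ssh2
May  6 10:01:05 box sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 40110 ssh2
May  6 10:01:08 box sshd[2203]: Failed password for root from 192.0.2.10 port 40111 ssh2
May  6 10:02:30 box sshd[2210]: Accepted publickey for alice from 198.51.100.7 port 51022 ssh2
May  6 10:03:41 box sshd[2215]: Failed password for alice from 198.51.100.7 port 51030 ssh2
"""

# Matches both "Failed password for invalid user X" and "Failed password for X".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[0-9A-Fa-f.:]+) port \d+"
)


def failed_attempts(log_text):
    """Count failed password attempts per source address and per user name."""
    by_src, by_user = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            by_src[m.group("src")] += 1
            by_user[m.group("user")] += 1
    return by_src, by_user


def noisy_sources(log_text, threshold=3):
    """Sources with at least `threshold` failures: the ones worth an alert."""
    by_src, _ = failed_attempts(log_text)
    return sorted(src for src, n in by_src.items() if n >= threshold)


def guesses_per_day(delay_seconds):
    """Upper bound on serial guesses when each attempt costs `delay_seconds`."""
    return 86400 // delay_seconds


def days_to_exhaust(charset_size, length, delay_seconds):
    """Days one serial guesser needs to try every password of this length."""
    return charset_size ** length / guesses_per_day(delay_seconds)
```

With the reply's figures, `guesses_per_day(3)` is the 28800 quoted above, and `days_to_exhaust(36, 8, 3)` shows that the 36^8 alphanumeric space takes on the order of 10^8 days to walk at that rate.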