On Tue, 06 May 2003, Joyce, Matthew wrote:
> I have seen several methods of stopping brute force password guessing attacks
> in the past.
>
> NT has a lockout setting, for locking an account after x number of failed logins.
> I think Lotus used to extend the time between logins after each failed attempt.
>
> Is there something similar for Debian?
The problem with locking the account out after a number of failed
password attempts is that it becomes very easy to launch a sort of
DoS against the machine - just try the common user names with invalid
passwords 3 times (or however many times it's needed to lock out).
IIRC, ssh has a short delay between password checks, which is a better
method, IMHO. Considering a 3-second delay, that's 20 passwds a
minute, 1200 passwds an hour, or 28800 passwds a day! Sounds scary,
until you realize that an 8 character alphanumeric passwd would be
2,821,109,907,456 possible combinations, not counting the difference
between lowercase and uppercase letters.
Pick a good password, with lower case, upper case, and numbers, make
sure it's not based on something that is guessable, and make sure it's a
decent length. Then install logcheck or the like and configure it to
watch failed passwd attempts. If you're really paranoid, make ssh
authenticate with a key as well as a passwd.
--
...crying "Tekeli-li! Tekeli-li!"... ~ HPL
icq : 34583382 | === ascii ribbon campaign ===
msn : dasunt@hotmail.com | () - against html mail
yim : tsunad | /\ - against proprietary attachments
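The two practical points in the reply above (a per-attempt delay bounds the online guessing rate, so the time to exhaust a password space can be estimated from it, and failed password attempts should be picked out of the auth log, as logcheck would) as a worked example. This is added code, not part of the original post or of logcheck/OpenSSH; the auth.log lines are constructed samples in OpenSSH's "Failed password" format, the IP addresses and user names are made up, and the search-time estimate assumes one serialized guess per delay, i.e. the attacker is not opening many parallel connections.

```python
"""Added example, not from the original mailing-list post.

1. parse_failed_logins / guessing_sources / failures_per_account: pick sshd
   "Failed password" lines out of an auth log and count them per source IP
   and per account (constructed sample lines, made-up addresses and names).
2. keyspace / exhaustive_search_days: the reply's arithmetic, generalized
   to any alphabet, length and per-attempt delay; assumes one serialized
   guess per delay, so parallel connections are not modelled.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (syslog timestamps carry no year).
SAMPLE_AUTH_LOG = """\
May  6 10:00:01 host sshd[2301]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
May  6 10:00:04 host sshd[2301]: Failed password for root from 192.0.2.10 port 40001 ssh2
May  6 10:00:07 host sshd[2303]: Failed password for root from 192.0.2.10 port 40002 ssh2
May  6 10:00:10 host sshd[2305]: Failed password for alice from 192.0.2.10 port 40003 ssh2
May  6 10:02:00 host sshd[2310]: Accepted publickey for alice from 198.51.100.7 port 50022 ssh2
May  6 10:05:30 host sshd[2320]: Failed password for alice from 198.51.100.7 port 50023 ssh2
"""

# OpenSSH logs "invalid user" before names that do not exist on the box.
FAILED_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failed_logins(text, year=2003):
    """Return (timestamp, user, ip) for every sshd 'Failed password' line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        stamp = f"{year} {m['month']} {m['day']} {m['time']}"
        events.append((datetime.strptime(stamp, "%Y %b %d %H:%M:%S"), m["user"], m["ip"]))
    return events


def guessing_sources(events, threshold=3, window_seconds=60):
    """Source IPs with at least `threshold` failures inside any window.

    Keyed on the source, not the account: locking the account after N
    failures is what hands an attacker the denial of service the reply
    describes, whereas counting per source lets you rate-limit or block
    the guesser and leave the user's account alone.
    """
    by_ip = defaultdict(list)
    for ts, _user, ip in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i + 1 >= threshold:
                flagged[ip] = j - i + 1  # failures in the densest window found
                break
    return flagged


def failures_per_account(events):
    """Failed attempts per target account, the view logcheck would report."""
    counts = defaultdict(int)
    for _ts, user, _ip in events:
        counts[user] += 1
    return dict(counts)


def keyspace(length, alphabet_size):
    """Number of passwords of exactly `length` over an alphabet of that size."""
    return alphabet_size ** length


def exhaustive_search_days(length, alphabet_size, delay_seconds):
    """Days to try every password once, at one guess per `delay_seconds`.

    With the reply's 3-second delay that is 28800 guesses a day; a real
    attacker may open many connections in parallel, which this ignores.
    """
    guesses_per_day = 86400 / delay_seconds
    return keyspace(length, alphabet_size) / guesses_per_day


if __name__ == "__main__":
    evs = parse_failed_logins(SAMPLE_AUTH_LOG)
    print("failures per account:", failures_per_account(evs))
    print("guessing sources:", guessing_sources(evs))
    print("8-char alphanumeric keyspace:", keyspace(8, 36))
    print("days to exhaust at one guess / 3 s:", round(exhaustive_search_days(8, 36, 3)))
```

Run against a real /var/log/auth.log the same regex applies unchanged; the per-source report is what you would feed a firewall rule or a rate limiter, while the per-account report is what tells you which of your users is being targeted.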