/etc/failures
kai at uicsrd.csrd.uiuc.edu
Fri Dec 2 22:46:00 AEST 1988
> disabling accounts ... allows an intruder to deny service to authorized
> users by spoofing them enough times.

I used to manage a VAX VMS system, which had a better variation of this
idea. Maybe some capable wizard could add this to /bin/login.

1) If a login of a single account name at a single terminal fails 3 times in
a row within a short period of time, that account is temporarily disallowed
from logging in on that terminal.

2) If a login of a single account at multiple terminals fails 3 times in a
row, the account is temporarily disallowed from logging in at any terminal.

3) If logins of any accounts at a single terminal fail 6 times in a row,
that terminal is temporarily disabled.

The effect of a temporarily disallowed account is simply that attempts to
log in with it are refused, as though the account doesn't exist. The effect
of a disabled terminal is that it provides no response at all.

The number of times a login fails before a "breakin attempt" is logged and
action is taken is configurable, and is usually 3. The length of time that
the terminal/account is disabled is some period between 5 and 15 minutes (the
range is configurable). There is some randomness involved in choosing the
exact time, to help thwart automated login/password guessers. The time gets
longer each consecutive time a particular type of breakin is detected.

The system keeps a list of "breakin attempts" for which action is currently
being taken, and logs and/or broadcasts appropriate messages, allowing a
system or security administrator to quickly take action and/or re-enable the
account/terminal if desired.

Patrick Wolfe (pat at kai.com, kailand!pat)
System Manager, Kuck and Associates, Inc.
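
The three rules in the post above, as an added Python sketch that is not part of the original message and is not VMS or /bin/login code. The class and method names, the 5-minute failure window, the linear growth of the lockout on repeat detections, and caller-supplied timestamps in seconds are assumptions.

```python
import random

class BreakinTracker:
    """Lockout rules 1-3 from the post. Assumed: 5-minute failure window, strike-count scaling."""

    def __init__(self, acct_limit=3, term_limit=6, window=300, lo=300, hi=900, rng=None):
        self.acct_limit, self.term_limit, self.window = acct_limit, term_limit, window
        self.lo, self.hi = lo, hi                  # 5 to 15 minutes, in seconds
        self.rng = rng or random.SystemRandom()    # unpredictable lockout length
        self.fails = {}    # streak key -> [(time, terminal)] consecutive failures
        self.blocked = {}  # block key -> expiry time
        self.strikes = {}  # block key -> times this block has been triggered

    def _block(self, key, streak, now):
        n = self.strikes[key] = self.strikes.get(key, 0) + 1
        # Random base period, lengthened on each repeat (linear growth is an assumption).
        self.blocked[key] = now + self.rng.uniform(self.lo, self.hi) * n
        self.fails.pop(streak, None)
        return key

    def is_blocked(self, account, terminal, now):
        keys = (("term", terminal), ("acct", account), ("acct@term", account, terminal))
        return any(self.blocked.get(k, 0) > now for k in keys)

    def record(self, account, terminal, ok, now):
        """Record one attempt; return the list of blocks it triggered."""
        a, t = ("acct", account), ("term", terminal)
        if ok:  # a success ends both "in a row" streaks
            self.fails.pop(a, None)
            self.fails.pop(t, None)
            return []
        for k in (a, t):
            recent = [f for f in self.fails.get(k, []) if now - f[0] <= self.window]
            self.fails[k] = recent + [(now, terminal)]
        tripped = []
        if len(self.fails[t]) >= self.term_limit:        # rule 3: terminal disabled
            tripped.append(self._block(t, t, now))
        if len(self.fails[a]) >= self.acct_limit:
            one_tty = len({term for _, term in self.fails[a]}) == 1
            # rule 1: same terminal -> block there only; rule 2: several -> block everywhere
            key = ("acct@term", account, terminal) if one_tty else a
            tripped.append(self._block(key, a, now))
        return tripped
```

A login program would call `is_blocked` before prompting and refuse or stay silent as the post describes, then call `record` with the outcome and log whatever it returns.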