web-security methods, advice please!

Christopher Browne cbbrowne-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Tue Jan 2 19:38:23 UTC 2007


On 1/2/07, Sy Ali <sy1234-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org> wrote:
> On 1/2/07, Madison Kelly <linux-5ZoueyuiTZhBDgjK7y7TUQ at public.gmane.org> wrote:
> > The idea, as I understood it, was to force a brute-force attack to try
> > X-number of hashes per password, slowing down a brute-force attack to
> > about 1 password/second. It may be overkill though, especially because of
> > the server-side CPU resources required...
>
> I'm confused.. why not implement this idea server-side.. to
> automatically delay multiple password attempts?
>
> Or better yet.. five password failures locks an IP out for x hours and
> logs the event.
>
> Perhaps these ideas would help against the brute force worries.

Throw in with this...

Any time a password failure is detected for a particular IP, delay for
somewhat increasing periods of time before releasing the connection,
as well as before responding to new connections from that IP.

Every time there's a failure, the delays increase [somewhat
exponentially]; success drops it back to 0...
-- 
http://linuxfinances.info/info/linuxdistributions.html
"...  memory leaks  are  quite acceptable  in  many applications  ..."
(Bjarne Stroustrup, The Design and Evolution of C++, page 220)
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
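The two suggestions in this thread (Sy Ali's "five failures locks an IP out for x hours and logs the event" and Christopher's escalating per-IP delay that drops back to zero on success) fit in one small tracker. The code below is an added example, not code from either poster or from TLUG; the class and method names and the numbers (1 s base delay doubling on every failure, a 300 s cap, lockout after 5 failures for 3600 s) are assumptions chosen to illustrate the scheme. The clock is passed in as a parameter so the behaviour can be exercised without actually sleeping.

```python
"""Per-IP brute-force throttling: escalating delay on each failure, a hard
lockout after a threshold, and a reset to zero on success.  Hypothetical
illustration; names and parameters are assumptions, not from the thread."""
import logging
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

log = logging.getLogger("auth.throttle")


@dataclass
class _State:
    failures: int = 0
    release_at: float = 0.0    # earliest time a new connection gets answered
    locked_until: float = 0.0  # hard lockout expiry; 0.0 means not locked


@dataclass
class FailureTracker:
    base_delay: float = 1.0          # seconds stalled after the first failure
    max_delay: float = 300.0         # cap so the doubling cannot grow unbounded
    lockout_after: int = 5           # consecutive failures before a hard lockout
    lockout_seconds: float = 3600.0  # "x hours" from the thread, here one hour
    _states: Dict[str, _State] = field(default_factory=dict)

    def delay_for_failures(self, failures: int) -> float:
        """Delay after the n-th consecutive failure: base * 2**(n-1), capped."""
        if failures <= 0:
            return 0.0
        return min(self.base_delay * 2 ** (failures - 1), self.max_delay)

    def record_failure(self, ip: str, now: Optional[float] = None) -> float:
        """Register a failed password attempt from ip.

        Returns the number of seconds the server should stall before
        releasing the connection that just failed."""
        now = time.monotonic() if now is None else now
        st = self._states.setdefault(ip, _State())
        if st.locked_until and now >= st.locked_until:
            # A lockout that has run its course wipes the slate.
            st.failures, st.locked_until = 0, 0.0
        st.failures += 1
        delay = self.delay_for_failures(st.failures)
        st.release_at = now + delay
        if st.failures >= self.lockout_after and not st.locked_until:
            st.locked_until = now + self.lockout_seconds
            log.warning("locking out %s for %.0fs after %d failures",
                        ip, self.lockout_seconds, st.failures)
        return delay

    def record_success(self, ip: str) -> None:
        """A successful login drops the counter straight back to zero."""
        self._states.pop(ip, None)

    def is_locked(self, ip: str, now: Optional[float] = None) -> bool:
        st = self._states.get(ip)
        if st is None:
            return False
        now = time.monotonic() if now is None else now
        return now < st.locked_until

    def wait_before_answering(self, ip: str, now: Optional[float] = None) -> float:
        """Seconds a *new* connection from ip should wait before being served."""
        st = self._states.get(ip)
        if st is None:
            return 0.0
        now = time.monotonic() if now is None else now
        if now < st.locked_until:
            return st.locked_until - now
        return max(0.0, st.release_at - now)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    tracker = FailureTracker()
    attacker = "203.0.113.7"  # constructed sample address (TEST-NET-3)
    t = 0.0
    for attempt in range(1, 7):
        stall = tracker.record_failure(attacker, now=t)
        print(f"failure {attempt}: stall {stall:.0f}s, "
              f"new connections wait {tracker.wait_before_answering(attacker, now=t):.0f}s")
        t += stall
    tracker.record_success(attacker)
    print("after success:", tracker.wait_before_answering(attacker, now=t))
```

record_failure gives the stall for the connection that just failed, and wait_before_answering the hold for fresh connections from the same address, matching the two delays the post describes. Two things to keep in mind when deploying something like this: keying on source IP treats everyone behind one NAT as a single client, so a few typos from a shared office can lock the whole office out; and a plain in-process dict is lost on restart and not shared between server processes.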