web-security methods, advice please!
Madison Kelly
linux-5ZoueyuiTZhBDgjK7y7TUQ at public.gmane.org
Wed Jan 3 03:09:58 UTC 2007
Christopher Browne wrote:
> On 1/2/07, Sy Ali <sy1234-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org> wrote:
>> On 1/2/07, Madison Kelly <linux-5ZoueyuiTZhBDgjK7y7TUQ at public.gmane.org> wrote:
>> > The idea, as I understood it, was to force a brute-force attack to try
>> > X-number of hashes per password, slowing down a brute-force attack to
>> > about 1 password/second. It may be overkill though, especially because
>> > of the server-side CPU resources required...
>>
>> I'm confused.. why not implement this idea server-side.. to
>> automatically delay multiple password attempts?
>>
>> Or better yet.. five password failures locks an IP out for x hours and
>> logs the event.
>>
>> Perhaps these ideas would help against the brute force worries.
>
> Throw in with this...
>
> Any time a password failure is detected for a particular IP, delay for
> somewhat increasing periods of time before releasing the connection,
> as well as before responding to new connections from that IP.
>
> Every time there's a failure, the delays increase [somewhat
> exponentially]; success drops it back to 0...
Very smart, and will be done. Thanks!
Madi
--
The Toronto Linux Users Group. Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
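
The per-IP scheme proposed in this thread (delays that grow roughly exponentially with each failure and drop back to 0 on success, plus a logged lockout after five failures), sketched as an added example that is not part of the original messages. The class name, the 1-second base, the 60-second cap and the 1-hour lockout are assumptions.

```python
import time


class LoginThrottle:
    """Per-IP delay that doubles on each failed login and resets on success."""

    def __init__(self, base=1.0, cap=60.0, lock_after=5, lock_secs=3600.0,
                 clock=time.monotonic):
        # All numeric defaults are assumptions; the thread only says
        # "somewhat exponentially" and "locks an IP out for x hours".
        self.base, self.cap = base, cap
        self.lock_after, self.lock_secs = lock_after, lock_secs
        self.clock = clock
        self.state = {}    # ip -> (consecutive failures, blocked-until time)
        self.events = []   # lockout log; a real server would write to syslog

    def wait_needed(self, ip):
        """Seconds to hold or refuse a connection from ip before checking it."""
        _, until = self.state.get(ip, (0, 0.0))
        return max(0.0, until - self.clock())

    def record_failure(self, ip):
        """Count a bad password; return the delay now imposed on ip."""
        failures = self.state.get(ip, (0, 0.0))[0] + 1
        if failures >= self.lock_after:
            delay = self.lock_secs
            self.events.append((self.clock(), ip, failures))
        else:
            delay = min(self.cap, self.base * 2 ** (failures - 1))
        self.state[ip] = (failures, self.clock() + delay)
        return delay

    def record_success(self, ip):
        """A good login drops the delay for ip back to 0."""
        self.state.pop(ip, None)


def demo():
    """Replay constructed attempts against a fake clock; return the delays."""
    now = [0.0]
    t = LoginThrottle(clock=lambda: now[0])
    ip = "192.0.2.10"                      # constructed (TEST-NET-1) address
    delays = []
    for _ in range(5):
        delays.append(t.record_failure(ip))
        now[0] += t.wait_needed(ip)        # client waits out the penalty
    return delays, len(t.events)
```

The state dictionary gains an entry for every distinct source address that fails a login, so a deployment would also need to expire old entries.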