On Mon, 19 Jun 2017 12:51:30 +0930
Tim <ignored_mailbox@xxxxxxxxxxxx> wrote:

> Really, what ought to get tightened up is the software accepting
> logons. There should be a limited number of attempts (3 goes and you're
> out for a significant time limit). Any system that lets a cracker
> hammer away with repeated attempts is the thing that is broken.

I don't think it has to be as low as 3. It could be 100 or 1000, a restriction that a human will never hit, but a cracking program will hit almost immediately. This makes it easy to separate attackers from legitimate users, and take appropriate action against the attackers. Ban their IP address? Notify their ISP? Track their botnet and disable it? I'm not sure there are effective defenses.

An alternative is to look for frequency of login attempts. More than 1 every second implies a bot, not a human.
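
The two heuristics discussed in this message (a cap on total failed attempts per source, and a rate above one attempt per second), as an added example that is not part of the original message. The sshd-like log format, the sample lines, the function names and the `burst` window size are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (sshd-like format, documentation IP addresses).
SAMPLE_LOG = """\
2017-06-19T03:00:00.000 sshd[811]: Failed password for root from 203.0.113.7 port 40001
2017-06-19T03:00:00.300 sshd[811]: Failed password for root from 203.0.113.7 port 40002
2017-06-19T03:00:00.600 sshd[811]: Failed password for admin from 203.0.113.7 port 40003
2017-06-19T03:00:00.900 sshd[811]: Failed password for admin from 203.0.113.7 port 40004
2017-06-19T03:00:01.200 sshd[811]: Failed password for invalid user test from 203.0.113.7 port 40005
2017-06-19T04:00:00 sshd[811]: Failed password for root from 192.0.2.44 port 51000
2017-06-19T04:00:02 sshd[811]: Failed password for root from 192.0.2.44 port 51001
2017-06-19T04:00:04 sshd[811]: Failed password for root from 192.0.2.44 port 51002
2017-06-19T04:00:06 sshd[811]: Failed password for root from 192.0.2.44 port 51003
2017-06-19T04:00:08 sshd[811]: Failed password for root from 192.0.2.44 port 51004
2017-06-19T04:00:10 sshd[811]: Failed password for root from 192.0.2.44 port 51005
2017-06-19T09:15:02 sshd[811]: Failed password for tim from 198.51.100.20 port 52211
2017-06-19T09:15:11 sshd[811]: Failed password for tim from 198.51.100.20 port 52212
2017-06-19T09:15:25 sshd[811]: Accepted password for tim from 198.51.100.20 port 52213
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for "
                     r"(?:invalid user )?\S+ from (?P<ip>\S+) port \d+")

def failed_attempts(log_text):
    """Return {source_ip: sorted list of failed-login timestamps}."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_ip[m["ip"]].append(datetime.fromisoformat(m["ts"]))
    return {ip: sorted(ts) for ip, ts in by_ip.items()}

def classify(times, max_total=100, burst=5, max_rate=1.0):
    """Return why a source looks automated; an empty list means it looks human."""
    reasons = ["count"] if len(times) > max_total else []
    # Rate: any `burst` consecutive failures arriving faster than max_rate per second.
    for i in range(len(times) - burst + 1):
        span = (times[i + burst - 1] - times[i]).total_seconds()
        if span < (burst - 1) / max_rate:
            reasons.append("rate")
            break
    return reasons

def suspects(log_text, **limits):
    # Keep only the sources that tripped at least one heuristic.
    found = {ip: classify(t, **limits) for ip, t in failed_attempts(log_text).items()}
    return {ip: why for ip, why in found.items() if why}
```

In the sample, the source pacing itself at one attempt every two seconds never trips the rate check and is only caught once its total passes the count cap, so the two checks complement each other.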