Tim:
>> Really, what ought to get tightened up is the software accepting
>> logons. There should be a limited number of attempts (3 goes and you're
>> out for a significant time limit). Any system that lets a cracker
>> hammer away with repeated attempts is the thing that is broken.

stan:
> I don't think it has to be as low as 3. It could be 100 or 1000, a
> restriction that a human will never hit, but a cracking program will
> hit almost immediately.

Three seems to be a common threshold, but I agree that it could be set higher for those reasons. I know that I've mistyped things three times in a row, and when you can't see what you're typing, it's easy to not notice you've made a mistake. Like you, I imagine a cracking attempt is going to try more than a person would.

> This makes it easy to separate attackers from legitimate users, and
> take appropriate action against the attackers. Ban their IP address?
> Notify their ISP? Track their botnet and disable it? I'm not sure
> there are effective defenses.
>
> An alternative is to look for frequency of login attempts. More than 1
> every second implies a bot, not a human.

Again, I agree. It's not too hard for a person to make that kind of judgement call about what's a cracking attempt versus a human trying to deal with a poor interface, so it ought to be a programmable solution, too.

I think you'd first want to block the source from further attempts. If multiple sources are trying, you know it's a crack attempt. No real user could be doing that. You could try banning all cracking sources, but if they're a zombied army of bots, you could be banning genuine users of your service who've no idea they're using a compromised computer. So the idea of notifying their ISP has merit, on a number of fronts (ISP can tell the user they need to fix up their PC, ISP can take action to check if their users are indulging in organised hacking, etc).
Though there's still the problem of reporting things to ISPs that are a problem, in themselves. In my early days of using the net, I'd occasionally make a report to an ISP about spam from one of their users, only to get a bucketload more spam straight away. It was obvious that the ISP itself, or one of their staff, was involved in spamming; or they stupidly inform their user about the complaint, naming where the complaint came from. Either way, making a complaint was actually worse than useless.

--
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64
(always current details of the computer that I'm writing this email on)

Boilerplate: All mail to my mailbox is automatically deleted, there is no point trying to privately email me, I only get to see the messages posted to the mailing list.

Next time your service provider asks you to reboot your equipment, ask them to reboot theirs, first.
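The three heuristics discussed in this thread (lock a source out after a run of failures, treat more than one attempt per second as a bot, and treat one account being hit from many sources as a distributed attempt) as an added worked example, not code from the original post or from any Fedora component; the log format, the function names and the sample log lines are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the post): timestamp, source, account, result
SAMPLE_LOG = """\
2013-07-20T10:00:00 203.0.113.5 alice FAIL
2013-07-20T10:00:09 203.0.113.5 alice FAIL
2013-07-20T10:00:21 203.0.113.5 alice OK
2013-07-20T10:01:00 198.51.100.7 root FAIL
2013-07-20T10:01:00 198.51.100.7 root FAIL
2013-07-20T10:01:01 198.51.100.7 root FAIL
2013-07-20T10:01:01 198.51.100.7 root FAIL
2013-07-20T10:02:00 192.0.2.10 bob FAIL
2013-07-20T10:02:03 192.0.2.11 bob FAIL
2013-07-20T10:02:05 192.0.2.12 bob FAIL
2013-07-20T10:02:08 192.0.2.13 bob FAIL
"""

def parse(log):
    """Yield (timestamp, source, account, result) from the constructed log format above."""
    for line in log.splitlines():
        ts, src, user, result = line.split()
        yield datetime.fromisoformat(ts), src, user, result

def classify(log, max_failures=3, min_gap=timedelta(seconds=1), spread=3):
    """Return {'locked': [...], 'bots': [...], 'distributed': {account: [sources]}}.
    locked: max_failures consecutive failures from one source (a success resets it;
            raise max_failures to 100 or 1000 to keep fumbling humans out of it).
    bots: two attempts from one source closer together than min_gap.
    distributed: an account hit by at least `spread` distinct failing sources."""
    consecutive = defaultdict(int)      # source -> current run of failures
    last_seen = {}                      # source -> timestamp of previous attempt
    account_sources = defaultdict(set)  # account -> sources that failed against it
    locked, bots = set(), set()
    for ts, src, user, result in parse(log):
        if src in last_seen and ts - last_seen[src] < min_gap:
            bots.add(src)               # faster than any human could type
        last_seen[src] = ts
        if result == "OK":
            consecutive[src] = 0        # a real user who finally got it right
            continue
        consecutive[src] += 1
        account_sources[user].add(src)
        if consecutive[src] >= max_failures:
            locked.add(src)
    # Many sources on one account suggests a botnet; as the thread notes, those
    # sources may be victims' PCs, so report them to their ISPs rather than just ban.
    distributed = {u: sorted(s) for u, s in account_sources.items() if len(s) >= spread}
    return {"locked": sorted(locked), "bots": sorted(bots), "distributed": distributed}
```

Running `classify(SAMPLE_LOG)` flags 198.51.100.7 as both locked and a bot, leaves alice alone, and reports bob's account as a distributed attempt from four sources.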