* Craig James (cjames@xxxxxxxxxxxxxx) wrote:
> A far better approach is an escalating delay. Check the number of failed
> login attempts N and delay (for example) N^2 seconds before responding
> again. Legitimate users are mildly inconvenienced, and hackers are
> severely hampered.

Sadly, in certain environments (US Federal organizations which are required to follow FISMA), a lock-after-X-attempts control is required. We dealt with this by utilizing the PAM authentication method with pam_tally. It's kind of ugly, but it can be made to work.

Other alternatives are using Kerberos or Certificate-based authentication, where the user has to acquire initial credentials through some other mechanism and then those have a limited time of usefulness (e.g. Kerberos tickets only last 10 hours). By using those credentials instead of having database-based password requirements, you can avoid the entire problem (along with password ageing, etc.).

Thanks,

Stephen
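The two controls discussed in this thread, the escalating N^2-second delay Craig proposes and the lock-after-X-attempts control Stephen says FISMA environments require, are easy to confuse until you see them side by side. The following Python module is an added illustration written for this page; it is not code from either poster and not pam_tally's logic. It assumes an injectable clock (`FakeClock` is a constructed stand-in for `time.monotonic`) so the delay arithmetic can be checked without sleeping, and it caps the escalating delay at a configurable maximum, which is a design choice of this example rather than something the thread specifies.

```python
"""Escalating-delay vs. lock-after-X-attempts login throttling (illustrative)."""
import time
from dataclasses import dataclass


@dataclass
class AttemptRecord:
    failures: int = 0        # consecutive failed logins for this user
    last_failure: float = 0.0  # clock reading at the most recent failure


class FakeClock:
    """Constructed deterministic clock so the example runs instantly offline."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class EscalatingDelayPolicy:
    """After N consecutive failures, refuse to answer for N**2 seconds.

    A legitimate user who mistypes twice waits 1 + 4 = 5 seconds in total;
    a guesser making 10 consecutive wrong attempts waits 385 seconds.
    """
    def __init__(self, clock=time.monotonic, max_delay=3600):
        self.clock = clock
        self.max_delay = max_delay  # cap is an assumption of this example
        self.records = {}

    def delay_for(self, failures):
        return min(failures ** 2, self.max_delay)

    def check(self, user):
        """Seconds the server must still wait before answering (0.0 = go ahead)."""
        rec = self.records.get(user)
        if rec is None or rec.failures == 0:
            return 0.0
        remaining = rec.last_failure + self.delay_for(rec.failures) - self.clock()
        return max(0.0, remaining)

    def record(self, user, success):
        rec = self.records.setdefault(user, AttemptRecord())
        if success:
            rec.failures = 0  # a good login resets the escalation
        else:
            rec.failures += 1
            rec.last_failure = self.clock()


def total_wait_for(failures, max_delay=3600):
    """Cumulative seconds an attacker spends waiting across `failures` consecutive misses."""
    return sum(min(n ** 2, max_delay) for n in range(1, failures + 1))


class LockoutPolicy:
    """Lock the account after `max_failures` misses; only an explicit unlock clears it.

    This mirrors the lock-after-X-attempts control the thread describes: simple to
    audit, but a third party can lock a legitimate user out by guessing badly on purpose,
    which is exactly the denial-of-service cost the escalating delay avoids.
    """
    def __init__(self, max_failures=5):
        self.max_failures = max_failures
        self.failures = {}
        self.locked = set()

    def check(self, user):
        """True if the account may attempt a login right now."""
        return user not in self.locked

    def record(self, user, success):
        if success:
            self.failures[user] = 0
            return
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked.add(user)

    def unlock(self, user):
        """Administrative reset, the only way out of a lock in this policy."""
        self.locked.discard(user)
        self.failures[user] = 0


if __name__ == "__main__":
    clock = FakeClock()
    delay = EscalatingDelayPolicy(clock=clock)
    for n in range(1, 6):
        delay.record("alice", False)
        print(f"failure {n}: wait {delay.check('alice'):.0f}s")
        clock.advance(delay.check("alice"))
    print("10 consecutive misses cost a guesser", total_wait_for(10), "seconds in total")
```

The escalating policy keeps its state per user and resets on success, so the honest user's typos never accumulate into a lock, while each additional miss costs a guesser quadratically more wall-clock time. The lockout policy is what a compliance regime such as the one Stephen mentions asks for; in practice it is paired with an out-of-band unlock path, and its denial-of-service side effect is the reason the thread prefers the delay where the rules allow it.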