 Need to lock users login after 3 failed attempts

Hi,

Does anyone know of a version of the login program that will simply lock
the user's account after three failed login attempts?  We are currently
using a security program, but since this is all we use it for, it
would be simpler to just use a modified login program.  I thought I
had found it with logdaemon package since it claims "fascist login
procedures" but I guess it is for logging not logging in as it
compiled fine under Sun 2.5.1 and does not log me out after any number
of failed attempts.  So: any ideas for other programs or did I compile
logdaemon wrong?

thanks



 Fri, 12 Nov 1999 03:00:00 GMT   
 Need to lock users login after 3 failed attempts

Probably a bad idea: how does one prevent a denial of services attack
thereby causing all users an outsider knows about being locked out due
to excessive password attempts.



 Sat, 13 Nov 1999 03:00:00 GMT   
 Need to lock users login after 3 failed attempts

: In article <338a1ad0.20070...@nntp1.wellsfargo.com>, a...@well.com wrote:
: >Hi,
: >
: >Does anyone know of a version of the login program that will simply lock
: >the user's account after three failed login attempts?  We are currently
: >using a security program, but since this is all we use it for, it
: >would be simpler to just use a modified login program.  I thought I
: >had found it with logdaemon package since it claims "fascist login
: >procedures" but I guess it is for logging not logging in as it
: >compiled fine under Sun 2.5.1 and does not log me out after any number
: >of failed attempts.  So: any ideas for other programs or did I compile
: >logdaemon wrong?

: Probably a bad idea: how does one prevent a denial of services attack
: thereby causing all users an outsider knows about being locked out due
: to excessive password attempts.

Probably the only user worth locking out is root. Then you can lock out
another user to let root know there is a problem ;-)

Jim
--



 Mon, 15 Nov 1999 03:00:00 GMT   
 Need to lock users login after 3 failed attempts

The denial of service issue is legitimate, but remember there is a
flip-side to this coin.

If root is never denied, then an intruder may be able to start a guessed
password attack.  I think NT suffers from this, and there isn't even
anything to slow it down so thousands of passwords can be tried in
minutes.  Of course, that's NT, and it has little to do with security ;-)

If you are going to lock an account on failed attempts, you must weigh the
consequences of a denial of service attack.  It may be worth it, but then
again it might not.

As for root, perhaps it should be set up so it can only be used via a console.

From personal experience, I have locked accounts on X number of failed
attempts.  I found 3 way too small.  7 seemed to be the magic number for
me.  The silly users kept forgetting which password they used, but at
least they could remember it by the 7th try.
======================================================================
|                                |                                   |
| Nishnabotna Bend Technologies  | Visit us & request a free issue   |
| Advanced Technology Consulting | of our weekly security report. We |
| Networks-Security-Computing    | summarize current security news   |
| http://www.nishnabotna.com     | and alerts for you!               |
|                                |                                   |
======================================================================



 Tue, 16 Nov 1999 03:00:00 GMT   
 Need to lock users login after 3 failed attempts

    >> : Probably a bad idea: how does one prevent a denial of
    >> services attack thereby causing all users an outsider knows
    >> about being locked out due to excessive password attempts.
    >>
    >>
    >> Probably the only user worth locking out is root. Then you can
    >> lock out another user to let root know there is a problem ;-)

    Nishnabotna> The denial of service issue is legitimate, but
    Nishnabotna> remember there is a flip-side to this coin.

    Nishnabotna> If root is never denied, then an intruder may be able
    Nishnabotna> to start a guessed password attack.  I think NT
    Nishnabotna> suffers from this, and there isn't even anything to
    Nishnabotna> slow it down so thousands of passwords can be tried
    Nishnabotna> in minutes.  Of course, that's NT, and it has little
    Nishnabotna> to do with security ;-)

    Nishnabotna> If you are going to lock an account on failed
    Nishnabotna> attempts, you must weigh the consequences of a denial
    Nishnabotna> of service attack.  It may be worth it, but then
    Nishnabotna> again it might not.

    Nishnabotna> As for root, perhaps it should be set up so it can
    Nishnabotna> only be used via a console.

    Nishnabotna> From personal experience, I have locked accounts on X
    Nishnabotna> number of failed attempts.  I found 3 way too small.
    Nishnabotna> 7 seemed to be the magic number for me.  The silly
    Nishnabotna> users kept forgetting which password they used, but
    Nishnabotna> at least they could remember it by the 7th try.

I agree with you. How did you lock them out after 7 attempts?
--
  The day is short, and the work is great,     |   Aharon Schkolnik
  and the laborers are lazy, and the reward    |   Aha...@Health.Gov.IL
  is great, and the Master of the house is     |
  impatient. - Ethics Of The Fathers Ch. 2     |



 Thu, 18 Nov 1999 03:00:00 GMT   
 Need to lock users login after 3 failed attempts

: If root is never denied, then an intruder may be able to start a guessed
: password attack.  I think NT suffers from this, and there isn't even
: anything to slow it down so thousands of passwords can be tried in
: minutes.  Of course, that's NT, and it has little to do with security ;-)

It amazes me that nobody changes the name of the superuser on Unix.
It's difficult to do a DoS attack on an account that you don't know the
name of..

--
Matthew Wilcox

The UNIX system has a command, nice, which allows a user to voluntarily
reduce the priority of his processes in order to be nice to the other
users.  Nobody ever uses it.  -- Andy Tanenbaum



 Fri, 19 Nov 1999 03:00:00 GMT   
 Need to lock users login after 3 failed attempts

  This feature works in Netware. Another side of the coin is a
premeditated lock of an account. We have this problem, a funny guy tries
several times an account and blocks it, so even the owner of the account
is unable to log in.

Regards,
Antonio



 Fri, 19 Nov 1999 03:00:00 GMT   
 Need to lock users login after 3 failed attempts

Actually changing root's name wouldn't be a great idea, some (lame)
scripts and such use `whoami` == 'root' instead of `id -u` == 0.

--
#####################   For PGP key, telnet senate.org 5000
#  Nathan Dorfman   #        or finger nat...@senate.org
# Senate Industries # /'-- www.senate.org | ftp.senate.org -- `\
##################### \________________________________________/



 Sat, 20 Nov 1999 03:00:00 GMT   
 Need to lock users login after 3 failed attempts

That's pretty close to security by obscurity, though.

        Roger
--
e-mail: es...@llaic.univ-bpclermont.fr, es...@unix.bigots.org
WWW page & PGP key: http://www.eleves.ens.fr:8080/home/espel/index.html



 Sat, 20 Nov 1999 03:00:00 GMT   
 Need to lock users login after 3 failed attempts

why not use an alpha-numeric pager? ... run a script that detects
multiple bad logins and sends a note (via e-mail) to an alpha pager held
by the on-duty sys op - the sys op can then check into the problem;
works for the single hacker, for the forgetful client, or even
denial-o-s attack.



 Sat, 20 Nov 1999 03:00:00 GMT   
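
An added example, not part of the original thread: a sketch of the "detect multiple bad logins and notify the operator" script suggested in the post above, alerting instead of locking so a flood of bad guesses cannot lock users out. The colon-separated "user:tty:timestamp" log layout, the sample records, the function names and the optional mail address are all assumptions made for illustration.

```sh
#!/bin/sh
# Constructed sample of a failed-login log. The "user:tty:timestamp"
# layout is an assumption; change the awk field handling to match your log.
sample_log() {
cat <<'EOF'
alice:/dev/pts/3:Mon Nov 15 10:12:01 1999
alice:/dev/pts/3:Mon Nov 15 10:12:09 1999
bob:/dev/pts/1:Mon Nov 15 10:13:40 1999
alice:/dev/pts/5:Mon Nov 15 10:14:02 1999
root:/dev/console:Mon Nov 15 10:20:11 1999
carol:/dev/pts/2:Mon Nov 15 10:21:30 1999
root:/dev/console:Mon Nov 15 10:21:58 1999
alice:/dev/pts/3:Mon Nov 15 10:22:47 1999
carol:/dev/pts/2:Mon Nov 15 10:23:05 1999
root:/dev/console:Mon Nov 15 10:24:55 1999
EOF
}

# failed_login_report THRESHOLD  (log on stdin)
# Prints one "ALERT" line per account with THRESHOLD or more failures,
# listing each distinct terminal once, in the order first seen.
failed_login_report() {
    awk -F: -v max="$1" '
        NF >= 3 {
            count[$1]++
            if (!seen[$1, $2]++)
                ttys[$1] = ttys[$1] (ttys[$1] == "" ? "" : ",") $2
        }
        END {
            for (u in count)
                if (count[u] >= max)
                    printf "ALERT %s failures=%d ttys=%s\n", u, count[u], ttys[u]
        }' | sort
}

# notify_operator THRESHOLD [ADDRESS]  (log on stdin)
# Mails the report to ADDRESS (e.g. a pager gateway) when one is given,
# otherwise prints it. Sends nothing when no account is over the limit.
notify_operator() {
    report=$(failed_login_report "$1")
    if [ -z "$report" ]; then return 0; fi
    if [ -n "${2:-}" ]; then
        echo "$report" | mailx -s "failed logins over limit" "$2"
    else
        echo "$report"
    fi
}

sample_log | notify_operator 3
```
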
 Need to lock users login after 3 failed attempts

In <EB5EAq....@ciba-geigy.ch> bwilma@pp_w0221_chbs.pp.chbs (Matthew Wilcox) writes:

Because as soon as somebody finds out the new root user's name, you're toast.

Nick.
--
Kralizec / Zeta Microcomputer Software  Fax: +61-2-9233-6545 Voice: 9837-1397
G.P.O. Box 3400, Sydney NSW 1043        http://www.zeta.org.au/



 Sun, 21 Nov 1999 03:00:00 GMT   
 Need to lock users login after 3 failed attempts

Roger Espel Llima (es...@llaic.univ-bpclermont.fr) wrote:
: In article <EB5EAq....@ciba-geigy.ch>, Matthew Wilcox <wi...@bofh.ai.> wrote:
: >It amazes me that nobody changes the name of the superuser on Unix.
: >It's difficult to do a DoS attack on an account that you don't know the
: >name of..

: That's pretty close to security by obscurity, though.

I wasn't suggesting that as the _only_ security.  Anyone on the system
can examine /etc/passwd and find all users with UID 0.  But it's an extra
layer of security that stops J. Random Luser from Elsewhere having a go.

--
Matthew Wilcox

The UNIX system has a command, nice, which allows a user to voluntarily
reduce the priority of his processes in order to be nice to the other
users.  Nobody ever uses it.  -- Andy Tanenbaum



 Tue, 23 Nov 1999 03:00:00 GMT   
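
An added example, not part of the original thread: it illustrates the two points made above about renaming root, namely that a name comparison (the `whoami` == 'root' style of check) misses a renamed superuser while a UID comparison does not, and that every UID 0 entry is visible in a passwd-format file. The sample entries, the account names "sysop" and "toor", and the function names are hypothetical.

```sh
#!/bin/sh
# Constructed passwd-format sample: the superuser has been renamed to
# "sysop" and a second UID 0 entry "toor" exists (both names hypothetical).
sample_passwd() {
cat <<'EOF'
sysop:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
toor:x:0:1:Backup superuser:/:/bin/sh
alice:x:101:10:Alice:/home/alice:/bin/sh
EOF
}

# uid0_accounts  (passwd data on stdin)
# Prints every login name whose UID field is 0.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }'
}

# is_super_by_name NAME
# The fragile check: equivalent to comparing `whoami` output with "root".
is_super_by_name() {
    [ "$1" = "root" ]
}

# is_super_by_uid NAME  (passwd data on stdin)
# The robust check: succeeds when NAME maps to UID 0, whatever it is called.
is_super_by_uid() {
    awk -F: -v n="$1" '$1 == n && $3 == 0 { found = 1 } END { exit !found }'
}

# Show how the two checks disagree for each UID 0 account in the sample.
for n in $(sample_passwd | uid0_accounts); do
    if is_super_by_name "$n"; then byname=yes; else byname=no; fi
    if sample_passwd | is_super_by_uid "$n"; then byuid=yes; else byuid=no; fi
    echo "$n: name check says $byname, UID check says $byuid"
done
```
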
 