Tim:
> Really, what ought to get tightened up is the software accepting
> logons. There should be a limited number of attempts (3 goes and you're
> out for a significant time limit). Any system that lets a cracker
> hammer away with repeated attempts is the thing that is broken.
stan:
I don't think it has to be as low as 3. It could be 100 or 1000, a
restriction that a human will never hit, but a cracking program will
hit almost immediately.
Three seems to be a common threshold, but I agree that it could be set
higher for those reasons. I know that I've mistyped things three times
in a row, and when you can't see what you're typing, it's easy to not
notice you've made a mistake. Like you, I imagine a cracking attempt is
going to try more than a person would.
This makes it easy to separate attackers from legitimate users, and
take appropriate action against the attackers. Ban their IP address?
Notify their ISP? Track their botnet and disable it? I'm not sure
there are effective defenses.
An alternative is to look for frequency of login attempts. More than 1
every second implies a bot, not a human.
Again, I agree. It's not too hard for a person to make that kind of
judgement call about what's a cracking attempt versus a human trying to
deal with a poor interface, so it ought to be a programmable solution,
too.
I think you'd first want to block the source from further attempts. If
multiple sources are trying, you know it's a crack attempt. No real
user could be doing that.
You could try banning all cracking sources, but if they're a zombied
army of bots, you could be banning genuine users of your service who've
no idea they're using a compromised computer. So the idea of notifying
their ISP has merit, on a number of fronts (ISP can tell the user they
need to fix up their PC, ISP can take action to check if their users are
indulging in organised hacking, etc).
Though there's still the problem of reporting things to ISPs that are a
problem, in themselves. In my early days of using the net, I'd
occasionally make a report to an ISP about spam from one of their users,
only to get a bucketload more spam straight away. It was obvious that
the ISP itself, or one of their staff, was involved in spamming; or they
stupidly inform their user about the complaint, naming where the
complaint came from. Either way, making a complaint was actually worse
than useless.
--
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64
(always current details of the computer that I'm writing this email on)
Boilerplate: All mail to my mailbox is automatically deleted, there is
no point trying to privately email me, I only get to see the messages
posted to the mailing list.
Next time your service provider asks you to reboot your equipment, ask
them to reboot theirs, first.
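An added example (not from this thread or any of its posters) applying the two tests discussed above to a few constructed sshd-style failure lines: a per-source attempt threshold, a per-source rate threshold of one attempt per second, and a check for one account being hit from several sources, which is the distributed case raised in the reply. The log line format, the addresses and the default thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd-style sample lines (not real log data).
SAMPLE_LOG = """\
2013-07-20T10:00:01 sshd: Failed password for alice from 198.51.100.7
2013-07-20T10:00:09 sshd: Failed password for alice from 198.51.100.7
2013-07-20T10:00:20 sshd: Failed password for alice from 198.51.100.7
2013-07-20T10:01:00 sshd: Failed password for root from 203.0.113.5
2013-07-20T10:01:00 sshd: Failed password for root from 203.0.113.5
2013-07-20T10:01:01 sshd: Failed password for root from 203.0.113.5
2013-07-20T10:01:01 sshd: Failed password for root from 203.0.113.5
2013-07-20T10:02:00 sshd: Failed password for bob from 192.0.2.10
2013-07-20T10:02:30 sshd: Failed password for bob from 192.0.2.11
2013-07-20T10:03:00 sshd: Failed password for bob from 192.0.2.12
"""

LINE_RE = re.compile(r"^(\S+) sshd: Failed password for (\S+) from (\S+)$")

def parse_failures(text):
    """Yield (timestamp, user, source) for each failed-login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def classify(text, max_attempts=100, max_rate=1.0, max_sources=2):
    """Return (flagged, distributed): flagged maps a source to the reason it
    looks automated; distributed maps an account to the sources hitting it
    when more than max_sources distinct hosts are involved."""
    by_source = defaultdict(list)
    by_user = defaultdict(set)
    for ts, user, src in parse_failures(text):
        by_source[src].append(ts)
        by_user[user].add(src)
    flagged = {}
    for src, times in by_source.items():
        times.sort()
        if len(times) > max_attempts:
            flagged[src] = "too many attempts"
            continue
        # Attempts per second over the observed window (at least 1 s);
        # a human fumbling a password stays well under one per second.
        span = max((times[-1] - times[0]).total_seconds(), 1.0)
        if len(times) > 1 and len(times) / span > max_rate:
            flagged[src] = "rate above %.1f/s" % max_rate
    distributed = {u: sorted(s) for u, s in by_user.items() if len(s) > max_sources}
    return flagged, distributed
```

With the defaults, alice's three slow mistakes pass, the root source is caught by the rate test, and bob's account is reported as hit from three hosts; lowering max_attempts to 2 also trips alice's source, which is the false-positive risk of a low threshold.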