Firewall Wizards mailing list archives
Re: Handling Invalid Login Requests in Firewall
From: "Don Parker" <dparker () rigelksecurity com>
Date: Wed, 21 Jan 2004 16:05:28 -0500 (EST)
The lockout approach after n failed logins is still the best, imho. Sending an email to the sysadmin about repeated failed attempts may just as easily not be addressed, for as you say they are normally fairly busy. Though it could be a form of DoS, as you say, the person doing it would still have to obtain valid user names to do so. There is no silver bullet for this scenario unfortunately, but the lockout after failed attempts is still the best that I am aware of.

Cheers

-------------------------------------------
Don Parker, GCIA
Intrusion Detection Specialist
Rigel Kent Security & Advisory Services Inc
www.rigelksecurity.com
ph :613.249.8340
fax:613.249.8319
--------------------------------------------

On Jan 16, DLN Krishna <dlnk () intotoinc com> wrote:

Hi,

In one of the Asian countries, the firewall criteria indicate that if a user tries to log into the firewall appliance more than X times, the appliance MUST not allow that user to log in until the user's password is changed.

There is another school of thought that this type of behavior might become a DoS for genuine users. It is possible that the attacker might try to log in multiple times with the victim's user name and give a wrong password. When this happens, the victim will not be able to access the appliance until his password is changed by the administrator. The administrator might take many hours to change the password, and this can also become a big headache for the administrator.

I feel that logging a message (or sending an alert to the administrator) when login is not successful X times, with information such as the source IP, source port and the user name being used to log in, would be better than denying any further login attempts.

I would appreciate it if somebody could shed some light on any better approaches to handle this.

Thanks,
Krishna
CTO Office
Intoto Inc.
www.intotoinc.com

***********************************************************************
* D L N Krishna, dlnk () intotoinc com
* Intoto Inc.                          voice : (408)844-0480 Ext 332
* 3160, De La Cruz Blvd, #100,         fax   : (408)844-0488
* Santa Clara, CA - 95054
***********************************************************************

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
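The two policies argued over above (lock the account after X failures until an administrator resets it, versus only log and alert with source IP, source port and user name) can be modelled in a few dozen lines. The following is an added example written for this archive page, not code from either poster or from any firewall product; the class and function names, the thresholds, the user name "alice" and the addresses and ports are constructed for illustration. It runs the same attack under both policies: an attacker guesses wrong three times for a victim's user name, then the genuine user logs in with the correct password. Under the lockout policy the genuine user is refused even with the right password (the DoS Krishna describes); under the alert-only policy the login succeeds and an alert record naming the attacking source is produced instead.

```python
"""Added example: per-user lockout versus alert-only handling of failed logins.

Names, thresholds, addresses and ports below are assumptions for illustration,
not values from the thread or from any real appliance.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class LoginEvent:
    user: str
    src_ip: str
    src_port: int
    password_ok: bool  # stands in for the real credential check


@dataclass
class LoginGuard:
    # Assumed thresholds; a real appliance would make these configurable.
    max_user_fails: int = 3      # lockout threshold, counted per user name
    max_alert_fails: int = 3     # alert threshold, counted per (user, source IP)
    lock_accounts: bool = True   # True: lockout policy; False: alert-only policy
    user_fails: dict = field(default_factory=lambda: defaultdict(int))
    src_fails: dict = field(default_factory=lambda: defaultdict(int))
    locked: set = field(default_factory=set)
    log: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

    def attempt(self, ev: LoginEvent) -> str:
        """Process one login attempt; returns 'ok', 'bad-password' or 'locked'."""
        where = f"{ev.src_ip}:{ev.src_port}"
        if ev.user in self.locked:
            # Lockout policy: even a correct password is refused until admin reset.
            self.log.append(f"DENIED user={ev.user} src={where} reason=locked")
            return "locked"
        if ev.password_ok:
            self.user_fails[ev.user] = 0
            self.log.append(f"OK user={ev.user} src={where}")
            return "ok"
        self.user_fails[ev.user] += 1
        key = (ev.user, ev.src_ip)
        self.src_fails[key] += 1
        # Every failure is logged with the fields Krishna asks for:
        # user name, source IP and source port.
        self.log.append(
            f"FAILED user={ev.user} src={where} fails={self.user_fails[ev.user]}"
        )
        if self.src_fails[key] == self.max_alert_fails:
            self.alerts.append({"user": ev.user, "src_ip": ev.src_ip,
                                "src_port": ev.src_port, "fails": self.src_fails[key]})
        if self.lock_accounts and self.user_fails[ev.user] >= self.max_user_fails:
            self.locked.add(ev.user)
            return "locked"
        return "bad-password"

    def admin_reset(self, user: str) -> None:
        """Administrator clears the lock (the 'password changed' step)."""
        self.locked.discard(user)
        self.user_fails[user] = 0


def run_scenario(lock_accounts: bool) -> tuple:
    """Attacker guesses wrong three times for 'alice', then alice logs in correctly.

    Returns (guard, result_for_alice). Addresses and ports are constructed
    sample data (RFC 5737 documentation ranges).
    """
    guard = LoginGuard(lock_accounts=lock_accounts)
    for port in (40001, 40002, 40003):
        guard.attempt(LoginEvent("alice", "203.0.113.5", port, password_ok=False))
    result = guard.attempt(LoginEvent("alice", "192.0.2.10", 51234, password_ok=True))
    return guard, result


if __name__ == "__main__":
    for policy in (True, False):
        g, r = run_scenario(lock_accounts=policy)
        print(f"lock_accounts={policy}: genuine user gets {r!r}, alerts={g.alerts}")
        for line in g.log:
            print("   ", line)
```

The alert counter is keyed on (user name, source IP) rather than on the user name alone, so a burst of failures from one source trips the alert without putting the genuine user's later login from a different address in the locked state; the lockout counter is keyed on the user name alone, which is precisely why the attacker only needs a valid user name to deny service.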
Current thread:
- Handling Invalid Login Requests in Firewall DLN Krishna (Jan 21)
- Re: Handling Invalid Login Requests in Firewall Paul Robertson (Jan 21)
- <Possible follow-ups>
- Re: Handling Invalid Login Requests in Firewall Don Parker (Jan 21)
- Re: Handling Invalid Login Requests in Firewall Ravi (Jan 22)
- Re: Handling Invalid Login Requests in Firewall DLN Krishna (Jan 22)
- Re: Handling Invalid Login Requests in Firewall Ravi (Jan 22)