Firewall Wizards mailing list archives

Re: Handling Invalid Login Requests in Firewall


From: "Don Parker" <dparker () rigelksecurity com>
Date: Wed, 21 Jan 2004 16:05:28 -0500 (EST)

The lockout approach after n failed logins is still the best imho. Sending an 
email to the sys admin about repeated failed attempts may just as easily not be 
addressed, for as you say they are normally fairly busy. Though it could be a form of DoS 
as you say, the person doing it would still have to obtain valid user names to do so 
with. There is no silver bullet for this scenario unfortunately, but the lockout after 
failed attempts is still the best that I am aware of.

Cheers

-------------------------------------------
Don Parker, GCIA
Intrusion Detection Specialist
Rigel Kent Security & Advisory Services Inc
www.rigelksecurity.com
ph :613.249.8340
fax:613.249.8319
--------------------------------------------

On Jan 16, DLN Krishna <dlnk () intotoinc com> wrote:

Hi,

     In one of the Asian countries, firewall criteria indicate that, if a user
     tries to log into the firewall appliance more than X number of times, the
     appliance MUST not allow that user to log in until the password of the user
     is changed.

     There is another school of thought that this type of behavior might become
     a DoS for genuine users. It is possible that the attacker might try to log in
     multiple times with the victim's user name and give a wrong password. When
     this happens, the victim will not be able to access until his password is
     changed by the Administrator. The Administrator might take many hours to
     change the password, and this can also become a big headache for the
     administrator.

     I feel that logging a message (or sending an alert to the administrator)
     when log-in is not successful for X number of times, with information such as
     source IP and source port and the user name which is being used to log in,
     would be good, over denying any further log-in attempts.

     I would appreciate it if somebody could shed some light on any better
     approaches to handle this.

Thanks,
Krishna
CTO Office
Intoto Inc.
www.intotoinc.com

***********************************************************************
* D L N Krishna,     dlnk () intotoinc com
* Intoto Inc.                             voice : (408)844-0480 Ext 332
* 3160, De La Cruz Blvd, #100,            fax   : (408)844-0488
* Santa Clara, CA - 95054
***********************************************************************


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
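
The two policies debated in this thread, replayed side by side on constructed login events. This is an added example, not part of the original messages; the class and function names, the threshold of 3, the account names and the addresses are all assumptions made for the illustration.

```python
from collections import defaultdict

THRESHOLD = 3  # the thread's "X"; the value 3 is an assumption for this example


class LoginGuard:
    """Tracks consecutive failed logins per user name under one of two policies."""
    def __init__(self, passwords, policy):
        if policy not in ("lockout", "alert"):
            raise ValueError(policy)
        self.passwords = dict(passwords)   # stand-in for the appliance's credential check
        self.policy = policy
        self.failures = defaultdict(list)  # user -> [(src_ip, src_port), ...]
        self.locked = set()
        self.alerts = []

    def attempt(self, user, password, src_ip, src_port):
        if user in self.locked:
            return "locked"                # a correct password is refused too
        if self.passwords.get(user) == password:
            self.failures.pop(user, None)
            return "ok"
        self.failures[user].append((src_ip, src_port))
        if len(self.failures[user]) == THRESHOLD:
            if self.policy == "alert":     # record who was targeted and from where
                self.alerts.append({"user": user, "sources": list(self.failures[user])})
            elif user in self.passwords:   # only an existing account can be locked
                self.locked.add(user)
        return "denied"

    def admin_reset(self, user, new_password):
        """Password change by the administrator, the only way out of a lockout."""
        self.passwords[user] = new_password
        self.locked.discard(user)
        self.failures.pop(user, None)


def replay(policy):
    """Constructed scenario: three bad guesses for alice, then alice herself."""
    guard = LoginGuard({"alice": "correct-horse"}, policy)
    for port in (40001, 40002, 40003):
        guard.attempt("alice", "guess", "203.0.113.7", port)
    for port in (40004, 40005, 40006):     # user name that does not exist
        guard.attempt("bob", "guess", "203.0.113.7", port)
    return guard, guard.attempt("alice", "correct-horse", "192.0.2.10", 51000)


if __name__ == "__main__":
    print({policy: replay(policy)[1] for policy in ("lockout", "alert")})
```

Under `lockout` the genuine user is refused until `admin_reset` runs, and the guesses against the non-existent name lock nobody; under `alert` the genuine user still logs in and the alert carries the user name with each source IP and port.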
