[comp.unix.wizards] /etc/failures

jiml@uwslh.UUCP (James E. Leinweber) (12/02/88)

Logging the number of failed attempts to sign in on an account, and
telling it to the user, is a nice idea.  However, disabling accounts
is itself a more or less well known security problem!  This allows an
intruder to deny service to authorized users by spoofing them enough
times.  If you had servers managed via networks (as opposed to
physical consoles), and the guys in the black hats nailed root and all
your other administrators this way, regaining control of the machines
could be a real chore.
-- 
Jim Leinweber		jiml@uwslh.uucp		jiml%uwslh.uucp@cs.wisc.edu
 ...!{rutgers, ucbvax ...}!uwvax!uwslh!jiml
State Laboratory of Hygiene @ Univ. of Wisconsin - Madison; (608) 262-0736

kai@uicsrd.csrd.uiuc.edu (12/02/88)

> disabling accounts ... allows an intruder to deny service to authorized
> users by spoofing them enough times.

I used to manage a VAX VMS system, which had a better variation of this
idea.  Maybe some capable wizard could add this to /bin/login.

1)  If a login of a single account name at a single terminal fails 3 times in
a row within a short period of time, that account is temporarily disallowed
from logging in on that terminal.

2)  If a login of a single account at multiple terminals fails 3 times in a
row, the account is temporarily disallowed from logging in at any terminal.

3)  If logins of any accounts at a single terminal fail 6 times in a row,
that terminal is temporarily disabled.

The effect of a temporarily disallowed account is simply that attempts to
login with it are refused, as though the account doesn't exist.  The effect
of a disabled terminal is that it provides no response at all.

The number of times a login fails before a "breakin attempt" is logged and
action is taken is configurable, and is usually 3.  The length of time that
the terminal/account is disabled is some period between 5 and 15 minutes (the
range is configurable).  There is some randomness involved in choosing the
exact time, to help thwart automated login/password guessers.  The time gets
longer each consecutive time a particular type of breakin is detected.

The system keeps a list of "breakin attempts" for which action is currently
being taken, and logs and/or broadcasts appropriate messages, allowing a
system or security administrator to quickly take action and/or re-enable the
account/terminal if desired.

	Patrick Wolfe  (pat@kai.com, kailand!pat)
	System Manager, Kuck and Associates, Inc.

smb@ulysses.homer.nj.att.com (Steven M. Bellovin) (12/04/88)

In article <43200055@uicsrd.csrd.uiuc.edu>, kai@uicsrd.csrd.uiuc.edu writes:
 
> 1)  If a login of a single account name at a single terminal fails 3 times in
> a row within a short period of time, that account is temporarily disallowed
> from logging in on that terminal.
 
> 2)  If a login of a single account at multiple terminals fails 3 times in a
> row, the account is temporarily disallowed from logging in at any terminal.
 
> 3)  If logins of any accounts at a single terminal fail 6 times in a row,
> that terminal is temporarily disabled.

What's a ``terminal'' to be disabled?  I'm serious.  What you suggest
may or may not have merit in an environment where most access is via
hard-wired lines these days, however, the real threats are via networks
or dial-up connections.  Even in a campus environment, many (most?)
folks are using some sort of port selector, front-end switch, Ethernet
TAC, etc.  It's rare that any physical port can be associated with a
login attempt.

kai@uicsrd.csrd.uiuc.edu (12/06/88)

> /* Written by smb@ulysses.homer.nj.att.com */
>
>> kai@uicsrd.csrd.uiuc.edu writes:
>> 1)  If a login of a single account name at a single terminal fails 3 times in
>> a row within a short period of time, that account is temporarily disallowed
>> from logging in on that terminal.
>> 2)  If a login of a single account at multiple terminals fails 3 times in a
>> row, the account is temporarily disallowed from logging in at any terminal.
>> 3)  If logins of any accounts at a single terminal fail 6 times in a row,
>> that terminal is temporarily disabled.
>
> What's a ``terminal'' to be disabled?
> ... folks are using some sort of port selector, front-end switch, Ethernet
> TAC, etc.  It's rare that any physical port can be associated with a
> login attempt.

Our work environment consists of multiple Encore Annex ethernet terminal
servers providing access to any host from any terminal in the building, so I
understand what you're saying.

I would consider all network connections from a single network host, terminal
server, or data switch as a single "terminal" when disallowing logins.
Unfortunately, then someone could temporarily stop all access from a data
switch by purposefully incorrectly logging in multiple times from multiple
accounts.  Does anyone else have any better approach?

This demonstrates a significant advantage of the Annex terminal server over
all other terminal servers or data switches I've ever used, that in a
security conscious environment they can be configured to require a valid
username/password be verified by a local "security server" host before access
to the terminal server command line is given, and to approve and log all
attempts at network connections.  With these features enabled, it's easy to
identify who is attempting a breakin.


Patrick Wolfe  (pat@kai.com, kailand!pat)
System Manager, Kuck and Associates, Inc.

#include <cynical/witty.remark>
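The three lockout rules Patrick Wolfe describes above, together with his later suggestion to treat every connection from one network host or terminal server as a single "terminal", as an added Python simulation that is not part of this thread or of any VMS or /bin/login source. The class and method names, the 10-minute window that defines "in a row", and doubling the random delay on each repeat detection are assumptions; the 3/6 thresholds and the 5 to 15 minute range are taken from the post.

```python
import random
import time

class BreakinMonitor:
    """Constructed simulation of the post's three lockout rules; 'terminal' is any
    caller-chosen string (a tty, or the source host/terminal server, per the later reply)."""

    def __init__(self, per_account=3, per_terminal=6, window=600, lo=300, hi=900, rng=None):
        self.per_account, self.per_terminal, self.window = per_account, per_terminal, window
        self.lo, self.hi, self.rng = lo, hi, rng or random.Random()   # 5 to 15 minutes
        self.fail, self.locks, self.repeats = {}, {}, {}  # counts / expiries / repeat tallies

    def _lock(self, key, now):
        n = self.repeats.get(key, 0)   # each repeat of this breakin type doubles the delay
        self.locks[key] = now + self.rng.uniform(self.lo, self.hi) * 2 ** n  # random base
        self.repeats[key] = n + 1
        self.fail.pop(key, None)       # counting starts over once the lock expires

    def _locked(self, key, now):
        if now < self.locks.get(key, now):
            return True
        self.locks.pop(key, None)      # expired (or never set): clear it
        return False

    def check(self, account, terminal, now=None):
        """'silent': terminal disabled, give no response; 'refuse': account disallowed,
        act as if it does not exist; 'ok': proceed to the password prompt."""
        now = time.time() if now is None else now
        if self._locked(("term", terminal), now):
            return "silent"
        if self._locked(("acct", account), now) or self._locked(("pair", account, terminal), now):
            return "refuse"
        return "ok"

    def record_failure(self, account, terminal, now=None):
        now = time.time() if now is None else now
        for key, limit in ((("pair", account, terminal), self.per_account),
                           (("acct", account), self.per_account),
                           (("term", terminal), self.per_terminal)):
            count, last = self.fail.get(key, (0, now))
            count = count + 1 if now - last <= self.window else 1  # "in a row" = within window
            self.fail[key] = (count, now)
            if count >= limit:
                self._lock(key, now)   # a real login would also log the breakin attempt here

    def record_success(self, account, terminal):
        for key in (("pair", account, terminal), ("acct", account), ("term", terminal)):
            self.fail.pop(key, None)
```

Because the delay is random within the configured range, the caller can only rely on the lock lasting at least `lo` and at most `hi` seconds (times the repeat multiplier), which is the point of the randomness.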