jfh@rpp386.cactus.org (John F Haugh II) (04/26/91)
In article <1991Apr25.000323.7702@mp.cs.niu.edu> bennett@mp.cs.niu.edu (Scott Bennett) writes:
>     Of course. One cannot, it would seem, have it both ways. Therefore,
>one must choose the lesser of the evils. In our shop, we have taken the
>view that denial is better than unauthorized access because denial of
>access leaves everything intact, whereas that cannot be guaranteed in
>the case of unauthorized access.

One can have it both ways - define accounts that may only be accessed from
secure ports, but which have no login failure limit. These accounts can't be
attacked from outside the system since even knowing the privileged password
won't yield a login, though being logged in and trying "su" might. Denial of
service is no longer an issue for those accounts, and the hacker now needs
access to some "secure" port, which presumably we are able to protect, just
as we protect our disks and tapes and CPU cabinets.

There are ways to defang the denial of service boogey man - timeouts on
restrictions, changing the restriction to being based on the port that is
being attacked, slowing down the login process so that it still works but
just takes longer, etc. The notion behind this scam is that we want to deny
the hacker an unlimited number of trials at the authentication process. Any
way you do this is fair, outright login denial is just the lazy way out.
-- 
John F. Haugh II        | Distribution to       | UUCP:   ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 255-8251 | GEnie PROHIBITED :-)  | Domain: jfh@rpp386.cactus.org
"If liberals interpreted the 2nd Amendment the same way they interpret the
rest of the Constitution, gun ownership would be mandatory."
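The policy the post sketches, as an added example that is not John Haugh's code: accounts flagged secure-port-only are accepted only from an assumed set of protected ports and never locked out, while every other account gets a failure counter per (account, port) that expires after a timeout and a growing delay instead of an immediate denial. Port names, limits and the plaintext password store are constructed for illustration.

```python
import hmac
from dataclasses import dataclass

SECURE_PORTS = {"console", "tty01"}  # assumed physically protected ports
MAX_FAILURES = 5                     # per (account, port) before denial
LOCK_SECONDS = 600                   # a port restriction times out after this
BASE_DELAY = 2.0                     # seconds; doubled on each further failure
@dataclass
class Account:
    name: str
    password: str
    secure_port_only: bool = False   # no failure limit, but only from SECURE_PORTS

@dataclass
class Decision:
    allowed: bool
    delay: float    # seconds the login program should sleep before answering
    reason: str

def _match(given: str, expected: str) -> bool:
    # constant-time compare; a real system would compare password hashes
    return hmac.compare_digest(given.encode(), expected.encode())
class LoginPolicy:
    def __init__(self, accounts):
        self.accounts = {a.name: a for a in accounts}
        self.failures = {}  # (account, port) -> (count, time of last failure)

    def attempt(self, name: str, port: str, password: str, now: float) -> Decision:
        acct = self.accounts.get(name)
        if acct is None:
            return Decision(False, BASE_DELAY, "no such account")
        if acct.secure_port_only:
            if port not in SECURE_PORTS:
                # nothing to attack from outside: the right password still fails
                return Decision(False, 0.0, "account restricted to secure ports")
            ok = _match(password, acct.password)
            return Decision(ok, 0.0, "ok" if ok else "bad password, no lockout")
        key = (name, port)
        count, last = self.failures.get(key, (0, 0.0))
        if count and now - last >= LOCK_SECONDS:
            count = 0  # restriction timed out rather than sticking forever
        if count >= MAX_FAILURES:
            return Decision(False, 0.0, f"{port} denied for {name} until {last + LOCK_SECONDS:.0f}")
        if _match(password, acct.password):
            self.failures.pop(key, None)
            return Decision(True, 0.0, "ok")
        count += 1
        self.failures[key] = (count, now)
        # slow the attacker down on this port only; the login still works
        return Decision(False, BASE_DELAY * 2 ** (count - 1), f"bad password {count}/{MAX_FAILURES} on {port}")
```

Note that a locked (account, port) pair does not affect the same account on another port, and a correct password on the restricted port is refused until the timeout passes.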