[unisog] limiting password/directory harvesting?

Albert Lunde Albert-Lunde at northwestern.edu
Thu Nov 4 18:02:07 GMT 2004

We are concerned about limiting the scope of username/password guessing and
directory information harvesting.

A general problem is that we've exposed a lot of diverse services on the
Internet. Unless we restrict all of them we may be leaving the backdoor open
while we barricade the front.

Some of the services that might be used to guess passwords include:

FTP, SSH, POP, SMTP AUTH, Kerberos, LDAP bind, password-protected web pages

Directory harvesting may be via LDAP, various web query pages, and e-mail
dictionary attacks.

The general measures I can think of are IP-restricting access, rate-limiting
by IP for total transactions or failures, logging failures and blacklisting
IP blocks. Or give up on passwords and give everyone client certificates.

What approaches have people found useful in practice?

     Albert Lunde         Albert-Lunde at northwestern.edu (new address)
                          Albert-Lunde at nwu.edu (old address)
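One way to implement the "rate-limiting by IP for failures" measure raised in the post, written as an added example and not part of the original message: it pools failed logins from SSH, FTP and POP logs per source address over a sliding time window, so guesses spread across several services still trip one threshold. The log lines, regexes and thresholds below are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog-style sample: one source rotates across three services,
# another fails once, a third logs in legitimately.
SAMPLE_LOG = """\
Nov  4 17:58:01 host sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 4021 ssh2
Nov  4 17:58:03 host vsftpd[2210]: FAIL LOGIN: Client "192.0.2.10"
Nov  4 17:58:05 host pop3-login: Login failed: user=<bob> rip=192.0.2.10
Nov  4 17:58:07 host sshd[1203]: Failed password for root from 192.0.2.10 port 4022 ssh2
Nov  4 17:58:40 host sshd[1205]: Failed password for invalid user test from 203.0.113.5 port 4000 ssh2
Nov  4 17:59:30 host sshd[1210]: Accepted publickey for alice from 198.51.100.7 port 5000 ssh2
Nov  4 18:20:00 host sshd[1300]: Failed password for root from 192.0.2.10 port 4100 ssh2
"""

# One failure pattern per service; each captures the client IP (formats assumed).
FAILURE_PATTERNS = {
    "ssh":  re.compile(r"sshd\[\d+\]: Failed password for .* from (\d+\.\d+\.\d+\.\d+)"),
    "ftp":  re.compile(r'vsftpd\[\d+\]: FAIL LOGIN: Client "(\d+\.\d+\.\d+\.\d+)"'),
    "pop3": re.compile(r"pop3-login: Login failed: .*rip=(\d+\.\d+\.\d+\.\d+)"),
}

def parse_failures(log_text):
    """Yield (timestamp, service, source_ip) for every failed login of any service."""
    for line in log_text.splitlines():
        for service, pat in FAILURE_PATTERNS.items():
            m = pat.search(line)
            if m:
                # Traditional syslog has no year; strptime defaults it, which is fine for ordering.
                ts = datetime.strptime(" ".join(line.split()[:3]), "%b %d %H:%M:%S")
                yield ts, service, m.group(1)
                break

def find_offenders(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return {ip: sorted services} for sources with >= threshold failures inside any window.
    Failures are pooled across services, so a guesser rotating SSH -> FTP -> POP
    does not slip under a limit that a per-service counter would enforce."""
    recent = defaultdict(deque)      # ip -> timestamps of failures still inside the window
    services = defaultdict(set)      # ip -> services that source has failed against
    offenders = {}
    for ts, service, ip in sorted(parse_failures(log_text)):
        q = recent[ip]
        q.append(ts)
        services[ip].add(service)
        while q and ts - q[0] > window:   # expire failures older than the window
            q.popleft()
        if len(q) >= threshold:
            offenders[ip] = sorted(services[ip])
    return offenders
```

The returned map is the candidate block list; the single failure from 203.0.113.5 and the successful key login never reach the threshold, while the 18:20 attempt falls outside the earlier window and is counted afresh.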

