[unisog] Anyone have a citation for an academic research study
cgaylord at vt.edu
Thu May 10 04:33:33 GMT 2007
Reg Quinton wrote:
>> All lockout methods become a dos. If you just enforce pacing of ssh
>> sessions, you win.
> We authenticate against an active directory where the policy is 15 failed
> logins followed by a 5 min lock out. This works well enough -- locking a
> person out forever would be a DOS, locking them out for 5 minutes is not.
You are correct, Reg -- it is possible to have a reasonable lockout
policy. Actually we do something quite similar. You can still see the
five minute lockout as a DOS (after all, a concerted effort can keep the
account locking), but this approach mitigates the potential
substantially. Similarly, ssh pacing can become a DOS, as a concerted
blast will prevent legitimate connections.
On Karyn's question about the rate at which ssh sessions should be paced:
it depends on the host. If it is your personal workstation that you
occasionally log into from home, more than three ssh sessions/minute
would be abnormal. OTOH, a shared ssh bastion host might have twenty or
thirty logins/minute regularly.
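The two controls discussed in this thread, a time-bounded account lockout (15 failures, then a 5 minute lock that expires on its own) and per-host pacing of ssh session starts, modelled as a small Python example. This is an added illustration, not code from the original post or from any product; the class names, the host profiles, the sample user name and source address are all constructed for the example.

```python
"""
Added example (not from the original list post): a model of a temporary
account lockout and of per-host ssh session pacing with a sliding window.
All thresholds, names and sample inputs are constructed here.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class AccountLockout:
    """Lock an account after `max_failures` failed logins for `lock_seconds`.

    The lock is time-bounded, so a sustained run of bad logins delays the
    legitimate user for the lock period rather than locking them out forever.
    """
    max_failures: int = 15
    lock_seconds: int = 300            # 5 minutes, as in the thread
    _failures: dict = field(default_factory=lambda: defaultdict(int))
    _locked_until: dict = field(default_factory=dict)

    def is_locked(self, user: str, now: float) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # lock expired: clear it and reset the failure counter
            del self._locked_until[user]
            self._failures[user] = 0
            return False
        return True

    def record_failure(self, user: str, now: float) -> bool:
        """Return True if the account is locked after this failure."""
        if self.is_locked(user, now):
            return True
        self._failures[user] += 1
        if self._failures[user] >= self.max_failures:
            self._locked_until[user] = now + self.lock_seconds
            return True
        return False

    def record_success(self, user: str) -> None:
        self._failures[user] = 0


class SshPacer:
    """Sliding-window limit on ssh session starts per source address."""

    def __init__(self, max_per_window: int, window_seconds: int = 60):
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        self._starts = defaultdict(deque)   # src -> timestamps of admitted starts

    def allow(self, src: str, now: float) -> bool:
        q = self._starts[src]
        # drop timestamps that have fallen out of the window
        while q and now - q[0] >= self.window_seconds:
            q.popleft()
        if len(q) >= self.max_per_window:
            return False
        q.append(now)
        return True


# Host profiles from the thread: a personal workstation vs a shared bastion.
WORKSTATION_RATE = 3   # more than three sessions/minute is abnormal
BASTION_RATE = 30      # twenty or thirty logins/minute is routine


def simulate_lockout(failures: int, t0: float = 0.0):
    """Feed `failures` bad logins one second apart; return whether the account
    is locked at the last failure and whether it is still locked 5 min later."""
    lock = AccountLockout()
    for i in range(failures):
        lock.record_failure("alice", t0 + i)          # constructed user name
    last = t0 + failures - 1
    return (lock.is_locked("alice", last),
            lock.is_locked("alice", last + lock.lock_seconds))


def simulate_pacing(rate: int, attempts: int, spacing: float = 1.0) -> int:
    """Start `attempts` sessions from one source `spacing` seconds apart and
    return how many the pacer admitted."""
    pacer = SshPacer(rate)
    src = "203.0.113.7"                                 # constructed address
    return sum(pacer.allow(src, i * spacing) for i in range(attempts))


if __name__ == "__main__":
    print("15 failures:", simulate_lockout(15))     # locked now, free after 5 min
    print("14 failures:", simulate_lockout(14))     # never locked
    print("workstation, 10 in 10 s:", simulate_pacing(WORKSTATION_RATE, 10))
    print("bastion, 10 in 10 s:", simulate_pacing(BASTION_RATE, 10))
    print("workstation, 10 at 30 s spacing:", simulate_pacing(WORKSTATION_RATE, 10, 30.0))
```

The last run shows why the window slides rather than resets: ten logins spaced thirty seconds apart never exceed three per minute, so a real user is not blocked, while ten in ten seconds from one source stop at three on the workstation profile and pass on the bastion profile.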