[unisog] Anyone have a citation for an academic research study

Clark Gaylord cgaylord at vt.edu
Thu May 10 04:33:33 GMT 2007


Reg Quinton wrote:
>> All lockout methods become a dos. If you just enforce pacing of ssh
>> sessions, you win.
>>     
>
> We authenticate against an active directory where the policy is 15 failed 
> logins followed by a 5 min lock out. This works well enough -- locking a 
> person out forever would be a DOS, locking them out for 5 minutes is not.
>   

You are correct, Reg -- it is possible to have a reasonable lockout 
policy. Actually we do something quite similar. You can still see the 
five minute lockout as a DOS (after all, a concerted effort can keep the 
account locking), but this approach mitigates the potential 
substantially. Similarly, ssh pacing can become a DOS, as a concerted 
blast will prevent legitimate connections.

On Karyn's question about at what rate ssh sessions should be paced: 
it depends on the host. If it is your personal workstation that you 
occasionally log into from home, more than three ssh sessions/minute 
would be abnormal. OTOH, a shared ssh bastion host might have twenty or 
thirty logins/minute regularly.

--ckg
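As an added illustration (not code from Clark's or Reg's messages): a small Python model of the two controls discussed in the thread, the 15-failure / 5-minute lockout and a per-host ssh pacing limit, run over constructed auth events. The 40/min bastion cap is an assumed value; the thread only gives 20-30/min as routine.

```python
from collections import defaultdict, deque

# Per-host pacing limits from the thread: >3 sessions/min is abnormal on a
# personal workstation; a shared bastion sees 20-30/min (40 is an assumed cap).
PACING_LIMIT = {"workstation": 3, "bastion": 40}

def simulate_lockout(events, max_failures=15, lock_seconds=300):
    """events: (t_seconds, account, succeeded) tuples in time order.
    Models the quoted AD policy: max_failures failures lock the account for
    lock_seconds. Attempts during the lock are rejected and not counted, so a
    persistent attacker can only re-lock the account after each lock expires.
    Returns the lockouts as (account, lock_start, lock_end)."""
    fails, locked_until, locks = defaultdict(int), {}, []
    for t, acct, ok in events:
        if t < locked_until.get(acct, -1):
            continue                 # rejected while locked; counter untouched
        if ok:
            fails[acct] = 0          # a good login clears the counter
            continue
        fails[acct] += 1
        if fails[acct] >= max_failures:
            locked_until[acct] = t + lock_seconds
            locks.append((acct, t, t + lock_seconds))
            fails[acct] = 0
    return locks

def pace_violations(session_times, host_type, window=60):
    """session_times: sorted connection timestamps (seconds) for one host.
    Sliding-window check: returns the timestamps at which a new session
    pushes the host over its per-minute limit, i.e. where a pacing rule would
    start refusing and where the rate is worth an alert."""
    limit, recent, flagged = PACING_LIMIT[host_type], deque(), []
    for t in session_times:
        recent.append(t)
        while recent[0] <= t - window:
            recent.popleft()         # drop sessions older than the window
        if len(recent) > limit:
            flagged.append(t)
    return flagged

def demo():
    """Constructed events: alice fails 14 times then logs in; bob is hammered."""
    events = [(t, "alice", False) for t in range(14)] + [(14, "alice", True)]
    events += [(t, "bob", False) for t in range(15)]        # 15 fails -> lock
    events += [(100, "bob", False)]                         # ignored: still locked
    events += [(t, "bob", False) for t in range(320, 335)]  # re-locked after expiry
    bursts = [0, 10, 20, 30, 70]   # five ssh sessions in 70 s on one host
    return (simulate_lockout(sorted(events)),
            pace_violations(bursts, "workstation"), pace_violations(bursts, "bastion"))
```

The demo shows the point both posters make: bob's account is re-locked as soon as the first 5-minute lock expires, which is a nuisance rather than a permanent denial, and the same five-session burst is abnormal on a workstation but invisible on a bastion.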