[unisog] Anyone have a citation for an academic research study

Clark Gaylord cgaylord at vt.edu
Thu May 10 04:33:33 GMT 2007

Reg Quinton wrote:
>> All lockout methods become a dos. If you just enforce pacing of ssh
>> sessions, you win.
> We authenticate against an active directory where the policy is 15 failed 
> logins followed by a 5 min lock out. This works well enough -- locking a 
> person out forever would be a DOS, locking them out for 5 minutes is not.

You are correct, Reg -- it is possible to have a reasonable lockout 
policy. Actually we do something quite similar. You can still see the 
five minute lockout as a DOS (after all, a concerted effort can keep the 
account locking), but this approach mitigates the potential 
substantially. Similarly, ssh pacing can become a DOS, as a concerted 
blast will prevent legitimate connections.

On Karyn's question about at what rate should ssh sessions be paced: 
depends on the host. If it is your personal workstation that you 
occasionally log into from home, more than three ssh sessions/minute 
would be abnormal. OTOH, a shared ssh bastion host might have twenty or 
thirty logins/minute regularly.

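An added example, not code from the unisog thread or from either poster, that models the two controls discussed above: a bounded account lockout (15 failures, then a 5-minute lock that clears itself, so a flood of bad passwords costs the real user minutes rather than a permanent lock) and per-host ssh session pacing with a ceiling chosen per host role (3/min for a personal workstation, 30/min for a shared bastion). The sshd-style log format, host names, users and addresses are constructed assumptions; the 5-minute failure-counting window is also an assumption, since the thread only gives the threshold and the lock duration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed syslog-style sshd lines: "<iso-ts> <host> sshd[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$"
)
FAIL_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPT_RE = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")


class BoundedLockout:
    """Lock an account after max_failures failures inside `window`; the lock
    lasts `lock_for` and then expires on its own, resetting the counter."""

    def __init__(self, max_failures=15, window=timedelta(minutes=5),
                 lock_for=timedelta(minutes=5)):
        self.max_failures = max_failures
        self.window = window
        self.lock_for = lock_for
        self.failures = defaultdict(deque)   # user -> timestamps of recent failures
        self.locked_until = {}               # user -> datetime the lock expires

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now < until:
            return True
        # Lock has expired: clear it and the failure history (bounded, not forever).
        del self.locked_until[user]
        self.failures[user].clear()
        return False

    def record_failure(self, user, now):
        """Return True only when this failure newly trips the lock."""
        if self.is_locked(user, now):
            return False
        q = self.failures[user]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()                      # drop failures older than the window
        if len(q) >= self.max_failures:
            self.locked_until[user] = now + self.lock_for
            return True
        return False


class SessionPacer:
    """Count ssh sessions per host over a sliding one-minute window and compare
    against a per-host ceiling; the ceiling depends on the host's role."""

    def __init__(self, limits, default_limit=3):
        self.limits = limits                 # host -> sessions per minute
        self.default_limit = default_limit   # workstation-style default
        self.sessions = defaultdict(deque)

    def record_session(self, host, now):
        """Return True if this session pushes the host over its ceiling."""
        q = self.sessions[host]
        q.append(now)
        while q and now - q[0] >= timedelta(minutes=1):
            q.popleft()
        return len(q) > self.limits.get(host, self.default_limit)


def replay(log_text, lockout, pacer):
    """Replay log lines through both policies in order; return alerts raised."""
    alerts = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        now = datetime.fromisoformat(m["ts"])
        host, msg = m["host"], m["msg"]
        fail = FAIL_RE.match(msg)
        acc = ACCEPT_RE.match(msg)
        if fail and lockout.record_failure(fail["user"], now):
            until = lockout.locked_until[fail["user"]]
            alerts.append(f"{m['ts']} {host}: account {fail['user']} locked until {until:%H:%M:%S}")
        elif acc and pacer.record_session(host, now):
            alerts.append(f"{m['ts']} {host}: session rate above ceiling")
    return alerts


def build_sample_log():
    """Constructed sample: 15 bad passwords for alice on ws01 within 30 s,
    then 31 accepted sessions on bastion01 inside one minute."""
    t0 = datetime(2007, 5, 10, 4, 0, 0)
    lines = [f"{(t0 + timedelta(seconds=2 * i)).isoformat()} ws01 sshd[{1000 + i}]: "
             f"Failed password for alice from 10.0.0.5 port 51000 ssh2" for i in range(15)]
    lines += [f"{(t0 + timedelta(seconds=60 + i)).isoformat()} bastion01 sshd[{2000 + i}]: "
              f"Accepted publickey for bob from 10.0.0.{10 + i % 10} port 4200 ssh2" for i in range(31)]
    return "\n".join(lines)


if __name__ == "__main__":
    pacer = SessionPacer({"ws01": 3, "bastion01": 30})
    for alert in replay(build_sample_log(), BoundedLockout(), pacer):
        print(alert)
```

Run as-is it prints two alerts: alice locked at 04:00:28 until 04:05:28, and the bastion crossing 30 sessions/minute at 04:01:30. The lock expiry in `is_locked` is what keeps the control from becoming the permanent lockout the thread calls a DoS; the per-host `limits` map is the "depends on the host" part of the pacing question.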