Path: utzoo!utgpu!watmath!clyde!att!rutgers!deimos!uxc!uxc.cso.uiuc.edu!uxg.cso.uiuc.edu!uicsrd.csrd.uiuc.edu!kai
From: kai@uicsrd.csrd.uiuc.edu
Newsgroups: comp.unix.wizards
Subject: Re: /etc/failures
Message-ID: <43200055@uicsrd.csrd.uiuc.edu>
Date: 2 Dec 88 12:46:00 GMT
References: <407@uwslh.UUCP>
Lines: 35
Nf-ID: #R:uwslh.UUCP:407:uicsrd.csrd.uiuc.edu:43200055:000:1717
Nf-From: uicsrd.csrd.uiuc.edu!kai Dec 2 06:46:00 1988

> disabling accounts ... allows an intruder to deny service to authorized
> users by spoofing them enough times.

I used to manage a VAX VMS system, which had a better variation of this
idea. Maybe some capable wizard could add this to /bin/login.

1) If a login of a single account name at a single terminal fails 3 times
   in a row within a short period of time, that account is temporarily
   disallowed from logging in on that terminal.

2) If a login of a single account at multiple terminals fails 3 times in
   a row, the account is temporarily disallowed from logging in at any
   terminal.

3) If logins of any accounts at a single terminal fail 6 times in a row,
   that terminal is temporarily disabled.

The effect of a temporarily disallowed account is simply that attempts to
login with it are refused, as though the account doesn't exist. The effect
of a disabled terminal is that it provides no response at all.

The number of times a login fails before a "breakin attempt" is logged and
action is taken is configurable, and is usually 3. The length of time that
the terminal/account is disabled is some period between 5 and 15 minutes
(the range is configurable). There is some randomness involved in choosing
the exact time, to help thwart automated login/password guessers. The time
gets longer each consecutive time a particular type of breakin is detected.

The system keeps a list of "breakin attempts" for which action is currently
being taken, and logs and/or broadcasts appropriate messages, allowing a
system or security administrator to quickly take action and/or re-enable
the account/terminal if desired.

Patrick Wolfe (pat@kai.com, kailand!pat)
System Manager, Kuck and Associates, Inc.
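
The three rules and the randomized, growing lockout period described in the post above, sketched as an added example; it is not part of the original post and is neither VMS nor /bin/login code. The class name LoginGuard, the 120-second "short period", linear growth of the lockout on repeats, and telling rule 1 from rule 2 by whether the three failures share one terminal are all assumptions.

```python
import random
class LoginGuard:
    """Consecutive-failure tracking for the three rules in the post (hypothetical name)."""
    def __init__(self, acct_limit=3, term_limit=6, window=120,
                 lock_min=300, lock_max=900, rng=None):
        self.acct_limit, self.term_limit, self.window = acct_limit, term_limit, window
        self.lock_min, self.lock_max = lock_min, lock_max
        self.rng = rng or random.SystemRandom()
        self.streak = {}   # ("acct", a) / ("term", t) -> [(time, terminal), ...]
        self.locked = {}   # lock key -> time the lock expires
        self.strikes = {}  # lock key -> times this key has been locked so far
        self.events = []   # "breakin attempt" log for the administrator

    def allowed(self, account, terminal, now):  # call before checking the password
        keys = (("term", terminal), ("acct", account), ("pair", account, terminal))
        return all(self.locked.get(k, 0) <= now for k in keys)

    def _lock(self, key, now):
        n = self.strikes[key] = self.strikes.get(key, 0) + 1
        # Random base inside the configured range; linear growth per repeat is assumed.
        self.locked[key] = now + n * self.rng.uniform(self.lock_min, self.lock_max)
        self.events.append((now, key, n))

    def _fail(self, key, terminal, now):
        recent = [f for f in self.streak.get(key, []) if now - f[0] <= self.window]
        self.streak[key] = recent + [(now, terminal)]
        return self.streak[key]

    def record(self, account, terminal, success, now):
        if success:  # "in a row": a success ends both streaks
            self.streak.pop(("acct", account), None)
            self.streak.pop(("term", terminal), None)
            return
        by_acct = self._fail(("acct", account), terminal, now)
        if len(by_acct) >= self.acct_limit:
            one_tty = len({t for _, t in by_acct}) == 1
            # Rule 1: all on one terminal -> lock the pair. Rule 2: lock the account.
            self._lock(("pair", account, terminal) if one_tty else ("acct", account), now)
            del self.streak[("acct", account)]
        by_term = self._fail(("term", terminal), terminal, now)
        if len(by_term) >= self.term_limit:  # Rule 3: any accounts, one terminal
            self._lock(("term", terminal), now)
            del self.streak[("term", terminal)]

def demo():  # constructed input: "root" guessed once on each of three terminals
    guard = LoginGuard(rng=random.Random(1))
    for i, tty in enumerate(("tty1", "tty2", "tty3")):
        guard.record("root", tty, False, now=i * 10)
    return guard.allowed("root", "tty9", 30), guard.allowed("guest", "tty1", 30)
```

A caller that gets False from allowed() refuses the attempt without checking the password, and an administrator can re-enable an entry early by deleting its key from locked.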