Path: utzoo!utgpu!watmath!clyde!att!rutgers!deimos!uxc!uxc.cso.uiuc.edu!uxg.cso.uiuc.edu!uicsrd.csrd.uiuc.edu!kai
From: kai@uicsrd.csrd.uiuc.edu
Newsgroups: comp.unix.wizards
Subject: Re: /etc/failures
Message-ID: <43200055@uicsrd.csrd.uiuc.edu>
Date: 2 Dec 88 12:46:00 GMT
References: <407@uwslh.UUCP>
Lines: 35
Nf-ID: #R:uwslh.UUCP:407:uicsrd.csrd.uiuc.edu:43200055:000:1717
Nf-From: uicsrd.csrd.uiuc.edu!kai    Dec  2 06:46:00 1988


> disabling accounts ... allows an intruder to deny service to authorized
> users by spoofing them enough times.

I used to manage a VAX VMS system, which had a better variation of this
idea.  Maybe some capable wizard could add this to /bin/login.

1)  If a login of a single account name at a single terminal fails 3 times in
a row within a short period of time, that account is temporarily disallowed
from logging in on that terminal.

2)  If a login of a single account at multiple terminals fails 3 times in a
row, the account is temporarily disallowed from logging in at any terminal.

3)  If logins of any accounts at a single terminal fail 6 times in a row,
that terminal is temporarily disabled.

The effect of a temporarily disallowed account is simply that attempts to
log in with it are refused, as though the account doesn't exist.  The effect
of a disabled terminal is that it provides no response at all.

The number of times a login fails before a "breakin attempt" is logged and
action is taken is configurable, and is usually 3.  The length of time that
the terminal/account is disabled is some period between 5 and 15 minutes (the
range is configurable).  There is some randomness involved in choosing the
exact time, to help thwart automated login/password guessers.  The time gets
longer each consecutive time a particular type of breakin is detected.

The system keeps a list of "breakin attempts" for which action is currently
being taken, and logs and/or broadcasts appropriate messages, allowing a
system or security administrator to quickly take action and/or re-enable the
account/terminal if desired.

	Patrick Wolfe  (pat@kai.com, kailand!pat)
	System Manager, Kuck and Associates, Inc.
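
The three rules and the randomized, growing lockout time described in the post above, as an added example in Python (not code from the post, from VMS, or from any /bin/login). The class and method names, the 300-second failure window applied to every rule, the reading of rule 2 as failures spread over more than one terminal, and the linear growth of the lockout time are assumptions.

```python
import random

class LoginThrottle:
    """Temporary lockouts per (account, terminal), per account, per terminal."""

    def __init__(self, limit=3, term_limit=6, window=300,
                 min_lock=300, max_lock=900, rng=None):
        self.limit, self.term_limit, self.window = limit, term_limit, window
        self.min_lock, self.max_lock = min_lock, max_lock   # 5 to 15 minutes
        self.rng = rng or random.SystemRandom()
        self.fails = {}    # scope -> [(time, terminal)] of consecutive failures
        self.until = {}    # scope -> time at which the lockout expires
        self.strikes = {}  # scope -> number of lockouts so far (never decays here)

    @staticmethod
    def _scopes(account, terminal):
        return [("pair", account, terminal), ("account", account),
                ("terminal", terminal)]

    def blocked(self, account, terminal, now):
        """Check before verifying the password; refuse if any scope is locked."""
        return any(self.until.get(s, 0) > now
                   for s in self._scopes(account, terminal))

    def success(self, account, terminal):
        """A good login ends every 'in a row' run it is part of."""
        for s in self._scopes(account, terminal):
            self.fails.pop(s, None)

    def failure(self, account, terminal, now):
        """Record a failed login and return the scopes locked as a result."""
        locked = []
        for s in self._scopes(account, terminal):
            run = [f for f in self.fails.get(s, []) if now - f[0] <= self.window]
            run.append((now, terminal))
            self.fails[s] = run
            terminals = {t for _, t in run}
            hit = {"pair": len(run) >= self.limit,
                   "account": len(run) >= self.limit and len(terminals) > 1,
                   "terminal": len(run) >= self.term_limit}[s[0]]
            if hit:
                n = self.strikes[s] = self.strikes.get(s, 0) + 1
                # Random base duration, multiplied by the repeat count.
                base = self.rng.uniform(self.min_lock, self.max_lock)
                self.until[s] = now + base * n
                self.fails[s] = []
                locked.append(s)   # the caller logs or broadcasts these
        return locked
```

Because a pair lockout (rule 1) covers only one terminal, an attacker hammering one account from one terminal does not lock the legitimate user out elsewhere, which is the denial-of-service concern quoted at the top of the post.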