Bogus "account hacked" message
Grant Taylor
cctalk at gtaylor.tnetconsulting.net
Tue Jan 8 21:47:25 CST 2019
On 1/8/19 8:39 PM, Fred Cisin via cctalk wrote:
> 3 failures is not enough for some legitimate human failings.
There's a high chance for false positives there.
> I occasionally will forget a password, and make 4 or 5 tries; and then,
> a few days later, remember it.
I wonder if it's three password attempts (likely in a single connection)
or three failed connections.
I could see how three failed connections would suffice, as that would be
nine password attempts.
> So, I MUCH prefer the concept of a logarithmically increasing lockout,
> starting small. Maybe as little as a millisecond, to permit a REASONABLE
> number of "maybe it was...", but thoroughly block brute force and
> dictionary/list attempts.
I created a fancy IPTables rule set that used the recent match extension
to dynamically (in kernel, without any files on the drive) produce a
back-off period. I don't remember the exact count of things, or the timings.
But I do recall that it was something like 5 minutes, 30 minutes, 1
hour, 1 day, 1 week, 1 month, 1 year. I don't think I had permanent.
(Maybe I did. It's been 15+ years.)
--
Grant. . . .
unix || die