OSEC

Re: Account Lockouts

Valdis.Kletnieksvt.edu
Date: Mon Dec 06 2004 - 11:16:50 CST


On Fri, 03 Dec 2004 17:19:44 EST, "David A. Wheeler" said:

> * Don't lock out if the user logs in using the console
> and/or trusted IP addresses and/or "last IP address"
> Obviously, this opens you up to password guessing attacks
> if an attacker is in those IP address ranges, and a
> good attacker can spoof an IP address too

Note that spoofing an IP address for a TCP connection *should* be
quite difficult if the server properly implements RFC1948:

1948 Defending Against Sequence Number Attacks. S. Bellovin. May 1996.
     (Format: TXT=13074 bytes) (Status: INFORMATIONAL)
http://www.ietf.org/rfc/rfc1948.txt

However, many vendors don't seem to get this as right as you'd expect,
as Michal Zalewski discovered:

http://alon.wox.org/tcpseq.html

And a year later, things hadn't universally improved:

http://lcamtuf.coredump.cx/newtcp/

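The reason the reply leans on RFC 1948 is that spoofing a TCP connection from a "trusted" address requires the attacker to guess the initial sequence number the server picks, and RFC 1948 binds that number to the connection's 4-tuple through a secret. The following Python is an added illustration of the scheme described in the RFC (ISN = M + F(localhost, localport, remotehost, remoteport, secret), with M a 4-microsecond counter and F a hash such as MD5); it is not code from this mailing-list post, from the RFC, or from any operating system. The byte encoding fed to MD5, the secret, the timestamps and the addresses (RFC 5737 documentation ranges) are all constructed for the example, and the "counter-only" generator is a deliberately simplified stand-in for the older behaviour, not a reproduction of any specific stack.

```python
import hashlib
import struct

ISN_MOD = 1 << 32           # TCP sequence numbers are 32-bit
TICK_US = 4                 # RFC 1948 keeps M as a counter stepped every 4 microseconds


def connection_offset(secret: bytes, local_ip: str, local_port: int,
                      remote_ip: str, remote_port: int) -> int:
    """F(localhost, localport, remotehost, remoteport, secret) from RFC 1948.

    The RFC suggests MD5 over the 4-tuple plus a secret and uses 32 bits of
    the result. The "|"-joined encoding here is an assumption for the demo;
    the RFC does not fix a byte layout. The secret never appears on the wire.
    """
    material = b"|".join([
        secret,
        local_ip.encode(), str(local_port).encode(),
        remote_ip.encode(), str(remote_port).encode(),
    ])
    digest = hashlib.md5(material).digest()
    return struct.unpack(">I", digest[:4])[0]


def rfc1948_isn(secret: bytes, clock_us: int, local_ip: str, local_port: int,
                remote_ip: str, remote_port: int) -> int:
    """ISN = M + F(...): the shared clock plus a per-connection secret offset."""
    m = (clock_us // TICK_US) % ISN_MOD
    return (m + connection_offset(secret, local_ip, local_port,
                                  remote_ip, remote_port)) % ISN_MOD


def counter_only_isn(clock_us: int) -> int:
    """Constructed baseline: ISN taken straight from one shared counter.

    Simplified stand-in for pre-RFC-1948 behaviour, where every connection
    drew from the same counter, so an ISN seen on a legitimate connection
    was enough to extrapolate the ISN of a later one from elapsed time.
    """
    return (clock_us // TICK_US) % ISN_MOD


def isn_gap(isn_later: int, isn_earlier: int) -> int:
    """Modular distance between two ISNs."""
    return (isn_later - isn_earlier) % ISN_MOD


def demo() -> dict:
    secret = b"constructed-demo-secret-not-a-real-key"
    server = ("192.0.2.10", 22)              # constructed, RFC 5737 range
    probe_client = ("198.51.100.7", 40001)   # a host that legitimately connects
    trusted_client = ("203.0.113.5", 40002)  # the "trusted IP" from the thread
    t0, t1 = 1_000_000, 1_004_000            # 4000 us apart -> 1000 ticks

    # Counter-only scheme: the gap between two connections is just elapsed time.
    gap_counter = isn_gap(counter_only_isn(t1), counter_only_isn(t0))

    # RFC 1948 scheme, same two connections and times.
    isn_probe = rfc1948_isn(secret, t0, *server, *probe_client)
    isn_trusted = rfc1948_isn(secret, t1, *server, *trusted_client)
    gap_1948 = isn_gap(isn_trusted, isn_probe)

    # The gap now also contains F(trusted) - F(probe), a term that depends on
    # the secret, so the probe connection no longer reveals the trusted one's ISN.
    secret_term = isn_gap(connection_offset(secret, *server, *trusted_client),
                          connection_offset(secret, *server, *probe_client))
    return {"gap_counter": gap_counter, "gap_1948": gap_1948,
            "secret_term": secret_term}


if __name__ == "__main__":
    print(demo())
```

Two properties worth noticing when running it: for the same 4-tuple and the same secret the ISN still advances linearly with the clock, which the RFC accepts on purpose (it preserves the ordering guarantees sequence numbers exist for, including across TIME_WAIT reuse), and the per-tuple offset is only as good as the hash and the secret behind it, which is exactly where the implementation quality Zalewski measured comes in. RFC 1948 has since been obsoleted by RFC 6528, which keeps the same construction.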