Koozali.org: home of the SME Server

Obsolete Releases => SME Server 7.x => Topic started by: andy_wismer on April 06, 2006, 02:20:50 PM

Title: Security Lockout
Post by: andy_wismer on April 06, 2006, 02:20:50 PM
Hello

A lot of systems provide for an account lock-out after a certain amount of failed tries. Say after 3 log-in attempts with the wrong password, the account would be locked out for 30 Minutes. The error message to the user should NOT indicate a lock-out, only saying User / Password not valid.

This would help greatly to block so-called brute force attacks - an attacker would have no info that he has already tried the right user / password, only during the lock-out time...

Such a feature is standard on a lot of OS, like Windows, Novell Netware, SuSE Linux.

It would help for example those who need:

- The added security
- Opening up User-Manager (And also Server-manager) with 0.0.0.0

Ideally, this ought to include an option for "Tries" and "Lock-Out Period" or even only Admin relief of lock-out, all this as an option somewhere in Server-Manager.

Otherwise, a simple perl script used by an attacker as a brute force could be successful.

A question, and my two cents...

Thanx

Andy Wismer
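The lock-out behaviour described in the post (N failed tries, a fixed lock-out period, one generic error message whether the password is wrong or the account is locked, and an admin unlock) as an added, self-contained Python example. This is not SME Server code and not the poster's; it assumes a hypothetical in-memory account store and a constructed user table with plaintext passwords purely for the demonstration (a real system would store salted hashes and persist the lock state).

```python
import hmac
import time
from dataclasses import dataclass

MAX_TRIES = 3                 # failed attempts before lock-out
LOCKOUT_SECONDS = 30 * 60     # 30 minutes, as in the post

# Constructed demo credential store (plaintext only for this example).
USERS = {"alice": "correct-horse", "bob": "battery-staple"}

# One message for every failure case so the response never reveals
# whether the account exists or is currently locked.
GENERIC_ERROR = "User / Password not valid"


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0   # epoch seconds; 0.0 means not locked


def _password_ok(user, password):
    # Compare against a dummy for unknown users so the work done is the same
    # either way; hmac.compare_digest avoids early-exit timing differences.
    expected = USERS.get(user, "")
    match = hmac.compare_digest(expected.encode(), password.encode())
    return match and user in USERS


class LockoutPolicy:
    def __init__(self, max_tries=MAX_TRIES, lockout_seconds=LOCKOUT_SECONDS,
                 clock=time.time):
        self.max_tries = max_tries
        self.lockout_seconds = lockout_seconds
        self.clock = clock            # injectable for tests
        self._state = {}              # hypothetical in-memory store
        self.audit = []               # events an admin can review

    def _get(self, user):
        return self._state.setdefault(user, AccountState())

    def is_locked(self, user):
        return self.clock() < self._get(user).locked_until

    def login(self, user, password):
        """Return (ok, message). Failures and lock-outs are indistinguishable."""
        st = self._get(user)
        now = self.clock()
        if now < st.locked_until:
            # Locked: even a correct password is rejected, same generic message.
            self.audit.append(("rejected_locked", user, now))
            return False, GENERIC_ERROR
        if st.locked_until:
            # Lock-out period has expired: start counting afresh.
            st.failures = 0
            st.locked_until = 0.0
        if _password_ok(user, password):
            st.failures = 0
            self.audit.append(("login_ok", user, now))
            return True, "ok"
        st.failures += 1
        self.audit.append(("login_failed", user, now))
        if st.failures >= self.max_tries:
            st.locked_until = now + self.lockout_seconds
            self.audit.append(("locked", user, now))
        return False, GENERIC_ERROR

    def admin_unlock(self, user):
        """Admin relief: clear the lock and the failure counter immediately."""
        st = self._get(user)
        st.failures = 0
        st.locked_until = 0.0
        self.audit.append(("admin_unlock", user, self.clock()))
        return True


if __name__ == "__main__":
    p = LockoutPolicy()
    for attempt in ("bad1", "bad2", "bad3", "correct-horse"):
        print(attempt, "->", p.login("alice", attempt))
    print("locked:", p.is_locked("alice"))
    p.admin_unlock("alice")
    print("after unlock ->", p.login("alice", "correct-horse"))
```

The audit list is where the lock-out actually becomes visible: the user sees only the generic message, while the administrator can see which accounts were locked and when, which is the information needed to spot a password-guessing run against the server-manager.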