[Date Prev][Date Next]
Re: Password policy: possible DoS scenario
On Tuesday, 1 March 2011 07:23:41 Konstantin Boyandin wrote:
> Thanks to everyone having answered me earlier, I've managed to set up
> password policy on the OpenLDAP provided in CentOS 5.5 repositories
> (current version 2.3.43).
> The setup: we have password policy enabled for users accounts in our
> intranet. After 5 unsuccessful attempts the account is blocked for short
> duration (30 seconds).
> Does that mean that anyone now can keep all the accounts blocked most of
> the time?
Well, you do the maths.
But, surely you have enough monitoring in place that you would be able to
notice a high rate of unsuccessful binds, so that the duration of "most of the
time" would not be very long.
> Am I right that if anyone enters someone else' incorrect
> password 5 times (in the given case), they will block the target account
> (regardless of what IP address the attacker was connecting from)?
Yes. But, where is the line between a DoS and an attempt to break into an
In either case, if this *is* only in your intranet, behaviour like this would
> Narrower question: do password policy module developers plan to take
> into account what IPs are used to connect (thus, blocking only access
> from specific IPs)?
Maybe you should provide a specific use case, besides "my users violate my