Re: Password policy: possible DoS scenario
- To: Buchan Milne <bgmilne@staff.telkomsa.net>
- Subject: Re: Password policy: possible DoS scenario
- From: Konstantin Boyandin <temmokan@gmail.com>
- Date: Tue, 01 Mar 2011 14:01:14 +0600
- Cc: openldap-technical@openldap.org
- In-reply-to: <201103010930.01110.bgmilne@staff.telkomsa.net>
- References: <4D6C82DD.7020000@gmail.com> <201103010930.01110.bgmilne@staff.telkomsa.net>
- User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101209 Fedora/3.1.7-0.35.b3pre.fc14 Thunderbird/3.1.7
Hello Buchan,
01.03.2011 13:29, Buchan Milne writes:
> On Tuesday, 1 March 2011 07:23:41 Konstantin Boyandin wrote:
>> Hello,
>>
>> Thanks to everyone having answered me earlier, I've managed to set up
>> password policy on the OpenLDAP provided in CentOS 5.5 repositories
>> (current version 2.3.43).
>>
>> The setup: we have password policy enabled for user accounts in our
>> intranet. After 5 unsuccessful attempts the account is blocked for a short
>> duration (30 seconds).
>>
>> Does that mean that anyone now can keep all the accounts blocked most of
>> the time?
>
> Well, you do the maths.
>
> But, surely you have enough monitoring in place that you would be able to
> notice a high rate of unsuccessful binds, so that the duration of "most of the
> time" would not be very long.
While I am talking of the intranet, I feel I am in control. Logs are
monitored and if someone causes repetitive account lockouts, it's easy
to detect.
Problems can happen when there is a need to open certain services from
outside (email, for example).
>> Am I right that if anyone enters someone else's incorrect
>> password 5 times (in the given case), they will block the target account
>> (regardless of what IP address the attacker was connecting from)?
>
> Yes. But, where is the line between a DoS and an attempt to break into an
> account?
>
> In either case, if this *is* only in your intranet, behaviour like this would
> surely violate your terms of use policy ...
Of course.
>> Narrower question: do password policy module developers plan to take
>> into account what IPs are used to connect (thus, blocking only access
>> from specific IPs)?
>
> Maybe you should provide a specific use case, besides "my users violate my
> terms of use, and I can't do anything about it".
A typical use case is this. We make users change their passwords
regularly; the password policy was introduced to further urge them to use
safer credentials.
Now imagine a person's email being checked regularly from outside the
intranet. After the specified attempts the account gets locked. The only
option we have in such a case is to firewall the address that sends
wrong credentials.
If the locks were IP-bound, they would only affect those attempting
to gain access (regardless of whether those are legitimate or
unauthorized attempts).
Thanks.
Sincerely,
Konstantin
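Buchan's point about monitoring for a high rate of unsuccessful binds, and Konstantin's fallback of firewalling the address that sends wrong credentials, both depend on correlating failed binds to their source. The following is an added example (not code from the thread or from OpenLDAP): it reads slapd "stats" log lines, ties each BIND/RESULT pair to the client IP from the connection's ACCEPT line, and reports which (IP, DN) pairs alone reached the thread's 5-failure lockout threshold. The log lines, host name, IPs and DN are constructed samples.

```python
import re
from collections import defaultdict
PWD_MAX_FAILURE = 5  # policy from the thread: 5 failed binds lock the account

# Constructed slapd "stats" log lines (not real traffic): 10.0.0.5 fails
# alice's password five times on one connection, 10.0.0.9 fails once.
SAMPLE_LOG = """\
Mar  1 14:00:01 ldap1 slapd[1234]: conn=1001 fd=12 ACCEPT from IP=10.0.0.5:51234 (IP=0.0.0.0:389)
Mar  1 14:00:01 ldap1 slapd[1234]: conn=1001 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Mar  1 14:00:01 ldap1 slapd[1234]: conn=1001 op=0 RESULT tag=97 err=49 text=
Mar  1 14:00:02 ldap1 slapd[1234]: conn=1001 op=1 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Mar  1 14:00:02 ldap1 slapd[1234]: conn=1001 op=1 RESULT tag=97 err=49 text=
Mar  1 14:00:03 ldap1 slapd[1234]: conn=1001 op=2 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Mar  1 14:00:03 ldap1 slapd[1234]: conn=1001 op=2 RESULT tag=97 err=49 text=
Mar  1 14:00:04 ldap1 slapd[1234]: conn=1001 op=3 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Mar  1 14:00:04 ldap1 slapd[1234]: conn=1001 op=3 RESULT tag=97 err=49 text=
Mar  1 14:00:05 ldap1 slapd[1234]: conn=1001 op=4 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Mar  1 14:00:05 ldap1 slapd[1234]: conn=1001 op=4 RESULT tag=97 err=49 text=
Mar  1 14:00:06 ldap1 slapd[1234]: conn=1002 fd=13 ACCEPT from IP=10.0.0.9:40000 (IP=0.0.0.0:389)
Mar  1 14:00:06 ldap1 slapd[1234]: conn=1002 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Mar  1 14:00:06 ldap1 slapd[1234]: conn=1002 op=0 RESULT tag=97 err=49 text=
"""

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")

def failed_binds_by_source(log_text):
    """Return {(client_ip, bind_dn): failed bind count} from slapd stats logs."""
    conn_ip = {}                 # conn id -> client IP, taken from the ACCEPT line
    pending = {}                 # (conn, op) -> DN of a BIND still awaiting its RESULT
    failures = defaultdict(int)
    for line in log_text.splitlines():
        if m := ACCEPT_RE.search(line):
            conn_ip[m[1]] = m[2]
        elif m := BIND_RE.search(line):
            pending[(m[1], m[2])] = m[3]
        elif m := RESULT_RE.search(line):
            dn = pending.pop((m[1], m[2]), None)
            # err=49 is LDAP invalidCredentials; ppolicy returns it for a
            # locked account too, so those attempts are counted as well
            if dn and m[3] == "49":
                failures[(conn_ip.get(m[1], "unknown"), dn)] += 1
    return dict(failures)

def lockout_sources(log_text, threshold=PWD_MAX_FAILURE):
    """(ip, dn) pairs whose own failures reach the threshold: candidates for a per-address block."""
    counts = failed_binds_by_source(log_text)
    return sorted(key for key, n in counts.items() if n >= threshold)
```

On the sample, only 10.0.0.5 reaches the threshold against alice's DN, while the single failure from 10.0.0.9 stays below it; run over real logs, the output distinguishes a source worth firewalling from a user who mistyped once.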