
Re: Password policy: possible DoS scenario



----- "Konstantin Boyandin" <temmokan@gmail.com> wrote:


> >> Narrower question: do password policy module developers plan to take
> >> into account what IPs are used to connect (thus, blocking only access
> >> from specific IPs)?
> >
> > Maybe you should provide a specific use case, besides "my users violate my
> > terms of use, and I can't do anything about it".
>
> A typical use case is this. We make users change their passwords
> regularly; password policy was introduced to further urge to use safer
> credentials.
>
> Now imagine a person's email being checked regularly from outside the
> intranet. After the specified attempts the account gets locked. The only
> option we have in such a case is to firewall the address that sends
> wrong credentials.

There are other options. ppolicy is not meant to prevent attacks on accounts, but to try and prevent attacks on accounts being successful. Prevention (or other responses) are only possible if the attacks are detected. If you want attackers to be able to make as many attempts as they like to try and compromise accounts, you would be better off without ppolicy.

> In case the locks are IP-bound, they would only affect those attempting
> to gain access (regardless of whether those are legitimate or
> unauthorized attempts).

But it opens you up to making it easier for attackers to brute-force your accounts.

However, in your scenario of a user's email account being attacked, to LDAP, the client IP address is that of your mail server, so having IP-specific lockout would not help you.

Regards,
Buchan
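To make the point about the mail server being the LDAP client concrete, here is an added illustration (not code from the original thread or from OpenLDAP): a set of constructed bind events, all arriving from an assumed mail server address, run through an account-keyed and an IP-keyed lockout rule. The threshold imitates a pwdMaxFailure-style limit; it is not ppolicy's own implementation.

```python
from collections import Counter

# Constructed bind events as the LDAP server would see them: (client IP, bind DN, success).
# Every mail client authenticates through the mail server, so the client IP is always
# the mail server's (assumed address 10.0.0.5), whoever the real user is.
MAIL_SERVER_IP = "10.0.0.5"
BOB = "uid=bob,ou=people,dc=example,dc=com"
BIND_EVENTS = [
    (MAIL_SERVER_IP, "uid=alice,ou=people,dc=example,dc=com", True),
    (MAIL_SERVER_IP, BOB, False),
    (MAIL_SERVER_IP, BOB, False),
    (MAIL_SERVER_IP, BOB, False),
    (MAIL_SERVER_IP, "uid=carol,ou=people,dc=example,dc=com", True),
    (MAIL_SERVER_IP, BOB, False),
    (MAIL_SERVER_IP, "uid=dave,ou=people,dc=example,dc=com", True),
]
MAX_FAILURES = 3  # pwdMaxFailure-style threshold (constructed value)


def lockouts(events, key):
    """Return the set of keys whose failed-bind count reaches MAX_FAILURES."""
    failures = Counter(key(ip, dn) for ip, dn, ok in events if not ok)
    return {k for k, n in failures.items() if n >= MAX_FAILURES}


def locked_accounts(events):
    """Account-keyed lockout: only the attacked DN is locked (the DoS the poster describes)."""
    return lockouts(events, lambda ip, dn: dn)


def locked_ips(events):
    """IP-keyed lockout: the only IP the LDAP server ever sees is the mail server's."""
    return lockouts(events, lambda ip, dn: ip)


def users_blocked_by_ip_lockout(events):
    """Every DN binding from a locked IP is collateral damage, attacked or not."""
    blocked = locked_ips(events)
    return {dn for ip, dn, _ in events if ip in blocked}


if __name__ == "__main__":
    print("account lockout:", locked_accounts(BIND_EVENTS))
    print("IP lockout:", locked_ips(BIND_EVENTS))
    print("users hit by IP lockout:", users_blocked_by_ip_lockout(BIND_EVENTS))
```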