On Fri, 26 Jul 2013, Trenton D. Adams wrote:

> On 13-07-26 10:13 AM, Trenton D. Adams wrote:
>> On 13-07-25 02:48 PM, Andrew Morgan wrote:
>>> On Thu, 25 Jul 2013, Trenton D. Adams wrote:
>>>> Hmm, it doesn't seem reasonable for an authentication system to not be
>>>> throttled. Any ideas on why it's not on by default? I know it was
>>>> for CAS 2.
>>>> Can we get it enabled by default going forward?
>>>
>>> Our CAS system uses our LDAP service to handle authentication, and our
>>> LDAP service already has a password policy which handles lockout after X
>>> number of failed authentication attempts. Additionally, we have
>>> different password policies for different categories of users ("higher"
>>> security accounts allow fewer failed authentication attempts).
>>
>> How does your LDAP support this feature? Is it based on account? If
>> so, that seems rather inferior to IP based throttling. If for some
>> reason I was able to gain access to all of the LDAP ids (temporarily
>> maybe, not as unlikely as one might think) I could use a dictionary
>> attack, and attempt the same password on every account. That wouldn't
>> trigger an account based lock out.
>
> Sorry, I've always had attention problems. You already stated it was based
> on account. But, that does seem rather inferior to IP based blocking, don't
> you think? I remember CAS 2 being something like 100 repeated attempts in
> quick succession was deemed as an attack, and that IP was blocked.

All valid points!

We still see some brute-force password guessing attempts, but I'm not
aware of a single account here that was compromised via guessing.
Phishing for passwords seems to be much more successful. :(

IP throttling might be able to help us against DoS-style attacks though.

Anyways, you can certainly use CAS to throttle login attempts by both
username and IP address, but that protection is incomplete if there are
other ways to perform authentication. We have a lot of services that are
not web-based (IMAP, SSH, etc), so CAS doesn't seem like the best place
for us to throttle.

Andy
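The point made in the thread (an account-based lockout never trips when one password is tried once against every account, while a per-IP throttle does) is easy to see with a small sliding-window throttle keyed on both username and source address. This is an added illustration, not code from CAS or from anyone in the thread; the class, the limits and the sample event stream are all constructed here.

```python
"""Sliding-window login throttle keyed on username and on source IP.

Added example, not CAS code. Limits and sample events are constructed.
"""
from collections import defaultdict, deque


class LoginThrottle:
    """Counts recent failures per username and per source IP.

    An attempt is refused when either counter has reached its limit
    within the window. Passing float("inf") as ip_limit turns the class
    into an account-only policy, which is what LDAP lockout gives you.
    """

    def __init__(self, account_limit, ip_limit, window_seconds):
        self.account_limit = account_limit
        self.ip_limit = ip_limit
        self.window = window_seconds
        self._by_account = defaultdict(deque)  # username -> failure times
        self._by_ip = defaultdict(deque)       # source ip -> failure times

    @staticmethod
    def _prune(q, now, window):
        # Drop failures that have aged out of the window.
        while q and now - q[0] > window:
            q.popleft()

    def is_blocked(self, username, ip, now):
        acct, addr = self._by_account[username], self._by_ip[ip]
        self._prune(acct, now, self.window)
        self._prune(addr, now, self.window)
        return len(acct) >= self.account_limit or len(addr) >= self.ip_limit

    def record(self, username, ip, now, password_ok):
        if password_ok:
            # A correct password clears the account counter only; the IP
            # counter keeps its history so one good login from a noisy
            # address does not reset that address's budget.
            self._by_account[username].clear()
        else:
            self._by_account[username].append(now)
            self._by_ip[ip].append(now)


def password_spray_events(n_accounts, ip="198.51.100.7", start=0.0, step=0.5):
    """Constructed sample stream: one wrong password tried once against
    n distinct accounts from a single address, half a second apart."""
    return [(start + i * step, f"user{i:03d}", ip, False)
            for i in range(n_accounts)]


def replay(events, throttle):
    """Feed (time, username, ip, password_ok) tuples through a throttle.

    Returns (refused, reached_password_check).
    """
    refused = reached = 0
    for t, user, ip, ok in events:
        if throttle.is_blocked(user, ip, t):
            refused += 1
        else:
            reached += 1
            throttle.record(user, ip, t, ok)
    return refused, reached


def compare_policies(n_accounts=100, account_limit=5, ip_limit=20, window=60):
    """Same spray stream under account-only and combined throttling."""
    events = password_spray_events(n_accounts)
    account_only = LoginThrottle(account_limit, float("inf"), window)
    combined = LoginThrottle(account_limit, ip_limit, window)
    return {
        "account_only": replay(events, account_only),
        "account_and_ip": replay(events, combined),
    }


if __name__ == "__main__":
    for name, (refused, reached) in compare_policies().items():
        print(f"{name:15s} refused={refused:3d} reached_check={reached:3d}")
```

With the constructed limits (5 failures per account, 20 per IP, 60 s window) the account-only policy lets all 100 guesses through because no account ever sees more than one failure; the combined policy lets 20 through and refuses the other 80. The caveat Andy raises still applies: a throttle in front of CAS only sees CAS logins, so an address that is blocked there can still try IMAP or SSH unless those services enforce the same budget.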
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user