Hi Sami,

The issue you mention is a conundrum! I think you need to consider
which is the greater risk and use your judgement to secure against this
particular issue.

I mention the same issue in the SANS book "Oracle security step-by-step":
it is advisable to use a profile and set FAILED_LOGIN_ATTEMPTS to
prevent brute force attacks, BUT this parameter could also lead to a denial
of service attack.

The issue is that it would be a denial of service for the particular
user's account that is affected rather than all users (I am not saying
this is a better denial of service as far as the database owner is
concerned).

You have to take a wider view and understand how someone could mount a
brute force attack against your database. They would need a list of
users to start with. Default accounts spring to mind! Either remove
these or lock them, and definitely change the passwords. Protect all
avenues where someone could get a list of all users, i.e. dictionary
views, export files, trace files, program scripts with names in, etc.
Protect user accounts with sensible secure passwords. Don't post
details of user accounts, database structure etc. to newsgroups. As
always, the least privilege principle should be observed for all users. If an
attacker or employee cannot get a list of users he is limited to brute
forcing default accounts; these should be less of an issue where denial
of service is concerned due to password failed attempts, as generally you
should not be logging in as these users regularly. You have to consider
the whole picture and secure your data accordingly. Have a look at some
of the Oracle security papers on my site http://www.petefinnigan.com/orasec.htm.

I think Paul is annoyed because you have suggested a denial of service
method on a mailing list that is easy to find because of the title of
your email!

Kind regards

Pete
-- 
Pete Finnigan
email:[EMAIL PROTECTED]
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.
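An added example, not from Pete's post, showing the profile-based control he describes next to the checks a DBA would run to watch both sides of the trade-off: which accounts are being guessed at and which have been locked out. The profile name, user names and thresholds are assumptions.

```sql
-- Added example (not from the original post). Profile name, user names and
-- thresholds are assumptions; the views and commands are standard Oracle.

-- 1. Lock after a few failures, but only for a bounded time. PASSWORD_LOCK_TIME
--    is in days (1/24 = one hour). UNLIMITED would make a deliberate lockout
--    permanent until a DBA intervenes, which is the denial-of-service case the
--    thread discusses; a timed lock bounds the damage while still slowing guessing.
CREATE PROFILE app_users LIMIT
  FAILED_LOGIN_ATTEMPTS 5
  PASSWORD_LOCK_TIME    1/24;

-- 2. Apply it to interactive application accounts (assumed name). Service
--    accounts that must never be lockable by a third party keep a profile
--    whose lockout risk has been judged separately.
ALTER USER scott PROFILE app_users;

-- 3. Default accounts that are not in use: lock them, as the post advises
--    (DBSNMP is a real Oracle default account; whether it is unused is assumed).
ALTER USER dbsnmp ACCOUNT LOCK;

-- 4. Confirm what every profile in the database actually enforces.
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE resource_name IN ('FAILED_LOGIN_ATTEMPTS', 'PASSWORD_LOCK_TIME')
 ORDER BY profile, resource_name;

-- 5. Record failed logon attempts (traditional auditing; AUDIT_TRAIL must be
--    DB or OS in the parameter file for rows to be written).
AUDIT SESSION WHENEVER NOT SUCCESSFUL;

-- 6. Detection: bursts of ORA-01017 (bad password) per source host and account
--    in the last day indicate guessing; ORA-28000 rows show accounts that the
--    guessing has already locked out.
SELECT userhost, username, returncode, COUNT(*) AS attempts,
       MIN(timestamp) AS first_seen, MAX(timestamp) AS last_seen
  FROM dba_audit_session
 WHERE action_name = 'LOGON'
   AND returncode IN (1017, 28000)
   AND timestamp > SYSDATE - 1
 GROUP BY userhost, username, returncode
HAVING COUNT(*) >= 5
 ORDER BY attempts DESC;

-- 7. Accounts currently locked. LOCKED(TIMED) expires on its own after
--    PASSWORD_LOCK_TIME; plain LOCKED is an administrative lock.
SELECT username, account_status, lock_date, profile
  FROM dba_users
 WHERE account_status LIKE '%LOCKED%'
 ORDER BY lock_date DESC;

-- 8. Recovery after a lockout, once the source of the failures is understood.
ALTER USER scott ACCOUNT UNLOCK;
```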

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net