Re: AW: AW: WG: [vchkpw] lock account after login failures

2003-09-30 Thread Paul L. Allen
Feucht, Florian writes: Perhaps he did, but locked out CONNECTIONS from that IP for 10 minutes reads differently to me. If Tom had meant what you said, then I would have expected something like locked out authentication attempts from that username/IP pair for 10 minutes. This idea

AW: AW: WG: [vchkpw] lock account after login failures

2003-09-29 Thread Feucht, Florian
Perhaps he did, but locked out CONNECTIONS from that IP for 10 minutes reads differently to me. If Tom had meant what you said, then I would have expected something like locked out authentication attempts from that username/IP pair for 10 minutes. This idea is great, but doesn't work for

AW: WG: [vchkpw] lock account after login failures

2003-09-26 Thread Feucht, Florian
: Thursday, 25 September 2003 16:13 To: [EMAIL PROTECTED] Subject: Re: WG: [vchkpw] lock account after login failures Feucht, Florian writes: is this problem unsolvable, or did I say something wrong? Doing it the way you suggest, counting failures, means remembering state somewhere, somehow. If you

Re: AW: WG: [vchkpw] lock account after login failures

2003-09-26 Thread Paul L. Allen
Feucht, Florian writes: My idea is to store this information per user, so the others keep unaffected from locked mailboxes. Another possibility is to lock the account only for a specific amount of time (let's say 10 minutes) after 3 password fails. So if somebody tries some hardcore brute

Re: AW: WG: [vchkpw] lock account after login failures

2003-09-26 Thread Tom Collins
On Friday, September 26, 2003, at 03:39 AM, Paul L. Allen wrote: You are still not considering the possibility that somebody mounts a denial of service attack. An attacker need only make three attempts every ten minutes to permanently lock somebody out. And the attacker can do that for every

Re: AW: WG: [vchkpw] lock account after login failures

2003-09-26 Thread Paul L. Allen
Tom Collins writes: What if the system tracked it by IP, and after three failures locked out connections from that IP for 10 minutes? That has problems for companies behind a firewall which use external mail servers (we have several clients in that situation). All it takes is one person to

Re: AW: WG: [vchkpw] lock account after login failures

2003-09-26 Thread Paul L. Allen
X-Istence writes: Paul L. Allen wrote: Tom Collins writes: What if the system tracked it by IP, and after three failures locked out connections from that IP for 10 minutes? [...] He meant log it on an account AND ip basis. Perhaps he did, but locked out CONNECTIONS from that

WG: [vchkpw] lock account after login failures

2003-09-25 Thread Feucht, Florian
Hi... is this problem unsolvable, or did I say something wrong? --- Hi there... I'm using vpopmail's vchkpw to authenticate imap, pop3 and smtp. (plain - cdb, w/o ldap or mysql) All services should be accessible from outside. Now I have got the following question: is it possible that vchkpw

Re: WG: [vchkpw] lock account after login failures

2003-09-25 Thread Paul L. Allen
Feucht, Florian writes: is this problem unsolvable, or did I say something wrong? Doing it the way you suggest, counting failures, means remembering state somewhere, somehow. If you have a lot of idiot users, this state could become very large and slow. Also there are two possible denial of

[vchkpw] lock account after login failures

2003-09-23 Thread Feucht, Florian
Hi there... I'm using vpopmail's vchkpw to authenticate imap, pop3 and smtp. (plain - cdb, w/o ldap or mysql) All services should be accessible from outside. Now I have got the following question: is it possible that vchkpw locks an account after - let's say - 5 password failures to