https://bugzilla.wikimedia.org/show_bug.cgi?id=61101

--- Comment #12 from Andreas F. Borchert <wikipe...@andreas-borchert.de> ---
I would like to second Neozoon in his comment above.

The logins of the OTRS admins are well known. This discussion is public.
Setting PasswordMaxLoginFailed is an open invitation for the next vandal to get
all OTRS admins locked out. Do not think that such incidents are unlikely. As
Wikimedia and the support team are well-known entities, it is only a question
of time until such an attack is launched. This is not an
"acceptable tradeoff"; we would look like fools the moment it happens.

And it does not matter whether PasswordMaxLoginFailed is set to 3, 10, 100, or
whatever. Any limit can be reached if a vandal has the intention to launch this
attack.

I would recommend logging all login failures, evaluating these logs every
n minutes, and blocking the IP addresses that generate more than m login
failures within n minutes. Similar strategies tend to work against brute-force
attacks on ssh logins.

Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
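Added example, not code from the bug thread or from OTRS: the per-source rule the comment describes (block IPs with more than m login failures within n minutes, evaluated as a sliding window) placed beside a per-account counter of the PasswordMaxLoginFailed kind, run over constructed log lines. The log line format, the field names and the values of m and n are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the bug report): one line per failed login.
SAMPLE_LOG = """\
2014-02-10 10:00:05 login failed user=admin1 ip=203.0.113.7
2014-02-10 10:00:09 login failed user=admin2 ip=203.0.113.7
2014-02-10 10:00:14 login failed user=admin3 ip=203.0.113.7
2014-02-10 10:00:20 login failed user=admin1 ip=203.0.113.7
2014-02-10 10:01:30 login failed user=admin1 ip=198.51.100.4
2014-02-10 10:20:00 login failed user=admin2 ip=198.51.100.4
2014-02-10 10:21:00 login failed user=admin2 ip=198.51.100.4
2014-02-10 10:22:00 login failed user=admin2 ip=198.51.100.4
"""
LINE_RE = re.compile(r"^(\S+ \S+) login failed user=(\S+) ip=(\S+)$")  # assumed format

def parse_failures(log_text):
    """Return (timestamp, user, ip) tuples for every failed-login line, oldest first."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            out.append((ts, m.group(2), m.group(3)))
    return sorted(out)

def accounts_locked(failures, max_failed):
    """Per-account counter (PasswordMaxLoginFailed style): any source can lock any account."""
    per_user = Counter(user for _, user, _ in failures)
    return {u for u, c in per_user.items() if c >= max_failed}

def ips_to_block(failures, m, n_minutes):
    """Per-source rule from the comment: IPs with more than m failures in any n-minute window."""
    window = timedelta(minutes=n_minutes)
    by_ip = defaultdict(list)
    for ts, _, ip in failures:
        by_ip[ip].append(ts)
    blocked = set()
    for ip, times in by_ip.items():  # times are already in ascending order
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window past old failures
                start += 1
            if end - start + 1 > m:
                blocked.add(ip)
                break
    return blocked
```

With the sample data a single source locks two admin accounts under the per-account counter, while the per-IP rule blocks only that source and leaves the accounts usable.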
