On 1/8/19 8:39 PM, Fred Cisin via cctalk wrote:
> 3 failures are not enough for some legitimate human failings.
> There's a high chance for false positives there.
> I occasionally will forget a password, and make 4 or 5 tries; and then, a few days later, remember it.
I wonder if it's three password attempts (likely in a single connection) or three failed connections.
I could see how three failed connections would suffice, as that would be nine password attempts.
> So, I MUCH prefer the concept of a logarithmically increasing lockout, starting small. Maybe as little as a millisecond, to permit a REASONABLE number of "maybe it was...", but thoroughly block brute force and dictionary/list attempts.
I created a fancy IPTables rule set that used the recent match extension to dynamically (in-kernel, without any files on the drive) produce a back-off period. I don't remember the exact count of things, or the timings. But I do recall that it was something like 5 minutes, 30 minutes, 1 hour, 1 day, 1 week, 1 month, 1 year. I don't think I had permanent. (Maybe I did. It's been 15+ years.)
-- Grant. . . . unix || die
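An added example of the escalating xt_recent lockout discussed above; it is not Grant's rule set (the thread does not reproduce it). The tier durations follow the list in the post; the chain and list names, the strike threshold of four new connections in 60 s, and the rule that a tier-i ban is remembered for the length of tier i+1 are assumptions.

```shell
#!/bin/sh
# Escalating SSH lockout with the xt_recent match, emitted in iptables-restore
# syntax. Assumed (not from the post): chain/list names, the strike threshold of
# 4 new connections per 60 s, and the escalation memory window.
SSH_GUARD_TIERS="${SSH_GUARD_TIERS:-300 1800 3600 86400 604800 2592000 31536000}"
SSH_GUARD_PORT="${SSH_GUARD_PORT:-22}"

emit() { printf '%s\n' "$1"; }

# Print the rule set. Apply with: ssh_guard_rules | iptables-restore --noflush
ssh_guard_rules() {
    set -- $SSH_GUARD_TIERS
    n=$#
    emit '*filter'
    emit ':SSH_GUARD - [0:0]'
    emit ':SSH_STRIKE - [0:0]'
    i=1; while [ "$i" -le "$n" ]; do emit ":SSH_BAN$i - [0:0]"; i=$((i+1)); done
    # Only NEW connections are counted; established sessions are never touched.
    emit "-A INPUT -p tcp --dport $SSH_GUARD_PORT -m conntrack --ctstate NEW -j SSH_GUARD"
    # 1. Active bans, longest tier first. --rcheck does not refresh the entry's
    #    timestamp, so a tier-i ban lasts exactly its duration.
    i=$n; while [ "$i" -ge 1 ]; do
        eval "dur=\$$i"
        emit "-A SSH_GUARD -m recent --name ssh_ban$i --rcheck --seconds $dur -j DROP"
        i=$((i-1))
    done
    # 2. Record this attempt; the 4th new connection within 60 s is a strike.
    emit '-A SSH_GUARD -m recent --name ssh_try --set'
    emit '-A SSH_GUARD -m recent --name ssh_try --rcheck --seconds 60 --hitcount 4 -j SSH_STRIKE'
    emit '-A SSH_GUARD -j RETURN'
    # 3. Escalate: a tier-i ban still remembered (kept for the length of tier i+1)
    #    promotes the address to tier i+1; a first offender starts at tier 1.
    i=$((n-1)); while [ "$i" -ge 1 ]; do
        eval "mem=\$$((i+1))"
        emit "-A SSH_STRIKE -m recent --name ssh_ban$i --rcheck --seconds $mem -j SSH_BAN$((i+1))"
        i=$((i-1))
    done
    emit '-A SSH_STRIKE -j SSH_BAN1'
    i=1; while [ "$i" -le "$n" ]; do
        emit "-A SSH_BAN$i -m recent --name ssh_ban$i --set -j DROP"
        i=$((i+1))
    done
    emit 'COMMIT'
}
```

Each xt_recent list holds 100 addresses by default (module parameter ip_list_tot), so a wide scan evicts the long tiers early unless that limit is raised; the current lists can be inspected under /proc/net/xt_recent/. Re-applying the rule set appends a second INPUT jump, so delete the old one first or load it once at boot.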