On 14/12/2009 03:12, Timo Sirainen wrote:
Largest changes since alpha3:

  - if some IP address is failing authentications, all auth attempts from
the IP are delayed increasingly. a successful auth drops the delay. max
delay is 15 seconds. this is enforced by auth process, so it works
across different connections/processes/protocols.

I have a bunch of users behind several NATs (wifi hotspots, dialup gateways) and it would seem that if some muppet innocently sets up the wrong username/password then all the other users get significantly penalised? (I have even seen cases where people have a go at configuring Outlook, it doesn't work and they just leave it misconfigured and sending incorrect passwords forever afterwards...)

(This actually caught me out recently when a fairly large group of users got dropped due to pretty much just this type of rule implemented via an overeager Fail2ban rule... One user just kept trying to use the wrong password (innocently) and locked out the whole group of users behind the NAT... Durr, quick fix of the whitelisted IPs, but we don't always spot the smaller gateways)

Should it not only delay *incorrect* logins? i.e. each time you get it wrong then you get a penalty (which increases). Getting it right would log in instantly and slightly decrease the "got it wrong" penalty (or perhaps it just ages out over time)?

Seems that this is a good compromise and doesn't penalise good users, whilst only very slightly assisting attackers? (If they hacked a login then delaying them a few seconds from using it isn't all that helpful anyway...)

My 2p..  Although possibly I misunderstood the changelog...?

Ed W
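The two policies being compared in this thread, as an added toy simulation that is not part of the mailing-list post and not Dovecot's code. It models one NAT address shared by a misconfigured mail client and several legitimate users, and totals the delay each group experiences under (a) the changelog's "every attempt from the IP is delayed, success drops the delay" rule and (b) the reply's "delay only failures, success slightly decreases the penalty" rule. The growth schedule (1 s doubling to the 15 s cap), reading "drops the delay" as a reset to zero, the decrement of 1 s per success, the IP address and the event sequence are all assumptions constructed for the illustration.

```python
"""Toy comparison of two per-IP auth-penalty policies (constructed example).

Neither class is Dovecot's implementation; both are simplified models of the
two rules discussed in the thread, kept per source IP as the changelog says.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MAX_DELAY = 15.0  # seconds; the cap quoted in the changelog


def _grow(penalty: float) -> float:
    """Assumed schedule: first failure -> 1 s, then doubling, capped."""
    return min(MAX_DELAY, max(1.0, penalty * 2))


@dataclass
class ResetOnSuccess:
    """Changelog reading: every attempt from a failing IP waits the current
    penalty; a failure grows it, a success drops it (modelled as reset to 0)."""
    penalty: Dict[str, float] = field(default_factory=dict)

    def attempt(self, ip: str, ok: bool) -> float:
        delay = self.penalty.get(ip, 0.0)          # applied to good and bad alike
        self.penalty[ip] = 0.0 if ok else _grow(delay)
        return delay


@dataclass
class FailuresOnly:
    """Reply's proposal: only a failed attempt waits; a success is instant and
    slightly decreases the accumulated penalty (assumed: 1 s per success)."""
    penalty: Dict[str, float] = field(default_factory=dict)

    def attempt(self, ip: str, ok: bool) -> float:
        current = self.penalty.get(ip, 0.0)
        if ok:
            self.penalty[ip] = max(0.0, current - 1.0)
            return 0.0                             # correct login is never delayed
        self.penalty[ip] = _grow(current)
        return current                             # wrong password waits


# Constructed event stream from one NAT address: a misconfigured client
# retries three times between each legitimate user's login.
NAT_IP = "198.51.100.7"  # RFC 5737 documentation address, constructed
EVENTS: List[Tuple[str, bool]] = [
    ("outlook-misconfig", False), ("outlook-misconfig", False), ("outlook-misconfig", False),
    ("alice", True),
    ("outlook-misconfig", False), ("outlook-misconfig", False), ("outlook-misconfig", False),
    ("bob", True),
]


def simulate(policy_cls, events: List[Tuple[str, bool]], ip: str) -> Tuple[float, float]:
    """Run one policy over the events; return (delay borne by legitimate users,
    delay borne by the failing client) in seconds."""
    policy = policy_cls()
    legit = failing = 0.0
    for _user, ok in events:
        delay = policy.attempt(ip, ok)
        if ok:
            legit += delay
        else:
            failing += delay
    return legit, failing


if __name__ == "__main__":
    for cls in (ResetOnSuccess, FailuresOnly):
        legit, failing = simulate(cls, EVENTS, NAT_IP)
        print(f"{cls.__name__:16s} legitimate users waited {legit:5.1f} s, "
              f"failing client waited {failing:5.1f} s")
```

Under the first model the legitimate users absorb the delay and each of their successes also resets the penalty, so the misconfigured client keeps seeing short waits; under the second the good users never wait and the failing client climbs to the cap. The counter is keyed on the source IP in both cases, so a second address is unaffected either way.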
