On Di, 2014-10-21 at 14:06 +0800, Gonglei wrote: > On 2014/10/20 15:02, Gerd Hoffmann wrote: > > > > > Hi, > > > >> If we set the max trying times, and then > >> There are some concepts: > >> - INTERVAL_TIME: a time window that user can connnet vnc server > >> - REJECT_TIME: the time of reject any connection > >> - MAX_TRY_TIMES: the times that user can connect vnc server in > >> INTERVAL_TIME, > >> if attach the MAX_TRY_TIMES, the server will lock, any user can not > >> connect again > >> before REJECT_TIME attached. The old connected client will not be > >> influenced. > > > > i.e. effectively rate-limit login attempts. Makes sense to have an > > option for that, although I'm not sure it is worth the trouble doing > > something beyond a simple "one attempt per second allowed" (i.e. stop > > polling the listening socket for a second after each accept). > > > > Hi, > > "one attempt per second allowed" is just reduce the frequency for attack,
Yes. Which is common practice, to slow down dictionary attacks. > but I don't think the effect is very well. It can limit the login attempts for > attack problem from a flood of attack to "one attempt per second" (not > the same magnitude with my approach for security). Problem with rejecting is any login attempts for REJECT_TIME is that you also lock out the good guys. cheers, Gerd
