On 8/31/2015 8:54 AM, Christopher Schultz wrote:
> You also tell them how long they have to wait before they can resume
> their brute-force attack without wasting their own time.
> Much better to let a brute force attacker pound away at a locked
> account wasting their resources and probably tripping additional
> security measures (like an IP block) for the excessive failures
> than it is to tell them what they need to do to keep the
> authentication system happy.
I've started using Fail2Ban because of brute force attacks against
Postfix-SASL. It would be nice if the LockoutRealm also reported the IP
address so I could use it to cover Tomcat as well. In its
implementation, LockoutRealm gives the user n tries per account (at
least that's my understanding).
--
George Sexton
*MH Software, Inc.*
Voice: 303 438 9585
http://www.mhsoftware.com
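The thread contrasts two ways of counting authentication failures: LockoutRealm's n tries per account, and the per-IP counting a Fail2Ban jail needs. The script below is an added illustration of that gap, not code from Tomcat, Fail2Ban or anyone on this list. The log format it parses (`<timestamp> auth-fail user=<name> ip=<addr>`) is constructed for the example; as George notes, LockoutRealm does not log the client IP at all, so a real jail would have to get the address from another source such as the access log.

```python
"""Per-account vs per-IP failure counting (added illustration, not Tomcat code).

The log format below is constructed for this example. Tomcat's LockoutRealm
does not emit lines in this form and does not report the client IP.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: one IP touching six accounts once each within a few
# seconds, then a single unrelated failure for 'alice' from a second address.
SAMPLE_LOG = """\
2015-08-31T09:00:01 auth-fail user=alice ip=198.51.100.7
2015-08-31T09:00:02 auth-fail user=bob ip=198.51.100.7
2015-08-31T09:00:03 auth-fail user=carol ip=198.51.100.7
2015-08-31T09:00:04 auth-fail user=dave ip=198.51.100.7
2015-08-31T09:00:05 auth-fail user=erin ip=198.51.100.7
2015-08-31T09:00:06 auth-fail user=frank ip=198.51.100.7
2015-08-31T09:05:00 auth-fail user=alice ip=203.0.113.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) auth-fail user=(?P<user>\S+) ip=(?P<ip>\S+)$")


def parse(log_text):
    """Yield (timestamp, user, ip) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["ip"]


class FailureTracker:
    """Sliding-window failure counter keyed by a caller-chosen field.

    key_fn picks the dimension to count on (account name or client IP).
    A key is 'tripped' once it accumulates max_failures inside the window,
    mirroring LockoutRealm's n tries per account on one side and a
    Fail2Ban-style maxretry/findtime pair per IP on the other.
    """

    def __init__(self, key_fn, max_failures, window):
        self.key_fn = key_fn
        self.max_failures = max_failures
        self.window = window
        self.events = defaultdict(list)

    def record(self, ts, user, ip):
        """Store one failure; return True if this key is now over the threshold."""
        key = self.key_fn(user, ip)
        recent = [t for t in self.events[key] if ts - t < self.window]
        recent.append(ts)
        self.events[key] = recent
        return len(recent) >= self.max_failures

    def tripped(self):
        """Keys whose retained (in-window) failures meet the threshold."""
        return sorted(k for k, v in self.events.items() if len(v) >= self.max_failures)


def compare(log_text, max_failures=5, window=timedelta(minutes=5)):
    """Run the same failures through a per-account and a per-IP tracker."""
    by_account = FailureTracker(lambda user, ip: user, max_failures, window)
    by_ip = FailureTracker(lambda user, ip: ip, max_failures, window)
    for ts, user, ip in parse(log_text):
        by_account.record(ts, user, ip)
        by_ip.record(ts, user, ip)
    return {"locked_accounts": by_account.tripped(), "banned_ips": by_ip.tripped()}


if __name__ == "__main__":
    # With the sample data no account reaches 5 failures, but the first IP does.
    print(compare(SAMPLE_LOG))
```

With the default threshold of 5 failures in 5 minutes, the per-account tracker never trips because each account saw only one or two failures, while the per-IP tracker flags 198.51.100.7 after its sixth attempt. That is the case an account-keyed lockout alone cannot see, and why having the source address in the same log line matters for a Fail2Ban jail.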