On Wed, 2009-12-16 at 00:03 +0000, Ed W wrote:
> On 14/12/2009 03:12, Timo Sirainen wrote:
> > Largest changes since alpha3:
> > - If some IP address is failing authentications, all auth attempts from the IP are delayed increasingly. A successful auth drops the delay. Max delay is 15 seconds. This is enforced by the auth process, so it works across different connections/processes/protocols.
> I have a bunch of users behind several NATs (wifi hotspots, dialup gateways) and it would seem that if some muppet innocently sets up the wrong username/password then all the other users get significantly penalised? (I have even seen cases where people have a go at configuring Outlook, it doesn't work and they just leave it misconfigured and sending incorrect passwords forever afterwards...)
This could be a problem, yes... I probably have to make this configurable in some way. Or perhaps I could add some more code so that if only the same user+password combination (or a few of them) are the problem, it doesn't penalize. This feels familiar, I think I almost started coding that before. Or it's as if I already did, but I don't see the code...
When that's done, once in a while when an invalid user+pass combo happens it delays the next user's login for a couple of seconds, but then it would get cached for some time so if it tries again there would be no delays.
Also in any case, even if I don't change it from how it works now, the penalty goes away immediately after first successful login. So pretty much the worst that can happen is that innocent users have to wait for 15 seconds before they can log in.
> Should it not only delay *incorrect* logins? I.e. each time you get it wrong then you get a penalty (which increases). Getting it right would log in instantly and slightly decrease the "got it wrong" penalty (or perhaps it just ages out over time)?
That would also make the penalty pretty pointless. Attackers would just login, wait for half a second, assume it was a failed login, disconnect and connect again.
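The per-IP penalty discussed in this thread, together with Timo's proposed refinement that a repeated wrong user+password combination from the same address does not add to the delay, as an added model in Python (this is illustrative code written for this page, not Dovecot's auth process; the 1 second first step, the doubling, and the one-hour combo cache lifetime are assumptions, only the 15 second cap and the reset on success come from the thread):

```python
import hashlib
import time

MAX_DELAY = 15          # seconds; the cap stated in the alpha4 release notes
INITIAL_DELAY = 1       # assumed first penalty step
KNOWN_COMBO_TTL = 3600  # assumed lifetime of a cached failed user+password combo

class AuthPenalty:
    """Per-IP authentication failure penalty shared across connections."""

    def __init__(self, now=time.monotonic):
        self.now = now
        self.delay = {}   # ip -> current delay in seconds for the next attempt
        self.seen = {}    # ip -> {combo hash: expiry time}

    @staticmethod
    def _combo(user, password):
        # Hash the pair so the cache never holds cleartext passwords.
        return hashlib.sha256(f"{user}\0{password}".encode()).hexdigest()

    def penalty(self, ip):
        """Delay to impose before answering the next attempt from ip."""
        return self.delay.get(ip, 0)

    def record(self, ip, user, password, success):
        """Update state after an attempt; return the delay for the next one from ip."""
        if success:
            # A successful auth drops the whole penalty for that IP.
            self.delay.pop(ip, None)
            self.seen.pop(ip, None)
            return 0
        combos = self.seen.setdefault(ip, {})
        now = self.now()
        for key in [k for k, exp in combos.items() if exp <= now]:
            del combos[key]
        key = self._combo(user, password)
        if key in combos:
            # Same wrong credentials again (a misconfigured client): remember it
            # but do not grow the penalty for everyone behind this NAT.
            combos[key] = now + KNOWN_COMBO_TTL
            return self.delay.get(ip, 0)
        combos[key] = now + KNOWN_COMBO_TTL
        current = self.delay.get(ip, 0)
        new = INITIAL_DELAY if current == 0 else min(current * 2, MAX_DELAY)
        self.delay[ip] = new
        return new
```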