Re: under another kind of attack
Olaf Hopp <Olaf.Hopp@kit.edu> writes:
Slow roll distributed attacks. Really hard to stop.
All the time, and to many services. If you need to be fault tolerant, you'll either have to set tolerant limits (allow a reasonable number of failures), or timeout features. You could also track successful logins as whitelisting entries for future logins.
Nearly an intractable problem, especially since your users are embedded in a notoriously infested network (as someone quipped, "like picking marshmallows out from a pile of sh*t").
Some ideas:
- pre-emption (using third party RBLs that target BFD)
- immediate blacklisting of known bad users/passwords
(e.g. "admin", "support", extinct users, etc.)
- persistent tracking storage: tracking in SQL, or
a large LRU list that can reach far enough back
in time.
(I think Aki mentioned weakforced which you can use instead of fail2ban to implement some of these things.)
There are other solutions like alternate ports, port knocking, certificate authentication, or VPN, but they are hard/impossible to do with a large userbase, or have high setup/amortization costs.
If you have an enforced strong password policy, these brute forcers have little chance of succeeding, so maybe the easiest, cheapest policy is to ignore it.
Joseph Tam <jtam.home@gmail.com>
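A sketch of the tracker the ideas above describe (a tolerant failure limit over a long look-back window, LRU-bounded per-IP storage, immediate blocking of known-bad usernames, and whitelisting of pairs that have logged in successfully before), as an added Python example that is not part of the original thread; the thresholds, window length and all IP/user values are constructed.

```python
"""Slow-roll brute-force tracker: long look-back window, tolerant limit,
immediate block for known-bad usernames, allow-list of past successes."""
from collections import OrderedDict, deque

KNOWN_BAD_USERS = {"admin", "support"}  # usernames that never legitimately log in here

class SlowRollTracker:
    def __init__(self, window_s=7 * 86400, max_failures=3, max_tracked_ips=100_000):
        self.window_s = window_s                # how far back in time failures still count
        self.max_failures = max_failures        # tolerant limit before blocking
        self.max_tracked_ips = max_tracked_ips  # LRU bound on memory use
        self.failures = OrderedDict()           # ip -> deque of failure timestamps, LRU order
        self.trusted = set()                    # (user, ip) pairs with a past successful login

    def _record_failure(self, ts, ip):
        q = self.failures.pop(ip, deque())      # pop/re-insert moves ip to most-recent end
        q.append(ts)
        while q and ts - q[0] > self.window_s:  # drop failures that fell out of the window
            q.popleft()
        self.failures[ip] = q
        if len(self.failures) > self.max_tracked_ips:
            self.failures.popitem(last=False)   # evict the least recently seen ip
        return len(q)

    def decide(self, ts, ip, user, success):
        """Return 'allow' or 'block' for one login event (ts in seconds)."""
        if success:
            self.trusted.add((user, ip))        # a successful login whitelists this pair
            return "allow"
        if user in KNOWN_BAD_USERS:
            self._record_failure(ts, ip)
            return "block"                      # no tolerance for known-bad usernames
        count = self._record_failure(ts, ip)
        if (user, ip) in self.trusted:
            return "allow"                      # seen logging in before: tolerate typos
        return "block" if count > self.max_failures else "allow"

def run_scenario():
    """Constructed sample events (not real traffic) for the three cases above."""
    t, day, verdicts = SlowRollTracker(), 86400, {}
    # attacker: one failure per day against a different user each time, far below any hourly limit
    verdicts["attacker"] = [t.decide(d * day, "198.51.100.7", f"user{d}", False) for d in range(5)]
    # legitimate user logs in once, later mistypes the password several times from the same ip
    t.decide(0, "203.0.113.5", "alice", True)
    verdicts["alice"] = [t.decide(10 + i, "203.0.113.5", "alice", False) for i in range(5)]
    verdicts["admin"] = t.decide(20, "192.0.2.9", "admin", False)
    return verdicts
```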