Re: Hacks



In article <riojb4-73h.ln1@xxxxxxxxxxxxxxxxxx>, Martin Gregorie <martin@xxxxxxxxxxxxxxxx> writes:
Nick Leverton wrote:
Sadly port 22 scans are very common these days, if you let them they
will sit there trying different logins (and presumably passwords) for
minutes or even hours.

It's a pity Linux has never picked up on an old DEC VMS trick - so old
that DEC invented it to piss off crackers by running their phone bills
as high as possible.

After three failed logins the login program was swapped for another
program that looked to the outside world just like a real login but was
a dummy, so no matter what user/password combo the cracker tried he
always got an "invalid user name/password" response followed by another
login prompt.

On VMS this behaviour is controlled by various system parameters (SYSGEN
parameters) which control how many attempts within what time period etc.
trigger evasion mode.

Once triggered, this behavior could only be switched back to normal by
the sysadmin.


Although it can be set up to disable the account in this manner, that isn't the
recommended setting. Instead the length of time the evasion behaviour lasts can
be controlled by a SYSGEN setting (there is a small random element added to
this time to stop the hacker working out exactly how long to wait).
The reason for setting such a time-out is to stop the dictionary attack being
transformed into a denial of service attack.


David Webb
Security team leader
CCSS
Middlesex University
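The trigger count and time window, the timed evasion mode with a random element, and the "stays disabled until the sysadmin resets it" alternative described in the two posts above, as an added illustration in Python (this is not VMS code and not from either poster). The policy field names, the per-source keying and the credential-check callback are assumptions of this example.

```python
import random
import time
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class EvasionPolicy:
    max_failures: int = 3            # failures inside the window that trigger evasion
    window_seconds: float = 60.0     # period over which failures are counted
    evasion_seconds: Optional[float] = 300.0  # None = stays on until an admin reset
    jitter_seconds: float = 60.0     # random extra time so the wait cannot be timed

class LoginGuard:
    """Per-source failed-login tracking that emulates VMS-style evasion mode."""
    def __init__(self, policy: EvasionPolicy, check: Callable[[str, str], bool],
                 rng=None, clock: Callable[[], float] = time.monotonic):
        self.policy, self.check, self.clock = policy, check, clock
        self.rng = rng or random.SystemRandom()
        self.failures = {}       # source -> list of recent failure timestamps
        self.evasion_until = {}  # source -> end time, or None for "until admin reset"

    def in_evasion(self, source: str) -> bool:
        if source not in self.evasion_until:
            return False
        until = self.evasion_until[source]
        if until is None or self.clock() < until:
            return True
        del self.evasion_until[source]  # timed evasion has expired
        return False

    def attempt(self, source: str, user: str, password: str) -> bool:
        """True only for a genuine successful login outside evasion mode."""
        if self.in_evasion(source):
            return False  # dummy login: reject everything, even valid credentials
        if self.check(user, password):
            self.failures.pop(source, None)
            return True
        now = self.clock()
        recent = [t for t in self.failures.get(source, []) if now - t <= self.policy.window_seconds]
        recent.append(now)
        self.failures[source] = recent
        if len(recent) >= self.policy.max_failures:
            self.failures.pop(source, None)
            if self.policy.evasion_seconds is None:
                self.evasion_until[source] = None
            else:  # base duration plus random jitter, as the posts describe
                self.evasion_until[source] = now + self.policy.evasion_seconds \
                    + self.rng.uniform(0, self.policy.jitter_seconds)
        return False

    def admin_reset(self, source: str) -> None:
        self.evasion_until.pop(source, None)
        self.failures.pop(source, None)
```

Keying on the source address rather than the account means a flood of bad guesses cannot lock the legitimate user out from elsewhere, which is the denial-of-service concern raised above.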


On a similar thread, I've often wondered why (on Fedora / Gnome)
disabling the Shutdown / Reboot options on the login splash screen also
disables them on the logout menu and why there's no option to restrict
them to just root's logout menu. I'd prefer to have them available only
on root's logout menu.


--
martin@   | Martin Gregorie
gregorie. | Essex, UK
org       |