Re: Login Break-in LGI parameters
- From: Jim Mehlhop <Mehlhop@xxxxxxxxxx>
- Date: Wed, 01 Nov 2006 12:37:47 -0700
norm.raphael@xxxxxxxxx wrote:

> Jim Mehlhop <Mehlhop@xxxxxxxxxx> wrote on 11/01/2006 12:33:23 PM:
>
>> norm.raphael@xxxxxxxxx wrote:
>>
>>> Can someone please explain in simple English what happens here.
>>> This is how I read the settings:
>>> 1) Users get LGI_BRK_LIM=5 login failures before being blocked
>>> as an INTRUDER (the failure count is logged in the INTRUSION
>>> entry even though lockout has yet to occur).
>>> 2) Once the break-in limit is reached the source is prevented
>>> from login even with the correct Username and Password for
>>> LGI_HID_TIM=30 minutes.
>>> 3) Monitoring of login failure continues for LGI_BRK_TMO=2
>>> minutes after a failure. For each subsequent failure, another
>>> LGI_BRK_TMO=2 minutes is added to the monitoring period. After
>>> this period has passed the INTRUSION record is discarded.
>>> A careful reading of this yields a contradiction. If the source
>>> login fails 5 times (1) the source is blocked. Monitoring
>>> of that source is for 2 minutes, then the source is given a clean
>>> slate (3). The source is prevented even from correct login for
>>> 30 minutes (2). So which is it, 2 (or 4 or 6) minutes or 30
>>> minutes or is it 2 (or 4 or 6) + 30 minutes?
>>
>> Here is what it really means:
>> if you have 6 (not 5) failures within (LGI_BRK_TMO * 6) minutes then you
>> become an intruder and the system will "avoid/hide from" you for 30 * (1
>> to 1.5) minutes.
>> Another way of saying this is IF you only generate failures every 3
>> minutes (instead of 2) you will never be an intruder, just a suspect, no
>> matter how many failures you have.
>
> So if I get a failure it sets up a record and listens for 2 minutes (in
> this case). If no more failures happen, it discards the record and the
> cycle is reset. If I get another failure within the 2 minutes, it gets
> added to the count in the record and listens for 2 more minutes.

It adds the 2 minutes to the timeout value of the previous record, i.e. from one
of our class systems where we had LGI_BRK_TMO set to the 5 minute default value:

CLASS2$ sho intru
Intrusion  Type     Count  Expiration              Source
---------  ----     -----  ----------              ------
NETWORK    SUSPECT  1      1-NOV-2006 12:05:25.97  CLASS2::MEHLHOP

About 30 seconds later I did another failure:

CLASS2$ sho intru
Intrusion  Type     Count  Expiration              Source
---------  ----     -----  ----------              ------
NETWORK    SUSPECT  2      1-NOV-2006 12:10:25.97  CLASS2::MEHLHOP

Note this is EXACTLY LGI_BRK_TMO plus the previous timeout (300 seconds/5 minutes
in our case).

> If it does not get another failure within that 2 minutes, it discards the
> record and the cycle is reset.

Correct.

> If the count gets up OVER 5 the system will prevent a valid login for
> another 30 minutes,

At least. See below for a better explanation.

> but meanwhile the failure count will continue to increment.

Correct.

> So if the "attack" continues, does the 30 minutes start after the last
> 2-minute interval?

Once you have become an intruder the timeout for the intrusion record goes to
LGI_HID_TIM. We had our LGI_HID_TIM set to 600 seconds (10 minutes).
At 5 attempts the timeout on the intrusion record was set to 5 (LGI_BRK_TMO) * 5
= 25 minutes. HOWEVER, once we became an intruder the timeout value on the
intrusion record was set BACK to LGI_HID_TIM * (1 to 1.5) added to the CURRENT
time of the failure, 10-15 minutes on our system, i.e.:

CLASS2$ sho intru
Intrusion  Type     Count  Expiration              Source
---------  ----     -----  ----------              ------
NETWORK    SUSPECT  5      1-NOV-2006 12:20:52.01  CLASS2::WILLIAMS

CLASS2$ sho intru
Intrusion  Type      Count  Expiration              Source
---------  ----      -----  ----------              ------
NETWORK    INTRUDER  6      1-NOV-2006 12:07:35.41  CLASS2::WILLIAMS

> What happens to the intrusion record during this?

It keeps getting updated. HOWEVER, an oddity that we discovered was that if you
gave it a correct username/password during the hide time it did NOT change the
timeout on the intrusion record, even though the count DID increment.

CLASS2$ sho intru
Intrusion  Type      Count  Expiration              Source
---------  ----      -----  ----------              ------
NETWORK    INTRUDER  7      1-NOV-2006 11:55:25.45  CLASS2::WILLIAMS

CLASS2$ sho intru
Intrusion  Type      Count  Expiration              Source
---------  ----      -----  ----------              ------
NETWORK    INTRUDER  8      1-NOV-2006 11:55:25.45  CLASS2::WILLIAMS

CLASS2$ sho intru
Intrusion  Type      Count  Expiration              Source
---------  ----      -----  ----------              ------
NETWORK    INTRUDER  9      1-NOV-2006 11:55:25.45  CLASS2::WILLIAMS

Therefore if for 10-15 minutes (on our system) you gave it nothing but valid
username/passwords it would time out and allow you to log in at that point.
However if you had an invalid username/password during that time it would add
10-15 minutes to the time of THAT combination for the new timeout value for the
intrusion record.
This is discussed in our course on VMS network and system security. There is a link to that course on the HP training website.
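The rules Jim lays out above (each failure extends the existing record's expiration by LGI_BRK_TMO, the sixth failure turns a SUSPECT into an INTRUDER whose expiration is reset from the time of that failure, and a correct password during the hide time bumps the count but not the expiration), modelled as an added Python example that is neither from this thread nor VMS code. It assumes LGI_BRK_LIM=5, LGI_BRK_TMO=300 s, LGI_HID_TIM=600 s and a fixed factor of 1.0 in place of the random 1..1.5 multiplier, with a simulation clock in seconds standing in for VMS absolute times.

```python
from dataclasses import dataclass

# Assumed settings for the model: LGI_BRK_LIM=5 (Norm's reading), LGI_BRK_TMO=300 s
# (the 5-minute default on Jim's class system), LGI_HID_TIM=600 s (Jim's 10 minutes).
# "now" is seconds on a simulation clock, not a VMS absolute time.
LGI_BRK_LIM = 5
LGI_BRK_TMO = 300
LGI_HID_TIM = 600

@dataclass
class IntrusionRecord:
    source: str
    count: int
    expiration: float
    type: str  # "SUSPECT" or "INTRUDER", as shown by SHOW INTRUSION

class BreakinMonitor:
    """Model of the intrusion-record rules described in the thread. hide_factor
    stands in for the random 1..1.5 multiplier applied to LGI_HID_TIM (1.0 = deterministic)."""

    def __init__(self, hide_factor=1.0):
        self.hide_factor = hide_factor
        self.records = {}

    def login(self, source, now, valid):
        """Returns (allowed, record). An INTRUDER is refused even with good credentials."""
        rec = self.records.get(source)
        if rec is not None and now >= rec.expiration:
            del self.records[source]  # expired record is discarded, cycle resets
            rec = None
        if rec is None:
            if valid:
                return True, None
            rec = IntrusionRecord(source, 1, now + LGI_BRK_TMO, "SUSPECT")
            self.records[source] = rec
            return False, rec
        if rec.type == "INTRUDER":
            rec.count += 1  # count increments even for a correct password...
            if not valid:  # ...but only a bad one moves the expiration, measured from THAT attempt
                rec.expiration = now + LGI_HID_TIM * self.hide_factor
            return False, rec
        if valid:  # SUSPECT with good credentials is let in (the thread does not say more)
            return True, rec
        rec.count += 1
        if rec.count > LGI_BRK_LIM:  # sixth failure: becomes INTRUDER and the expiration is
            rec.type = "INTRUDER"  # set back to now + hide time, which can be EARLIER than before
            rec.expiration = now + LGI_HID_TIM * self.hide_factor
        else:
            rec.expiration += LGI_BRK_TMO  # added to the previous timeout, not to now
        return False, rec
```

Replaying five failures 30 seconds apart and then a sixth reproduces the pattern in the WILLIAMS output above: the expiration climbs to 25 minutes out, then drops back to 10 minutes from the sixth failure.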