Discussion in 'Business & Enterprise Computing' started by elvis, Jul 1, 2008.
A four letter word with c u and t?
Damn right they're cute!
I've mentioned before that one of our software suppliers has a clown based service that's just a forklift move of their app to Azure with RDP open to the web, and no security beyond complex usernames/passwords (no account lockouts, no IP bans for constant incorrect attempts, etc.). They were getting significant numbers of actual attempts on both usernames and passwords - enough that the security event log didn't last a full day due to how many incorrect username/password attempts they were getting - and they were also unaware of this until I flagged it as a major concern.
Well, we had to remove the account lockout policy... our accounts kept getting locked out for some unknown reason.
Yes, cert-based auth, and these were active attempts. Windows security logs were showing fairly common names (so list based) but not common to the business, and all accounts have a hard limit of 10 attempts before the account is locked; this also includes firewall-based accounts as well as AD.
Account lockouts after X attempts on an account looks like a nice way to DoS someone. Just find a company's list of logins and spam them all.
Lockout based on attempts from an IP would be the better way to go.
This is how fail2ban works by default. Can be configured any way you like of course.
A combination of the 2 is likely needed (and/or other layers), especially for commonly attacked things such as RDP - just blocking by IP doesn't prevent a botnet attempting to brute force as they could change the IP used to attack every X attempts to get around IP blocks.
So script kiddies could guess account names?
BAN the offending IP for 48hrs and whitelist the appropriate IPs of your infrastructure. I do this every day on systems I build, and after 2 days banned IPs level off and months later you have 20ish IPs instead of 100s as the script kiddies move to greener pastures.
Why is this even a debate, it is IDS 101, first layer policy!
Guess that's why certificates rule my world; passwords are for sudo only.
Not sure if you missed it, but I was being intentionally obtuse there. But to answer your question anyway: yes, it is sometimes possible to determine account names, and I'd say that the vast majority of businesses use a standard naming practice for their account names, which both makes it easier to guess the standard and makes it far easier to extrapolate further once you determine the standard in use (get your employee lists from LinkedIn, Facebook, call them and see if they have an IVR/phone directory, check their website for an employee directory, etc.).
As you say it's a first layer policy, not an only layer policy - I'm agreeing there, use IP bans, they are a very valid layer of security, they're just not the only layer you should use.
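The layered approach the last few posts converge on (ban a hammering IP first, keep the per-account limit as the second layer, never ban your own infrastructure) as an added example; this is not code from the thread, and the thresholds, window and addresses are assumptions chosen for illustration:

```python
from collections import defaultdict, deque

# Assumed thresholds: the thread mentions a hard limit of 10 per account
# and a 48-hour IP ban; the window and IP limit are illustrative only.
IP_LIMIT = 5              # failures from one source IP inside WINDOW -> ban the IP
ACCOUNT_LIMIT = 10        # failures against one account inside WINDOW -> lock it
WINDOW = 600              # seconds
ALLOWLIST = {"10.0.0.5"}  # own infrastructure (assumed address), never banned


def evaluate(events):
    """events: iterable of (ts, src_ip, account) failed-logon records, ts ascending.

    Returns (banned_ips, locked_accounts). The IP layer runs first: once an IP
    is banned its later failures are dropped and no longer count against the
    accounts it sprays, so a single source cannot lock out a whole company.
    A distributed attack on one account still trips the account limit.
    """
    ip_hist = defaultdict(deque)    # per-IP failure timestamps in WINDOW
    acct_hist = defaultdict(deque)  # per-account failure timestamps in WINDOW
    banned, locked = set(), set()
    for ts, ip, acct in events:
        if ip in banned:
            continue  # dropped at the IP layer; does not reach the account layer
        for key, hist, limit, out, skip in (
            (ip, ip_hist, IP_LIMIT, banned, ip in ALLOWLIST),
            (acct, acct_hist, ACCOUNT_LIMIT, locked, False),
        ):
            if skip:
                continue
            dq = hist[key]
            dq.append(ts)
            while ts - dq[0] > WINDOW:  # slide the window
                dq.popleft()
            if len(dq) >= limit:
                out.add(key)
    return banned, locked


def sample_events():
    """Constructed failed-logon records (ts, source IP, account), not real logs."""
    spray = [(t, "203.0.113.9", f"a{t:02d}") for t in range(20)]            # one IP, many accounts
    spread = [(100 + i, f"198.51.100.{i + 1}", "jsmith") for i in range(12)]  # many IPs, one account
    own = [(200 + i, "10.0.0.5", "svc-backup") for i in range(8)]           # allowlisted infrastructure
    return spray + spread + own


if __name__ == "__main__":
    print(evaluate(sample_events()))
```

The spraying IP is banned after its fifth failure and none of the sprayed accounts reach the lock threshold, while the account hit from twelve different IPs is locked and the allowlisted host is never banned.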
We tattoo GUIDs on new employees and they login with that.
I know, I've done my OSINT on your company - please tell the employee ending in CBED8 they post too many damn selfies on Facebook.
He's probably lucky the IT guy didn't set the cat's third eye for retina scan login.
"To login, please present your cat's arse..."
Jokes on you, that was a honey-employee.
So that wasn't really her in the fursuit pics‽ Damn.
It was probably Pablo.
The day I can use my implants to log into shit will be a glorious one. Bring on NFC auth.
Updoot for interrobang.
I have a rather strange friend who has had an RFID chip implanted in his hand. I think he's gotten Myki (local public transport pass) working on it OK.