On Tue, 30 Jan 2001, Eaon wrote:
> > Thus spoke Valdas Andrulis on Tue, Jan 30, 2001 at 01:11:48PM +0200:
> > > I have noticed that previously, when someone entered an incorrect username
> > > or password during login, there was a delay before another login
> > > prompt. And now (I think this happened in 7.x series) it gives the login:
> > > prompt instantly, which is bad from a security view.
> >
> > You're talking about the telnet login? Well, telnet is insecure anyway, so
> > that's no wonder. And after 3 unsuccessful tries the connection is dropped.
> > I don't seem to understand why it's so bad - how was it in the old days?
> > Was the delay increased after each try? And why is it more secure, if
> > there's a delay?
> >
>
> An increased or random delay between login attempts discourages brute force
> attacks using scripts that just send username/password over and over until
> they get in. Or at least, that's what I learned in school. :-)
>
> But you're right, if we're talking about telnet here, kill the service
> anyway and install SSH.
In fact this is true for all apps that use PAM for authentication. The
responsible module is /lib/security/pam_unix.so. It has an option
'nodelay', so the default action should be some kind of delay. But... it
does not do it.
(pam-0.72-12mdk)
Valdas
>
> Eaon
>
>
>
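
An added example, not part of the original thread: a small audit that reads PAM service files and reports, per service, whether the failure delay discussed above is suppressed with `nodelay`, left to `pam_unix.so`, or requested explicitly. It assumes the `/etc/pam.d/<service>` line format and the `pam_faildelay.so` module from current Linux-PAM; the service files are constructed samples, and the result shows what the configuration requests, not whether a delay is actually observed.

```python
import re

# Constructed sample service files (type, control, module, arguments).
SAMPLE = {
    "login": """\
#%PAM-1.0
auth       required   pam_securetty.so
auth       required   /lib/security/pam_unix.so nullok nodelay
account    required   pam_unix.so
""",
    "sshd": """\
auth       optional   pam_faildelay.so delay=3000000
auth       [success=1 default=ignore]  pam_unix.so nullok
""",
    "su": """\
auth       sufficient pam_rootok.so
auth       required   pam_unix.so nullok
""",
}

# The control field is either one word or a bracketed [value=action ...] list.
LINE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def auth_modules(text):
    """Yield (module_name, [args]) for each auth line; includes are not followed."""
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if m and m.group(1).lstrip("-") == "auth":
            yield m.group(3).rsplit("/", 1)[-1], m.group(4).split()

def audit(services):
    """Map each service to the failure-delay behaviour its auth stack requests."""
    report = {}
    for name, text in services.items():
        explicit, unix_default, unix_nodelay = None, False, False
        for module, args in auth_modules(text):
            if module == "pam_faildelay.so":
                # Without delay=N the module falls back to FAIL_DELAY in login.defs.
                explicit = next((a[6:] for a in args if a.startswith("delay=")), "login.defs")
            elif module == "pam_unix.so":
                unix_nodelay |= "nodelay" in args
                unix_default |= "nodelay" not in args
        report[name] = ("explicit:" + explicit if explicit else
                        "module-default" if unix_default else
                        "suppressed" if unix_nodelay else "no-pam_unix")
    return report

if __name__ == "__main__":
    for service, status in sorted(audit(SAMPLE).items()):
        print(f"{service:8} {status}")
```
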