/etc/failures

kai at uicsrd.csrd.uiuc.edu
Tue Dec 6 18:04:00 AEST 1988


> /* Written by smb at ulysses.homer.nj.att.com */
>
>> kai at uicsrd.csrd.uiuc.edu writes:
>> 1)  If a login of a single account name at a single terminal fails 3 times in
>> a row within a short period of time, that account is temporarily disallowed
>> from logging in on that terminal.
>> 2)  If a login of a single account at multiple terminals fails 3 times in a
>> row, the account is temporarily disallowed from logging in at any terminal.
>> 3)  If logins of any accounts at a single terminal fail 6 times in a row,
>> that terminal is temporarily disabled.
>
> What's a ``terminal'' to be disabled?
> ... folks are using some sort of port selector, front-end switch, Ethernet
> TAC, etc.  It's rare that any physical port can be associated with a
> login attempt.

Our work environment consists of multiple Encore Annex ethernet terminal
servers providing access to any host from any terminal in the building, so I
understand what you're saying.

I would consider all network connections from a single network host, terminal
server, or data switch as a single "terminal" when disallowing logins.
Unfortunately, then someone could temporarily stop all access from a data
switch by purposefully incorrectly logging in multiple times from multiple
accounts.  Does anyone else have any better approach?

This demonstrates a significant advantage of the Annex terminal server over
all other terminal servers or data switches I've ever used, that in a
security conscious environment they can be configured to require a valid
username/password be verified by a local "security server" host before access
to the terminal server command line is given, and to approve and log all
attempts at network connections.  With these features enabled, it's easy to
identify who is attempting a breakin.


Patrick Wolfe  (pat at kai.com, kailand!pat)
System Manager, Kuck and Associates, Inc.

#include <cynical/witty.remark>
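
The three rules quoted above, with a "terminal" taken to be the connecting host, terminal server or data switch as the reply proposes, are expressed below in an added example that is not code from the thread. The window and lockout durations, the `FailureTracker` class and the source names `annex1`/`annex2` are assumptions.

```python
from collections import defaultdict, deque

WINDOW = 300   # assumed length of the "short period of time", in seconds
LOCKOUT = 600  # assumed duration of a temporary lockout, in seconds

class FailureTracker:
    def __init__(self):
        self.fails = defaultdict(deque)  # key -> (time, source) of failures in a row
        self.locked_until = {}           # key -> time at which the lock expires

    def _keys(self, account, source):
        return ("pair", account, source), ("account", account), ("source", source)

    def is_locked(self, account, source, now):
        return any(self.locked_until.get(k, 0) > now for k in self._keys(account, source))

    def _fail(self, key, source, now, limit, need_multi=False):
        q = self.fails[key]
        while q and now - q[0][0] > WINDOW:      # forget failures outside the window
            q.popleft()
        q.append((now, source))
        multi = len({s for _, s in q}) > 1       # failures seen from several sources
        if len(q) >= limit and (multi or not need_multi):
            self.locked_until[key] = now + LOCKOUT
            q.clear()

    def attempt(self, account, source, ok, now):
        pair, acct, src = self._keys(account, source)
        if self.is_locked(account, source, now):
            return "refused"
        if ok:  # a success ends every "in a row" run it belongs to
            for k in (pair, acct, src):
                self.fails.pop(k, None)
            return "ok"
        self._fail(pair, source, now, 3)                   # rule 1: account at one terminal
        self._fail(acct, source, now, 3, need_multi=True)  # rule 2: account, many terminals
        self._fail(src, source, now, 6)                    # rule 3: any accounts, one terminal
        return "failed"

def shared_source_demo():
    """Constructed input: six bad logins for six accounts, all via one terminal server."""
    t = FailureTracker()
    for i in range(6):
        t.attempt(f"user{i}", "annex1", ok=False, now=i)
    return (t.attempt("pat", "annex1", ok=True, now=10),   # behind the same server
            t.attempt("pat", "annex2", ok=True, now=10))   # via another server
```

`shared_source_demo()` returns `("refused", "ok")`: under rule 3 a user with the correct password is refused because of failures from other sessions behind the same terminal server, which is the side effect the message asks about.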


