bruteforce=1

IT_Architect

Is there a time limit for the 100 attempts?

I don't see any mention here http://www.directadmin.com/features.php?id=573 about when the 100 attempts times out. If that is never, that would not be cool, because that would mean a year from now your time would be up, but then you would have forgotten you set bruteforce=1 and be off doing other crazy things like re-installing DA etc. If there is no time limit, I see it of little value and then it should be farmed off to the firewall. If there is a time limit, then it makes sense.

Thanks!
 
Hello,

The session file within DA isn't created until a valid password is passed. The brute force checker isn't session based, it's all IP based, managed server-side.

The time limit is 2 minutes.
Each "last" attempt for an IP is saved into:
/usr/local/directadmin/data/login.hist

The dataskq goes through the login.hist each time it runs to see if there are any entries where the last attempt was more than 2 minutes ago, and removes them.

Looking back on the time that is currently set, we can possibly increase the time to, say, 30 minutes if 2 minutes is too short, or other values if anyone has any suggestions/thoughts/reasons, etc.

John
 
Each "last" attempt for an IP is saved into: /usr/local/directadmin/data/login.hist. The dataskq goes through the login.hist each time it runs to see if there are any entries where the last attempt was more than 2 minutes ago, and removes them.
Meaning that for an IP to get blacklisted, it would need to find 100 or more attempts from the same IP that are less than 2 minutes old? I'll turn it on if it works that way.

Looking back on that time that is currently set, we can possibly increase the time to say 30 minutes if 2 minutes is too short, or other values if anyone has
That's one attempt every 1.2 seconds, 100 times in a row. It's brute force, so anything that knocks it down to human speed levels would be secure in the case of random passwords, but not necessarily against dictionary attacks and short passwords. The frequency is already adjustable by changing the brutecount=. You wouldn't want it set too tight without an automatic mechanism to remove it from the blacklist. The only way it wouldn't work is if DirectAdmin's turnaround from the login was >= 1.2 seconds, since that would make it impossible to attain the default 100 attempts.

any suggestions/thoughts/reasons, etc.
The only way you will be able to kill off all of your critics is to have adjustable parameters in the admin CP such as:
bruteforcecount=5 (5 attempts)[Null or zero turns it off]
bruteforcetime=2 (in 2 minutes)[Null or zero turns it off]
bruteforcetimeout=30 (blacklist for 30 minutes.) [Null or zero for manual removal]
*You may need to adjust for backward compatibility.

What I really think is you need a security section in the control panel that allows admins to configure the security to the level they need. This is one element of several that need to be exposed.

Thanks Tons!
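The mechanism John describes (one "last attempt" record per IP, a count threshold, and a periodic dataskq-style sweep that drops records idle for more than 2 minutes) together with the blacklist timeout IT_Architect proposes, as an added model that is not DirectAdmin's own code. Only brutecount and the 100-attempt / 2-minute values come from the thread; BruteForceTracker, Attempt, sweep, blacklist_for and the explicit `now` timestamps are my own assumptions so the logic can be exercised without a clock.

```python
from dataclasses import dataclass, field


@dataclass
class Attempt:
    count: int    # failed logins seen from this IP
    last: float   # time of the most recent failure


@dataclass
class BruteForceTracker:
    brutecount: int = 100          # attempts before blacklisting (page default)
    window: float = 120.0          # seconds before a record is stale (page: 2 minutes)
    blacklist_for: float = 1800.0  # hypothetical bruteforcetimeout, 30 minutes
    hist: dict = field(default_factory=dict)       # models login.hist: ip -> Attempt
    blacklist: dict = field(default_factory=dict)  # ip -> time it was blacklisted

    def is_blacklisted(self, ip: str, now: float) -> bool:
        t = self.blacklist.get(ip)
        return t is not None and now - t <= self.blacklist_for

    def record_failure(self, ip: str, now: float) -> bool:
        """Record one failed login; return True if the IP is (now) blacklisted."""
        if self.is_blacklisted(ip, now):
            return True
        entry = self.hist.get(ip)
        # If the previous attempt is older than the window the record is
        # as good as swept (dataskq only runs periodically), so restart.
        if entry is None or now - entry.last > self.window:
            entry = Attempt(count=0, last=now)
        entry.count += 1
        entry.last = now
        self.hist[ip] = entry
        if entry.count >= self.brutecount:
            self.blacklist[ip] = now
            del self.hist[ip]
            return True
        return False

    def sweep(self, now: float) -> int:
        """dataskq-style pass: drop login.hist records idle longer than the
        window and lift blacklist entries older than blacklist_for."""
        stale = [ip for ip, e in self.hist.items() if now - e.last > self.window]
        lifted = [ip for ip, t in self.blacklist.items() if now - t > self.blacklist_for]
        for ip in stale:
            del self.hist[ip]
        for ip in lifted:
            del self.blacklist[ip]
        return len(stale) + len(lifted)
```

With the defaults, 100 failures 1.2 seconds apart trip the threshold on the hundredth, while failures spaced more than 2 minutes apart never accumulate past a count of 1, which is the behaviour the two posts above reason about.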
 