
Failed login attempt threshold - When to investigate?

(@mdcr)
 

For the record, programmers working from 730 to 1745

  • are NOT programmers (that usually work from 2012 to 423 on odd days and holidays ;) )
  • are NOT allowed to take vacations, let alone long ones
  • if they are programmers, they usually remember their password all right

Apparent probability level of mentioned example happening in real life between 0.47% and 0.63%.

A very generalised statement. Corporate culture varies from country to country, even city to city and corporation to corporation. At some jobs, you are forced to work during normal business hours because it requires you to interact with others, in other cases (smaller corporations) you can plan your own working hours. But what do I know? I've only worked in various positions in the IT-business for 2 decades.

To go back on topic: it is not wise to assume that everyone/everywhere is the same. The baseline for the current environment is what decides what is normal and what is not, even 2012 to 423 can be the norm unless it is changing and not recurring, it can also be an indicator of social problems.


   
jaclaz
(@jaclaz)
 

A very generalised statement. Corporate culture varies from country to country, even city to city and corporation to corporation. At some jobs, you are forced to work during normal business hours because it requires you to interact with others, in other cases (smaller corporations) you can plan your own working hours. But what do I know? I've only worked in various positions in the IT-business for 2 decades.

Sure :), I was kidding.

That's what emoticons are for, to try and convey the "tone" with which something is said/written.

jaclaz


   
(@darksyn)
 

Generally speaking, you shouldn't be investigating solely failed logon attempts.

If possible you should collate information from, and correlate that information with, other logfiles from other services as well as IDS and firewall logs.

A basic understanding of how bruteforcing, manual and automated alike, works is also mandatory if you are to understand what sort of thresholds apply (most skiddies, for instance, won't mess with pre-programmed bruteforcer settings because they don't know how to do so).

Another idea would be to sit down and take a look at what tools like portsentry & denyhosts do and how they go about doing what they do and what sort of settings they have in their config files.

You should find plenty of material regarding bruteforcing and anti-bruteforcing techniques out there, it's an old technique with equally old countermeasures.

And you should be particularly careful of the whole threshold bit, especially since there is no one specific threshold that applies universally. You usually have to adjust it on a relatively regular basis, taking into account variations such as trend and seasonality.

Plenty of literature out there (in scientific publications and hacker ezines alike) for all this.
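The points raised in this thread (the local baseline decides what is normal, and thresholds have to follow seasonality) can be sketched as below. This is an added example, not part of any post above; the hourly counts are constructed, and the function names, `k` multiplier and `floor` value are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

def slot(ts):
    # Seasonal bucket: Monday 03:00 is only compared with earlier Mondays at 03:00.
    return (ts.weekday(), ts.hour)

def build_baseline(history):
    """history: (datetime, failed_logins_in_that_hour) pairs -> {slot: (median, MAD)}."""
    buckets = defaultdict(list)
    for ts, count in history:
        buckets[slot(ts)].append(count)
    baseline = {}
    for key, counts in buckets.items():
        med = median(counts)
        baseline[key] = (med, median(abs(c - med) for c in counts))
    return baseline

def threshold(baseline, ts, k=5.0, floor=5):
    # Median plus k scaled MADs; the floor stops 2-vs-0 noise in quiet slots from alerting.
    med, mad = baseline.get(slot(ts), (0, 0))
    return max(floor, med + k * 1.4826 * mad)

def flag(baseline, observations, k=5.0, floor=5):
    return [(ts, n) for ts, n in observations if n > threshold(baseline, ts, k, floor)]

def sample_history(weeks=4, start=datetime(2024, 1, 1)):  # constructed data; a Monday
    rows = []
    for h in range(weeks * 7 * 24):
        ts, jitter = start + timedelta(hours=h), (h // 168 + h) % 3
        if ts.weekday() < 5 and 8 <= ts.hour < 18:
            rows.append((ts, 12 + jitter))      # office hours
        elif ts.hour >= 20 or ts.hour < 4:
            rows.append((ts, 4 + jitter))       # night shift that is normal in this environment
        else:
            rows.append((ts, jitter))           # quiet hours
    return rows

BASELINE = build_baseline(sample_history())
NEW_WEEK = [                                     # constructed observations, week 5
    (datetime(2024, 1, 29, 10), 15),             # Monday 10:00, busy but ordinary
    (datetime(2024, 1, 29, 22), 8),              # Monday 22:00, night shift
    (datetime(2024, 1, 30, 5), 9),               # Tuesday 05:00, normally near zero
    (datetime(2024, 1, 31, 14), 40),             # Wednesday 14:00, burst
]

if __name__ == "__main__":
    for ts, n in flag(BASELINE, NEW_WEEK):
        print(f"investigate {ts:%a %H:%M}: {n} failures, limit {threshold(BASELINE, ts):.1f}")
```

A single fixed limit of 10 per hour would alert on the ordinary Monday 10:00 count and miss the Tuesday 05:00 one; the per-slot baseline does the opposite. Rebuilding the baseline on a rolling window is one way to follow trend as well.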


   