For the record, programmers working from 7:30 to 17:45
- are NOT programmers (those usually work from 20:12 to 4:23 on odd days and holidays ;) )
- are NOT allowed to take vacations, let alone long ones
- if they are programmers, they usually remember their password all right
Apparent probability level of mentioned example happening in real life between 0.47% and 0.63%.
A very generalised statement. Corporate culture varies from country to country, even city to city and corporation to corporation. At some jobs you are forced to work during normal business hours because the job requires you to interact with others; in other cases (smaller corporations) you can plan your own working hours. But what do I know? I've only worked in various positions in the IT business for two decades.
To go back on topic: it is not wise to assume that everyone/everywhere is the same. The baseline for the current environment is what decides what is normal and what is not; even 20:12 to 4:23 can be the norm, unless it is changing and not recurring. It can also be an indicator of social problems.
Sure :), I was kidding.
That's what emoticons are for, to try and convey the "tone" with which something is said/written.
jaclaz
Generally speaking, you shouldn't be investigating solely failed logon attempts.
If possible you should collate information from, and correlate that information with, other logfiles from other services as well as IDS and firewall logs.
A basic understanding of how bruteforcing, manual and automated alike, works is also mandatory if you are to understand what sort of thresholds apply (most skiddies, for instance, won't mess with pre-programmed bruteforcer settings because they don't know how to do so).
Another idea would be to sit down and take a look at what tools like portsentry & denyhost do and how they go about doing what they do and what sort of settings they have in their config files.
You should find plenty of material regarding bruteforcing and anti-bruteforcing techniques out there; it's an old technique with equally old countermeasures.
And you should be particularly careful of the whole threshold bit, especially since there is no one specific threshold that applies universally. You usually have to adjust it on a relatively regular basis, taking into account variations such as trend and seasonality.
Plenty of literature out there (in scientific publications and hacker ezines alike) for all this.
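As an added example (not code from any poster in this thread), here is what the two points above look like in practice: the baseline of the environment, not a fixed number, decides the threshold, and a failed-logon burst is correlated with the accepted logons around it rather than reviewed on its own. The sshd log lines, the per-hour history of failure counts, and the window and sigma parameters are all constructed for illustration; in a real review the history comes from weeks of your own logs and is rebuilt as the environment drifts.

```python
"""Baseline-aware review of failed logons (added example, not from the thread).

Everything below (log lines, HISTORY, parameters) is constructed sample data.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style sshd lines: a night-time burst from one source
# followed by an accepted logon, and one ordinary morning typo.
SAMPLE_LOG = """\
Mar  3 02:14:01 host sshd[101]: Failed password for root from 203.0.113.5 port 40001 ssh2
Mar  3 02:14:03 host sshd[102]: Failed password for root from 203.0.113.5 port 40002 ssh2
Mar  3 02:14:05 host sshd[103]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
Mar  3 02:14:06 host sshd[104]: Failed password for invalid user test from 203.0.113.5 port 40004 ssh2
Mar  3 02:14:08 host sshd[105]: Failed password for root from 203.0.113.5 port 40005 ssh2
Mar  3 02:14:09 host sshd[106]: Failed password for root from 203.0.113.5 port 40006 ssh2
Mar  3 02:15:40 host sshd[107]: Accepted password for root from 203.0.113.5 port 40007 ssh2
Mar  3 09:02:11 host sshd[108]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Mar  3 09:02:20 host sshd[109]: Accepted password for alice from 198.51.100.7 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Constructed baseline: failed-logon counts seen per 5-minute window, keyed by
# hour of day. Nights are quiet; 09:00 is noisy because people mistype.
HISTORY = {h: [0, 0, 1, 0, 0, 2, 0, 1] for h in range(24)}
HISTORY[9] = [3, 5, 4, 6, 8, 4, 5, 7]


def parse(log, year=2024):
    """Turn sshd lines into events; syslog omits the year, so one is assumed."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a password auth line; other formats need their own regex
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "outcome": m["outcome"], "user": m["user"], "ip": m["ip"]})
    return events


def baseline_threshold(history, hour, k=3.0, floor=5):
    """Threshold for one hour of day: mean + k*stdev of what that hour normally
    shows, never below `floor` so a quiet hour does not alert on a single typo."""
    counts = history.get(hour, [0])
    sd = statistics.pstdev(counts) if len(counts) > 1 else 0.0
    return max(floor, statistics.fmean(counts) + k * sd)


def failed_bursts(events, window_minutes=5):
    """Count failures per (source ip, fixed window start)."""
    counts = defaultdict(int)
    for e in events:
        if e["outcome"] != "Failed":
            continue
        start = e["ts"].replace(second=0, microsecond=0)
        start -= timedelta(minutes=start.minute % window_minutes)
        counts[(e["ip"], start)] += 1
    return counts


def review(events, history, window_minutes=5, k=3.0, floor=5, followup_minutes=10):
    """Flag bursts above the hour's baseline and correlate them with accepted
    logons from the same source shortly after; a hit escalates the finding."""
    findings = []
    successes = [e for e in events if e["outcome"] == "Accepted"]
    for (ip, start), n in sorted(failed_bursts(events, window_minutes).items()):
        thr = baseline_threshold(history, start.hour, k, floor)
        if n <= thr:
            continue
        users = sorted({e["user"] for e in events if e["ip"] == ip and e["outcome"] == "Failed"})
        end = start + timedelta(minutes=window_minutes + followup_minutes)
        hits = [e for e in successes if e["ip"] == ip and start <= e["ts"] <= end]
        findings.append({
            "ip": ip, "window_start": start, "failures": n, "threshold": round(thr, 2),
            "users": users, "severity": "high" if hits else "medium",
            "accepted_after_burst": [(e["ts"], e["user"]) for e in hits],
        })
    return findings


if __name__ == "__main__":
    for f in review(parse(SAMPLE_LOG), HISTORY):
        print(f)
```

Run as-is it reports one finding: six failures from 203.0.113.5 in the 02:10 window against a night-time threshold of 5, rated high because the same source had an accepted root logon a minute later. The single 09:02 failure from 198.51.100.7 is not reported because the 09:00 baseline allows roughly ten failures per window. The same six failures at 09:00 would stay below the threshold, which is the point: the number that means "attack" is a property of the environment and the hour, and the history behind it has to be refreshed as trend and seasonality move.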