Perl 6 - the future is here, just unevenly distributed

IRC log for #crimsonfu, 2016-06-09

crimsonfu - sysadmins who code


All times shown according to UTC.

Time Nick Message
01:29 pdurbin Huh, I wonder if this is true: http://theinvisiblethings.blogspot.com/2011/04/linux-security-circus-on-gui-isolation.html
05:36 skay_ joined #crimsonfu
05:36 prologic joined #crimsonfu
05:36 westmaas joined #crimsonfu
06:07 skay_ joined #crimsonfu
06:08 prologic joined #crimsonfu
11:11 hydrajump pdurbin: I got some advice from a pentester regarding mitigation of password bruteforcing
11:11 hydrajump he suggested rate limiting per IP **and** account
11:12 hydrajump also mentioned a concept called "entry rate limiting" meaning that a user can only enter a password every 5 seconds
11:13 hydrajump this will make bruteforcing "impossible" in his words
11:13 hydrajump at least very difficult and won't really cause any issues for a legitimate user
11:14 hydrajump hope that helps
11:30 pdurbin hydrajump: it helps a lot. Thanks! If you feel like it, please feel free to leave a comment at https://github.com/IQSS/dataverse/issues/3153
12:26 bene you could rate limit like iOS pin entries
12:26 bene you get 3 bad ones as fast as you like
12:26 bene 4th attempt you have to wait 60 seconds
12:27 bene or 30/60/120/300/900
12:27 bene i don't remember the exact number
12:27 bene but as you get close to 10 bad passwords you have to wait 24 hours to enter it
12:59 pdurbin bene: yeah, a similar idea was floated as "maybe tarpit failed attempts with increasing lag on failures" at http://irclog.iq.harvard.edu/dataverse/2016-06-08#i_36465
13:00 bene it's a nice solution because it limits automated attacks and random griefer lockouts
13:03 pdurbin yeah
13:03 pdurbin this seems like a nice write up: http://timoh6.github.io/2015/05/07/Rate-limiting-web-application-login-attempts.html
13:05 pdurbin nothing about increasing lag though
13:10 pdurbin here we go: exponential backoff: https://github.com/kickstarter/rack-attack/wiki/Advanced-Configuration#exponential-backoff
13:10 pdurbin https://devcentral.f5.com/articles/implementing-the-exponential-backoff-algorithm-to-thwart-dictionary-attacks
13:11 pdurbin "The purpose of the exponential backoff algorithm is to increase the time between subsequent login attempts exponentially."
