[IRCServices] auto suspension after invalid passwords

Jonathan Morton chromi at cyberspace.org
Fri Mar 23 15:36:00 PST 2001


>Imho, the feature has good intentions but isn't very robust. Let's look at
>what it's trying to do:
>
>- Prevent a user from brute forcing the nick's password.
>
>What are we currently doing to prevent this:
>
>- Kill the user after X invalid passwords. This allows opers to see who is
>getting a password wrong _a lot_. They can then akill the person's host.
>
>What is the current method lacking:
>
>- If there are no active opers (ooops), then the user could get away with it
>for a while. So basically a temp akill might suffice. At least it would make
>it slightly harder for the user to brute force the nickname effectively.
>
>Finally, the chances of someone brute forcing a nickname's password are
>already small - seeing as we have a minimum password length. So, maybe this
>extra security is unnecessary?

Maybe I'm biased because it was my idea, but I think the temp AKILL would
work splendidly.  If the abuser reconnects before the AKILL expires, a
k:line is automatically added - no oper interference needed.  If by chance
it was a genuine mistake on the part of the user, they can e-mail the
admins and get the k:line lifted (when the next oper comes along), and
everything is fine.

If the abuser reconnects on a different IP, he eventually runs out of IPs -
also if an oper is watching the status window he can get rid of the abuser
without problems.  If the abuser is smart enough to wait for the AKILL
timeout before attempting to reconnect in the first place, this still slows
him down (probably enough to make it not worth his while).

I'm a strong believer in letting the server do as much work as cannot
possibly be handled by anyone other than the oper.  On any decent-sized
network, the workload on a given oper must be tremendous - anything the
server can do to reduce problems (while not introducing new ones) has to be
a good thing.

--------------------------------------------------------------
from:     Jonathan "Chromatix" Morton
mail:     chromi at cyberspace.org  (not for attachments)
big-mail: chromatix at penguinpowered.com
uni-mail: j.d.morton at lancaster.ac.uk

The key to knowledge is not to rely on people to teach you it.

Get VNC Server for Macintosh from http://www.chromatix.uklinux.net/vnc/

-----BEGIN GEEK CODE BLOCK-----
Version 3.12
GCS$/E/S dpu(!) s:- a20 C+++ UL++ P L+++ E W+ N- o? K? w--- O-- M++$ V? PS
PE- Y+ PGP++ t- 5- X- R !tv b++ DI+++ D G e+ h+ r++ y+(*)
-----END GEEK CODE BLOCK-----
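The escalating lockout described in this message (temporary AKILL after X bad passwords, automatic K:line if the host reconnects before it expires, status-window lines for opers) as an added, self-contained simulation. This is example code written for this page, not IRC Services code; the class and method names (LockoutPolicy, on_connect, on_password_result), the threshold of 3 failures, the 600-second ban length and the host names are all assumptions constructed for the demo.

```python
"""Escalating lockout after repeated invalid passwords (added example).

Models the scheme discussed in the thread: after MAX_FAILURES bad
passwords from a host, place a temporary AKILL with an expiry; if the
same host reconnects while that AKILL is still active, escalate to a
K:line with no oper involvement. A host that waits out the expiry is
let back in but starts from zero failures, so it is slowed down rather
than locked out forever. All names and numbers here are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

MAX_FAILURES = 3        # "X invalid passwords" in the thread; assumed value
TEMP_BAN_SECONDS = 600  # assumed length of the temporary AKILL


@dataclass
class HostState:
    failures: int = 0
    temp_ban_until: Optional[float] = None  # absolute time the temp AKILL expires
    kline: bool = False                     # permanent ban once escalated


class LockoutPolicy:
    def __init__(self, max_failures: int = MAX_FAILURES,
                 temp_seconds: int = TEMP_BAN_SECONDS) -> None:
        self.max_failures = max_failures
        self.temp_seconds = temp_seconds
        self.hosts: dict[str, HostState] = {}
        self.log: list[str] = []  # what an oper would see in the status window

    def _state(self, host: str) -> HostState:
        return self.hosts.setdefault(host, HostState())

    def on_connect(self, host: str, now: float) -> str:
        """Decide what happens when `host` connects at time `now`.

        Returns 'allow', or 'klined' when the host is permanently banned
        (including the moment it reconnects during an active temp AKILL).
        """
        st = self._state(host)
        if st.kline:
            return "klined"
        if st.temp_ban_until is not None:
            if now < st.temp_ban_until:
                # Reconnecting before the AKILL expired: escalate to K:line.
                st.kline = True
                self.log.append(f"{now:.0f} K:line {host} (reconnected during temp AKILL)")
                return "klined"
            # The ban ran out; forget it and start counting failures afresh.
            st.temp_ban_until = None
            st.failures = 0
        return "allow"

    def on_password_result(self, host: str, ok: bool, now: float) -> str:
        """Record one password attempt from `host`.

        Returns 'ok' (counter reset), 'fail', or 'temp-banned' when the
        failure threshold is reached and a temporary AKILL is placed.
        """
        st = self._state(host)
        if ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        self.log.append(f"{now:.0f} bad password from {host} "
                        f"({st.failures}/{self.max_failures})")
        if st.failures >= self.max_failures:
            st.temp_ban_until = now + self.temp_seconds
            self.log.append(f"{now:.0f} temp AKILL {host} for {self.temp_seconds}s")
            return "temp-banned"
        return "fail"


def run_scenario(policy: LockoutPolicy, events: list[tuple]) -> list[str]:
    """Replay constructed events: ('connect', host, t) or ('pw', host, ok, t)."""
    out = []
    for ev in events:
        if ev[0] == "connect":
            out.append(policy.on_connect(ev[1], ev[2]))
        else:
            out.append(policy.on_password_result(ev[1], ev[2], ev[3]))
    return out


if __name__ == "__main__":
    # Constructed scenario: host A hammers the password and reconnects at once;
    # host B hits the threshold but waits for the AKILL to expire.
    events = [
        ("connect", "hostA", 0), ("pw", "hostA", False, 1),
        ("pw", "hostA", False, 2), ("pw", "hostA", False, 3),
        ("connect", "hostA", 10),
        ("connect", "hostB", 0), ("pw", "hostB", False, 1),
        ("pw", "hostB", False, 2), ("pw", "hostB", False, 3),
        ("connect", "hostB", 700),
    ]
    p = LockoutPolicy()
    print(run_scenario(p, events))
    print("\n".join(p.log))
```

The escalation step is what removes the need for an oper to be awake: the server alone turns "tried again too soon" into a K:line, and the log lines give an oper watching the status window the same view the thread mentions.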