Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!usc!zaphod.mps.ohio-state.edu!uakari.primate.wisc.edu!aplcen!uunet!world!bzs
From: bzs@world.std.com (Barry Shein)
Newsgroups: comp.unix.internals
Subject: Re: Finding Passwords
Message-ID:
Date: 29 Sep 90 01:16:40 GMT
References: <3346:Sep2422:01:3090@kramden.acf.nyu. <936@mwtech.UUCP> <25680:Sep2805:58:2290@kramden.acf.nyu.edu>
Sender: bzs@world.std.com (Barry Shein)
Organization: The World
Lines: 55
In-Reply-To: brnstnd@kramden.acf.nyu.edu's message of 28 Sep 90 05:58:22 GMT

Dan Bernstein responding to me...

>> One simple and non-intrusive defense against most such attacks would
>> be if, on successful login, the system would just tell you how many
>> unsuccessful login attempts there have been on your account.
>
>That only defends against login spoofs.

Um, that's what we were talking about.

But it also warns about a lot of bad login attempts. Both of these are
basic and nicely and easily side-step a lot of the much harder
defenses people were suggesting.

>It does absolutely nothing for the sort of Trojan Horse that we're
>discussing.

What were "we" discussing? I thought we were discussing login spoofs?

It would be easy enough (and certainly not mutually exclusive) to add
the other info you mention. In fact, most of the additional info you
suggest is already available via the "last" command on most systems
and could easily be reformatted in a login script with a shell
one-liner (ok, maybe a few-liner, but nothing hairy.)

But currently the number of bad attempts at your account is largely
unavailable (getty does log it to the console/syslog on some systems,
so that might do it if this were universally accepted, just grovel
thru a log file.)

A lot of it does come down to not fatiguing the one thing all this
relies on: The person logging in. It's only useful if they look at the
info and think for a moment.
I think if a half a screenful of info were spewed at you on every
login you'd start to ignore it real fast (maybe not you personally,
but most people, how many people seem to have stopped reading the motd
on your system long ago? Try putting a line in your motd to mail to
you if they read this and see how many actually notice it.)

That's why I like, at least, the very short:

	term = (vt100)?
	No new messages.
	3 bad login attempts since last successful login.
	%

let's see your output.

--
        -Barry Shein

Software Tool & Die    | {xylogics,uunet}!world!bzs | bzs@world.std.com
Purveyors to the Trade | Voice: 617-739-0202        | Login: 617-739-WRLD
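
The one-line notice described in the post above, as an added example that is not part of the original message. The log format, the function names and the user names are constructed for illustration, and the login in progress is assumed to be already recorded as the user's most recent OK line.

```shell
#!/bin/sh
# Assumed, constructed log format (not a real getty/syslog layout):
#   <epoch-seconds> <OK|FAIL> <user> <tty>

# bad_since_last_ok USER LOGFILE
# Prints how many FAIL records USER has between the previous OK record and
# the most recent OK record (assumed to be the login now in progress).
bad_since_last_ok() {
    awk -v u="$1" '
        NF != 4 || $1 !~ /^[0-9]+$/ { next }   # skip malformed lines
        $3 != u                     { next }   # exact match, not a substring
        $2 == "FAIL"                { pending++ }
        $2 == "OK"                  { before_login = pending; pending = 0 }
        END                         { print before_login + 0 }
    ' "$2"
}

# login_notice USER LOGFILE
# Prints one short line, and only when there is something to report, so the
# person logging in is not trained to skip it. Only the count is printed:
# fields from failed attempts are typed by whoever made the attempt and
# should never be echoed to a terminal.
login_notice() {
    n=$(bad_since_last_ok "$1" "$2") || return 1
    [ "$n" -gt 0 ] || return 0
    if [ "$n" -eq 1 ]; then
        echo "1 bad login attempt since last successful login."
    else
        echo "$n bad login attempts since last successful login."
    fi
}

# Constructed sample log so the script runs stand-alone.
demo_log() {
    cat <<'EOF'
654000000 OK alice ttyp0
654000100 FAIL alice ttyp3
654000130 FAIL alicia ttyp3
654000160 FAIL alice ttyp3
garbled line from a noisy modem
654000200 FAIL alice ttyp4
654000300 OK alice ttyp1
654000400 FAIL alice ttyp5
EOF
}

tmp=$(mktemp) && demo_log > "$tmp" && login_notice alice "$tmp"; rm -f "$tmp"
```

The failure logged after the final OK line is not lost: it stays pending and is reported at the next successful login.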