I was wondering if anyone is using any software/appliance to mitigate or detect brute force attacks.  Do you do anything with blocking an IP on N number of failed attempts within a timeframe or anything similar?  Is there anything specific to something like OpenLDAP or AD?

 

-Paul

Comments

* Hodgdon, Paul [2013-03-06 16:43]:
> I was wondering if anyone is using any software/appliance to
> mitigate or detect brute force attacks. Do you do anything with
> blocking an IP on N number of failed attempts within a timeframe or
> anything similar? Is there anything specific to something like
> OpenLDAP or AD?

Not really what you're looking for but OpenLDAP has the password policy "overlay":

http://www.openldap.org/software/man.cgi?query=slapo-ppolicy

This is specific to an individual object in the DIT (e.g. representing your user account) and often the IP address will not be of the attacker but of a service using the DSA for authN/authZ purposes (e.g. the IMAP service or a webserver).

-peter

SJES has native support for account lock out. I'd be surprised if OpenLDAP doesn't as well. We have developed our own LDAP Kerberos plug-in compatible with SJES and 389. It logs IP addresses for reporting purposes, but instead of locking out accounts it exponentially slows failed password responses. This has the benefit of disabling brute force attacks while not negatively impacting the valid user.

Regards,

Brendan Bellina
IdM Mgr
USC
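
A minimal sketch of the per-entry exponential slow-down described in the reply above, added here as an illustration; it is not the USC plug-in's code. The class name, parameters and default values are assumptions, and state is keyed on the bind DN rather than the client IP because, as noted earlier in the thread, the IP is often that of a service such as IMAP or a web server.

```python
import time

class FailedBindThrottle:
    """Exponentially growing hold on failed bind responses, tracked per entry.

    Hypothetical helper: an LDAP front end or plug-in would call
    on_bind_result() and wait the returned number of seconds before answering.
    The hold only bounds the guess rate if attempts against one entry are
    processed one at a time.
    """

    def __init__(self, base=0.5, cap=300.0, window=900.0, clock=time.monotonic):
        self.base, self.cap, self.window = base, cap, window  # all in seconds
        self.clock = clock
        self.failures = {}  # normalized DN -> (consecutive failures, time of last)
        self.audit = []     # (time, DN, client IP, count): for reporting only

    @staticmethod
    def _key(dn):
        return dn.strip().lower()  # simplified; real DN normalization is stricter

    def on_bind_result(self, dn, success, client_ip=None):
        """Return the seconds to hold this response before sending it."""
        key, now = self._key(dn), self.clock()
        if success:
            self.failures.pop(key, None)  # valid user: no hold, counter cleared
            return 0.0
        count, last = self.failures.get(key, (0, now))
        if now - last > self.window:
            count = 0                     # old failures age out, nobody is locked
        count += 1
        self.failures[key] = (count, now)
        self.audit.append((now, key, client_ip, count))
        # Exponent is clamped so a long failure streak cannot overflow a float.
        return min(self.cap, self.base * 2 ** min(count - 1, 32))

if __name__ == "__main__":
    # Constructed sample: five wrong passwords for one entry, then the real one.
    throttle = FailedBindThrottle()
    dn = "uid=alice,ou=people,dc=example,dc=edu"
    for attempt in range(5):
        print("failed bind, hold", throttle.on_bind_result(dn, False, "192.0.2.10"))
    print("good bind, hold", throttle.on_bind_result(dn, True, "192.0.2.10"))
```

Unlike a hard lockout, a successful bind is answered immediately and clears the counter, so repeated failures from someone else do not shut the account's owner out.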
