[ZendTo] Re: Local IP and Request Code

Jason Ede J.Ede at birchenallhowden.co.uk
Mon Mar 21 09:32:23 GMT 2011


Yes, but if you only have machines trying a few codes at a time and then moving on, which you could see with a botnet, then fail2ban won't help much, as by the time it responds it's too late, as that machine has stopped trying.

From: zendto-bounces at zend.to [mailto:zendto-bounces at zend.to] On Behalf Of Barry Kwok
Sent: 21 March 2011 09:21
To: ZendTo Users
Subject: [ZendTo] Re: Local IP and Request Code


On Mon, Mar 21, 2011 at 5:08 PM, Jules <Jules at zend.to> wrote:


On 21/03/2011 08:47, Barry Kwok wrote:
2. Request code
Should it be easier to dictate over the phone if it used digits instead? (e.g. 5 digits. I think it is secure enough.)

It would need to be a lot more than 5 digits. Imagine what happens if someone tries to break it with 10,000 PCs all trying 5 numbers per second, which is quite possible. You need to be proof against massive-scale attacks like that, or they can and will brute-force it. I would say 9 digits at least. At which point 3 words are probably more reliably input.





I think brute-force attacks should be protected against by other means instead, e.g. fail2ban can block IP addresses by reading a log file.

-- barry
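
Added example, not part of the original thread or of ZendTo's code: a Python sketch of the two points argued above, using the thread's figures (10,000 machines at 5 guesses per second). The per-IP rule is a simplified model of fail2ban's `maxretry`/`findtime` behaviour; the global failure counter, the function names and the sample log are constructed assumptions.

```python
# Figures from the thread: 10,000 machines, 5 guesses per second each.
BOTS, RATE_PER_BOT = 10_000, 5

def seconds_to_exhaust(digits, bots=BOTS, rate=RATE_PER_BOT):
    """Worst-case time to try every numeric code of the given length."""
    return 10 ** digits / (bots * rate)

def per_ip_bans(events, maxretry, findtime):
    """Simplified fail2ban-style rule: ban an IP once it logs
    maxretry failures within findtime seconds."""
    recent, banned = {}, set()
    for ts, ip in events:
        window = [t for t in recent.get(ip, []) if ts - t < findtime] + [ts]
        recent[ip] = window
        if len(window) >= maxretry:
            banned.add(ip)
    return banned

def global_alarm(events, limit, window):
    """First timestamp at which failures from all IPs combined reach
    `limit` within `window` seconds, or None (hypothetical extra check)."""
    times = []
    for ts, _ip in events:
        times = [t for t in times if ts - t < window] + [ts]
        if len(times) >= limit:
            return ts
    return None

def constructed_botnet_log(bots=200, guesses_each=3, bots_per_second=20):
    """Constructed sample log of (timestamp, ip) failures: each bot
    guesses a few codes in one second and never comes back."""
    events = []
    for b in range(bots):
        ip = f"198.51.100.{b}"  # documentation address range
        events += [(b // bots_per_second, ip)] * guesses_each
    return events

if __name__ == "__main__":
    for digits in (5, 9):
        print(f"{digits} digits: {seconds_to_exhaust(digits):,.0f} s to exhaust")
    log = constructed_botnet_log()
    print("per-IP bans:", per_ip_bans(log, maxretry=5, findtime=600))
    print("global alarm at t =", global_alarm(log, limit=50, window=10))
```

With these figures a 5-digit code space is covered in 2 seconds and a 9-digit one in about five and a half hours, while the per-IP rule bans none of the low-rate sources in the sample log.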