[ZendTo] Re: Local IP and Request Code
Jason Ede
J.Ede at birchenallhowden.co.uk
Mon Mar 21 09:32:23 GMT 2011
Yes, but if you only have machines trying a few codes at a time and then moving on, which you could see with a botnet, then fail2ban won't help much, as by the time it responds it's too late: that machine has stopped trying.
From: zendto-bounces at zend.to [mailto:zendto-bounces at zend.to] On Behalf Of Barry Kwok
Sent: 21 March 2011 09:21
To: ZendTo Users
Subject: [ZendTo] Re: Local IP and Request Code
On Mon, Mar 21, 2011 at 5:08 PM, Jules <Jules at zend.to> wrote:
On 21/03/2011 08:47, Barry Kwok wrote:
2. Request code
Should it be easier to dictate over the phone if we use digits instead? (e.g. 5 digits. I think it is secure enough.)
It would need to be a lot more than 5 digits. Imagine what happens if someone tries to break it with 10,000 PCs all trying 5 numbers per second, which is quite possible. You need to be proof against massive-scale attacks like that, or they can and will brute-force it. I would say 9 digits at least. At which point 3 words are probably more reliably input.
I think brute-force attacks should be protected against by other means instead, e.g. fail2ban can block an IP address by reading a log file.
-- barry
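
Added example (not part of the original thread, and not ZendTo or fail2ban code): the two arguments above worked through in Python, using Jules's figures of 10,000 hosts at 5 guesses per second and a constructed list of failure events. The function names, thresholds and sample addresses are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

def exhaust_seconds(digits, hosts, guesses_per_host_per_sec):
    """Worst-case seconds to try every numeric code of this length."""
    return 10 ** digits / (hosts * guesses_per_host_per_sec)

def per_ip_bans(events, maxretry=5, findtime=600):
    """Per-source rule: ban an IP after maxretry failures within findtime s."""
    recent, banned = defaultdict(deque), set()
    for ts, ip in events:
        if ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > findtime:   # drop failures older than the window
            q.popleft()
        if len(q) >= maxretry:
            banned.add(ip)
    return banned

def global_alarm_time(events, limit=50, window=600):
    """Source-independent rule: first time total failures in window exceed limit."""
    q = deque()
    for ts, _ip in events:
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > limit:
            return ts
    return None

def constructed_botnet(hosts=200, tries_per_host=3):
    """Constructed sample: each source fails a few times, then never returns."""
    return [(h * 10 + k, f"198.51.100.{h}")
            for h in range(hosts) for k in range(tries_per_host)]

if __name__ == "__main__":
    # 5 digits vs 9 digits at 10,000 hosts x 5 guesses/s
    print(exhaust_seconds(5, 10_000, 5), exhaust_seconds(9, 10_000, 5))
    events = constructed_botnet()
    print(per_ip_bans(events), global_alarm_time(events))
```

With these constructed events no address ever reaches the per-IP threshold, while the aggregate failure counter trips early in the run; a single noisy address is still caught by the per-IP rule.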