addition to policy.conf

Brian Candler B.Candler at pobox.com
Wed Jun 6 12:15:17 CEST 2012


On Wed, Jun 06, 2012 at 01:33:35AM +0100, Matthew Newton wrote:
> > Has anyone actually *measured* what proportion of their failed logins are
> > due to usernames containing two dots, or realms which start or end with a
> > dot, or the other things the OP's regexp tests rejected?
> 
> Random sample - the whole month of May. awk/grep stats at 1am, and
> I'm ill and tired - so you choose whether to trust it or not:
> 
> 
> Less than 10 logins that had '..', or '@.' or ended in '.'.
> 
> However, 19 unique usernames that included a ' ', which consisted
> of over 15,000 login attempts, of which 11,000 were one user.
> That's one of the problems - some broken (IMO) supplicants just
> keep trying. That individual's problem? A space on the end.
> 
> Number of unique usernames with random characters - '=', '/', '#',
> ';', ',', etc. You name it, it's probably there! - around 50.
> 
> Number of login attempts to *.3gppnetwork.org - over 3,000.

Out of interest, the total number of login attempts for the month? And the
total number of rejects for the month? (So the above figures can be
visualised as "percentage of total authentications" and "percentage of total
rejects" respectively)

A more general approach would be to throttle auth attempts for any
particular username after a configured number of failures, which I think
could be done quite efficiently using the new rlm_redis module - but that
involves rather more work to set up than a simple regexp test.

Regards,

Brian.
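The per-username throttle Brian sketches, as an added example that is not part of this thread or of FreeRADIUS: a failure counter with Redis-style INCR/EXPIRE semantics, with an in-memory dict standing in for the store rlm_redis would use (an assumption about that module), replayed over a constructed set of login events in which one supplicant retries a username with a trailing space. Class, function and key names are my own.

```python
from dataclasses import dataclass, field

@dataclass
class FailureThrottle:
    # Per-username failure counter with Redis-style INCR + EXPIRE semantics. A dict stands
    # in for the Redis store rlm_redis would use (an assumption about that module's design).
    # Keys are not normalised: "alice " (trailing space) is a separate key from "alice",
    # so a broken supplicant retrying that name is throttled on its own.
    max_failures: int = 5
    window_seconds: int = 300
    _counters: dict[str, tuple[int, float]] = field(default_factory=dict)  # key -> (count, expiry)

    def _count(self, key: str, now: float) -> int:
        entry = self._counters.get(key)
        if entry is None or entry[1] <= now:      # missing, or TTL has elapsed
            self._counters.pop(key, None)
            return 0
        return entry[0]

    def is_throttled(self, username: str, now: float) -> bool:
        return self._count("authfail:" + username, now) >= self.max_failures

    def record_failure(self, username: str, now: float) -> int:
        key = "authfail:" + username
        count = self._count(key, now)
        if count == 0:                             # INCR on a fresh key, then EXPIRE
            self._counters[key] = (1, now + self.window_seconds)
            return 1
        self._counters[key] = (count + 1, self._counters[key][1])  # INCR keeps the TTL
        return count + 1

    def record_success(self, username: str) -> None:
        self._counters.pop("authfail:" + username, None)  # DEL the counter on success

def simulate(events: list[tuple[float, str, bool]], throttle: FailureThrottle) -> dict[str, int]:
    # Replay (timestamp, username, backend_would_accept) events through the throttle.
    stats = {"throttled": 0, "backend_reject": 0, "accept": 0}
    for ts, user, ok in sorted(events):
        if throttle.is_throttled(user, ts):
            stats["throttled"] += 1               # rejected before reaching the backend
        elif ok:
            throttle.record_success(user)
            stats["accept"] += 1
        else:
            throttle.record_failure(user, ts)
            stats["backend_reject"] += 1
    return stats

# Constructed sample: one supplicant retrying "alice " (trailing space) every 2 s, plus a normal user.
SAMPLE_EVENTS = [(2.0 * i, "alice ", False) for i in range(100)] + [
    (10.0, "bob", True), (11.0, "bob", False), (12.0, "bob", True)]
```

With the defaults, the backend sees only the first five failures for "alice "; the remaining 95 retries are answered by the throttle, and "bob" is unaffected.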

