Read the source, Luke!

A login is allowed at most 10 attempts. After the third attempt, a
backoff starts up. After the tenth, the login fails and is logged.

Look in the source /usr/src/usr.bin/login/login.c, line 523:

		(void)printf("Login incorrect\n");
		failures++;
		/*
		 * we allow up to 'retry' (10) tries,
		 * but after 'backoff' (3) we start backing off
		 */
		if (++cnt > backoff) {
			if (cnt >= retries) {
				badlogin(username);
				sleepexit(1);
			}
			sleep((u_int)((cnt - backoff) * 5));
		}

This code has been in there since 2.2.1 at least (I didn't check back
farther).

A simple test verified this behaviour. After ten login attempts, I was
booted off and it was dutifully logged:

Jan 3 16:17:06 <myhost> login: 10 LOGIN FAILURES FROM localhost
Jan 3 16:17:06 <myhost> login: 10 LOGIN FAILURES FROM localhost, root

On Sat, 2 Jan 1999, Missouri FreeNet Administration wrote:

> Greetings, how is everyone after the 30 day pig-out? ;-0
>
> We originally posted this problem to the FreeBSD GNATS system on
> December 20th, and still haven't heard so much as an acknowledgement
> of the report (GNATS#: i386/9141). I figured with the holidays, they
> were all busy, and would [eventually] get to it, but today I checked
> and saw that several GNATS reports on either side of this one (some
> as recent as today) have been looked at, processed, and even closed!
> So...
>
> FreeBSD 2.2.5-R (other rev's not tested) fail to log penetration attempts
> on quiescent systems properly when using syslog (to any target). Failed
> login attempts (*any* number of them) will not be reported until a user name
> which is *different* from the failed name is entered. For example, I can
> attempt to penetrate the root password *all day long* without getting a
> syslog report, provided a name other than root is not entered. The reason
> for this is that there is an attempt to de-verbosify syslog reporting in
> FBSD which accumulates a counter for events, and then reports a cumulative
> total. In this attempt to save verbiage, they are tallying all the failed
> attempts, *rather* than *reporting* them!
>
> This is (obviously) not going to be an issue on a busy system, as
> *someone* other than the target account is likely to log in and flush the
> counter report, but on a selected system, such as a name server, this
> could be a devastating flaw...
>
>
> Yours,
> J.A. Terranson
> sysadminat_private
>
> --
> If Governments really want us to behave like civilized human beings, they
> should give serious consideration towards setting a better example:
> Ruling by force, rather than consensus; the unrestrained application of
> unjust laws (which the victim-populations were never allowed input on in
> the first place); the State policy of justice only for the rich and
> elected; the intentional abuse and occasionally destruction of entire
> populations merely to distract an already apathetic and numb electorate...
> This type of demagoguery must surely wipe out the fascist United States
> as surely as it wiped out the fascist Union of Soviet Socialist Republics.
>
> The views expressed here are mine, and NOT those of my employers,
> associates, or others. Besides, if it *were* the opinion of all of
> those people, I doubt there would be a problem to bitch about in the
> first place...
> --------------------------------------------------------------------
>
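Added example, not code from either message above and not a copy of FreeBSD's login.c: a small C model of the two behaviours the thread describes, so a reader can see exactly what ends up in the log. It implements the retry/backoff arithmetic from the quoted excerpt (10 retries, backoff after 3, sleep of (cnt - backoff) * 5 seconds) and the cumulative reporting policy the original poster complains about (failures for one name are tallied and written out only when a different name is tried or when the tenth failure ends the session). The function names (backoff_seconds, replay_failed_logins, replay_same_name), the in-memory record store standing in for syslog(3), and the attempt sequences are my own constructions; the record text mirrors the "N LOGIN FAILURES FROM host, name" lines quoted in the reply.

```c
#include <stdio.h>
#include <string.h>

/* Limits quoted from login.c in the message above: 'retries' and 'backoff'. */
#define LOGIN_RETRIES 10
#define LOGIN_BACKOFF 3
#define MAX_NAME 32
#define MAX_RECORDS 16

/* Constructed record store; stands in for syslog(3) so results can be inspected. */
struct login_log {
    int n;                       /* records written so far */
    char lines[MAX_RECORDS][96]; /* "N LOGIN FAILURES FROM host, name" */
};

/* Seconds slept after failed attempt number cnt (1-based), per the quoted
 * excerpt: sleep((cnt - backoff) * 5) once cnt exceeds backoff, else 0.
 * At cnt >= retries the process exits instead of sleeping. */
int backoff_seconds(int cnt)
{
    if (cnt > LOGIN_BACKOFF && cnt < LOGIN_RETRIES)
        return (cnt - LOGIN_BACKOFF) * 5;
    return 0;
}

/* Model of badlogin(): write one cumulative record and reset the tally.
 * Nothing is written while the tally is zero. */
static void badlogin_model(struct login_log *out, int *failures,
                           const char *host, const char *name)
{
    if (*failures == 0)
        return;
    if (out->n < MAX_RECORDS)
        snprintf(out->lines[out->n++], sizeof out->lines[0],
                 "%d LOGIN FAILURE%s FROM %s, %s", *failures,
                 *failures > 1 ? "S" : "", host, name);
    *failures = 0;
}

/* Replay a sequence of failed attempts (names[0..nattempts-1]) against the
 * reporting policy the thread describes: failures for one name accumulate,
 * and a record is written only when a different name is tried or when the
 * retry limit ends the session. Returns the number of attempts consumed
 * (LOGIN_RETRIES if the session was cut off); *sleep_total receives the
 * accumulated backoff delay in seconds. */
int replay_failed_logins(const char *const *names, int nattempts,
                         const char *host, struct login_log *out,
                         int *sleep_total)
{
    char last[MAX_NAME] = "";
    int failures = 0, cnt = 0, i;

    out->n = 0;
    *sleep_total = 0;
    for (i = 0; i < nattempts; i++) {
        /* Switching to a different name flushes the previous name's tally. */
        if (failures && strcmp(last, names[i]) != 0)
            badlogin_model(out, &failures, host, last);
        snprintf(last, sizeof last, "%s", names[i]);
        failures++;
        if (++cnt > LOGIN_BACKOFF) {
            if (cnt >= LOGIN_RETRIES) {
                badlogin_model(out, &failures, host, last); /* then sleepexit(1) */
                return cnt;
            }
            *sleep_total += backoff_seconds(cnt);
        }
    }
    return cnt;
}

/* Convenience: 'attempts' consecutive failures against the same name. */
int replay_same_name(const char *name, int attempts, const char *host,
                     struct login_log *out, int *sleep_total)
{
    const char *names[LOGIN_RETRIES + 1];
    int i;

    if (attempts > LOGIN_RETRIES + 1)
        attempts = LOGIN_RETRIES + 1;
    for (i = 0; i < attempts; i++)
        names[i] = name;
    return replay_failed_logins(names, attempts, host, out, sleep_total);
}

int main(void)
{
    struct login_log rec;
    int slept, i;

    /* Nine failures against root: session still open, nothing logged yet. */
    replay_same_name("root", 9, "localhost", &rec, &slept);
    printf("9 x root: %d record(s), slept %ds\n", rec.n, slept);

    /* Tenth failure: cut off and reported, as the reply's log lines show. */
    replay_same_name("root", 10, "localhost", &rec, &slept);
    for (i = 0; i < rec.n; i++)
        printf("login: %s\n", rec.lines[i]);
    return 0;
}
```

Running it shows the point both messages make: nine failures against one account produce a total of 105 seconds of backoff and no record at all, the tenth produces "10 LOGIN FAILURES FROM localhost, root" and ends the session, and a switch to another name after three failures writes a "3 LOGIN FAILURES" record for the first name. A monitoring rule that only counts log lines therefore sees a guess rate of at most one record per session, not one per attempt.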
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:27:10 PDT