From: Jared Still <>
Date: Thu, 11 Dec 2008 09:04:30 -0800

On Thu, Dec 11, 2008 at 5:55 AM, Remigiusz Sokolowski <> wrote:

> hi,
> I wonder how you deal with the FAILED_LOGIN_ATTEMPTS issue in day-to-day
> practice.
> This part of the profile is thought of as a countermeasure against "brute
> force" attacks on passwords; however, the dark side of it is blocking an
> account.

You can use a profile to limit the number of attempts that may be made against a single account.

The failed_login_attempts parameter can be used to lock the account after N consecutive failed login attempts.

The password_lock_time parameter can be used to lock the account for N days after the failed login attempts threshold is reached, where N can be a fraction of a day.

e.g. a value of 0.0104 would lock the account for approximately 15 minutes.

> The "ideal" solution to this issue would be to allow a client identified
> by IP to connect with, for example, only its own account or a few chosen
> accounts.
> Any thoughts?

If the connections are made through an application server, using tcp.validnode_checking
to specify which clients may connect may be feasible.

If there's a large number of clients that connect directly to the database, this
would probably be rather unwieldy.

There are probably other options available if you check into the Advanced Security Option. Personally, I have no experience with that.

Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist
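The profile settings described in the reply above, as an added example that is not part of the original message or of Jared's code. The profile name (app_user_profile) and user name (app_user) are assumed; the threshold of 5 attempts is a constructed value, and 15/1440 days is the 15-minute lock the reply quotes as 0.0104.

```sql
-- Added example (not from the original post). Profile and user names are assumed.
-- Lock an account after 5 consecutive failed logins for roughly 15 minutes.
-- PASSWORD_LOCK_TIME is expressed in days; 15/1440 = 0.0104 days = ~15 minutes.
CREATE PROFILE app_user_profile LIMIT
  FAILED_LOGIN_ATTEMPTS 5
  PASSWORD_LOCK_TIME    15/1440;

-- Attach the profile to the account that should be protected.
ALTER USER app_user PROFILE app_user_profile;

-- Verify the effective limits that Oracle stored for the profile.
SELECT resource_name, limit
  FROM dba_profiles
 WHERE profile = 'APP_USER_PROFILE'
   AND resource_name IN ('FAILED_LOGIN_ATTEMPTS', 'PASSWORD_LOCK_TIME');

-- Detection: accounts currently locked by the threshold (status LOCKED(TIMED)),
-- with the time at which the timed lock is expected to clear on its own.
SELECT username, account_status, lock_date,
       lock_date + 15/1440 AS expected_unlock
  FROM dba_users
 WHERE account_status LIKE 'LOCKED(TIMED)%';

-- Mitigation for the "dark side": a legitimate user locked out by someone else's
-- failed attempts can be unlocked by a DBA before the timer expires.
ALTER USER app_user ACCOUNT UNLOCK;
```

A short lock time like this keeps a brute-force attempt slow without leaving a legitimate user locked out for a full day, which is the trade-off the reply is pointing at. The per-client restriction asked about in the quoted question is a different control: the tcp.validnode_checking the reply mentions is set in sqlnet.ora (TCP.VALIDNODE_CHECKING with TCP.INVITED_NODES or TCP.EXCLUDED_NODES) and allows or denies hosts at the listener, for all accounts, rather than tying a particular account to a particular client address.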

Received on Thu Dec 11 2008 - 11:04:30 CST
