Re: FAILED_LOGIN_ATTEMPTS issue
Date: Thu, 11 Dec 2008 09:04:30 -0800
Message-ID: <bf46380812110904y6c8cb449k7f4984a73c5a369d@mail.gmail.com>
On Thu, Dec 11, 2008 at 5:55 AM, Remigiusz Sokolowski <remigiusz.sokolowski_at_nordea.com> wrote:
> hi,
>
> I wonder how you deal with the FAILED_LOGIN_ATTEMPTS issue in
> day-to-day practice.
> This part of the profile is thought of as a countermeasure against "brute
> force" attacks on passwords; however, the dark side of it is the blocking
> of an account.
>
You can use a profile to limit the number of attempts that may be made against a single account.
http://download.oracle.com/docs/cd/B28359_01/server.111/b28286/statements_6010.htm#i2065930
The failed_login_attempts parameter can be used to lock the account after N consecutive failed login attempts.
The password_lock_time parameter can be used to lock the account for N days after the failed login attempts threshold is reached, where N can be a fraction of a day.
E.g., a value of 0.0104 would lock the account for approximately 15 minutes.
>
> The "ideal" solution to this issue would be to allow a client identified
> by IP to connect with, for example, only its own account or a few chosen
> accounts.
> Any thoughts?
>
If the connections are made through an application server, using tcp.validnode_checking to specify which clients may connect may be feasible.
If there's a large number of clients that connect directly to the database, this would probably be rather unwieldy.
There are probably other options available if you check into the Advanced Security Option. Personally, I have no experience with that.
Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist
-- http://www.freelists.org/webpage/oracle-l
Received on Thu Dec 11 2008 - 11:04:30 CST
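
An added example, not part of the original message or thread: the profile settings described in the reply written out as Oracle SQL, followed by queries that show which accounts are currently locked and which client hosts the failed logins came from. The profile name app_login_limit, the user app_user and the threshold of 5 are assumptions; the last query assumes session auditing (AUDIT SESSION) is enabled with the audit trail written to the database.

```sql
-- Added example. app_login_limit, app_user and the threshold of 5 are
-- assumptions chosen for illustration.

-- Lock an account after 5 consecutive failed logins and release the lock
-- automatically after about 15 minutes. PASSWORD_LOCK_TIME is expressed in
-- days, so 15/1440 is the 0.0104 mentioned in the reply.
CREATE PROFILE app_login_limit LIMIT
  FAILED_LOGIN_ATTEMPTS 5
  PASSWORD_LOCK_TIME    15/1440;

-- Attach the profile to the account it should protect.
ALTER USER app_user PROFILE app_login_limit;

-- Confirm the limits that are actually in force for the profile.
SELECT profile, resource_name, limit
FROM   dba_profiles
WHERE  profile = 'APP_LOGIN_LIMIT'
AND    resource_name IN ('FAILED_LOGIN_ATTEMPTS', 'PASSWORD_LOCK_TIME');

-- Accounts that are locked right now. LOCKED(TIMED) means the lock came
-- from the failed-login threshold and will expire on its own.
SELECT username, account_status, lock_date, profile
FROM   dba_users
WHERE  account_status LIKE '%LOCKED%'
ORDER  BY lock_date DESC;

-- Failed logins (ORA-01017) in the last 24 hours, grouped by target account
-- and originating host, so a lockout can be traced to a stale application
-- password or to password guessing from one client.
SELECT username,
       userhost,
       os_username,
       COUNT(*)       AS failed_logins,
       MAX(timestamp) AS last_failure
FROM   dba_audit_session
WHERE  returncode = 1017
AND    timestamp > SYSDATE - 1
GROUP  BY username, userhost, os_username
HAVING COUNT(*) >= 5
ORDER  BY failed_logins DESC;
```

The audit query speaks to the lockout concern raised in the original question: it shows whether repeated failures against an account come from a single known host or from many.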