
Re: Where are FAILED_LOGIN_ATTEMPTS recorded?

From: DA Morgan <damorgan_at_psoug.org>
Date: Wed, 17 Oct 2007 09:13:20 -0700
Message-ID: <1192637589.903858@bubbleator.drizzle.com>


Jim Smith wrote:

> In message <1192550482.227729.88850_at_t8g2000prg.googlegroups.com>, 
> "fitzjarrell_at_cox.net" <fitzjarrell_at_cox.net> writes

>> Comments embedded.
>> On Oct 16, 10:04 am, "deebe..._at_gmail.com" <deebe..._at_gmail.com> wrote:
>>> Hi,
>>>
>>> Using 10gR2 - trying to find out where FAILED_LOGIN_ATTEMPTS are
>>> recorded.
>>
>> I doubt you'll find it anywhere.
>>
>>> FAILED_LOGIN_ATTEMPTS is currently set to 10 as per the Default
>>> profile.
>>>
>>> There is no auditing in place but failed logins for users must be
>>> recorded somewhere (ie internal table) for the profile to work.
>>
>> Why? Consider this:
>>
>> SQL>
>> SQL> set serveroutput on size 1000000
>> SQL>
>> SQL> declare
>> 2 login_trys number;
>> 3 cursor get_failed_login_lim is
>> 4 select limit
>> 5 from dba_profiles
>> 6 where resource_name = 'FAILED_LOGIN_ATTEMPTS'
>> 7 and limit <> 'UNLIMITED';
>> 8 begin
>> 9 open get_failed_login_lim;
>> 10 fetch get_failed_login_lim into login_trys;
>> 11 close get_failed_login_lim;
>> 12
>> 13 for tries in 1..6 loop
>> 14 if tries > login_trys then
>> 15 dbms_output.put_line('BZZZZZZT!!!! Account locked!!!');
>> 16 else
>> 17 dbms_output.put_line('Keep trying ...');
>> 18 end if;
>> 19 end loop;
>> 20 end;
>> 21 /
>> Keep trying ...
>> Keep trying ...
>> Keep trying ...
>> Keep trying ...
>> Keep trying ...
>> BZZZZZZT!!!! Account locked!!!
>>
>> PL/SQL procedure successfully completed.
>>
>> SQL>
>>
>> The code processing the login attempts can 'store' the failed tries in
>> memory and still function as required. The only static value in this
>> process is the setting for FAILED_LOGIN_ATTEMPTS, so that's all that
>> needs to be stored in the database.
>>
> 
> This would fail across database restart. I've not really tested, but I 
> would expect a failed login lock to work for N consecutive failures 
> across a longer period, including after database restart.

You can only lock an account if the username is correct. This will not prevent some forms of brute force attack.

-- 
Daniel A. Morgan
University of Washington
damorgan_at_x.washington.edu (replace x with u to respond)
Puget Sound Oracle Users Group
www.psoug.org
Received on Wed Oct 17 2007 - 11:13:20 CDT
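
The point in the reply above, as an added example that is not part of the original post: a simplified model of per-account lockout (not Oracle's implementation) next to a per-source failure count, replayed over constructed login attempts. The account names, addresses, the limit of 3 and `SOURCE_THRESHOLD` are assumptions made for illustration.

```python
from collections import Counter

FAILED_LOGIN_ATTEMPTS = 3   # constructed limit; the thread's DEFAULT profile uses 10
SOURCE_THRESHOLD = 5        # hypothetical per-source alert threshold

ACCOUNTS = {"scott": "tiger", "hr": "hr_pw"}   # constructed accounts


def replay(events):
    """Replay (source, username, password) attempts.

    Returns (locked accounts, per-account failure counts, sources over threshold).
    """
    failed = Counter()      # consecutive failures, kept only for real accounts
    by_source = Counter()   # failures per client, whether or not the user exists
    locked = set()
    for source, user, password in events:
        if user in locked:
            by_source[source] += 1    # locked account: still a failed attempt
            continue
        if user in ACCOUNTS and ACCOUNTS[user] == password:
            failed[user] = 0          # a success resets the consecutive count
            continue
        by_source[source] += 1
        if user in ACCOUNTS:          # only an existing account has a counter
            failed[user] += 1
            if failed[user] >= FAILED_LOGIN_ATTEMPTS:
                locked.add(user)
    flagged = {s for s, n in by_source.items() if n >= SOURCE_THRESHOLD}
    return locked, dict(failed), flagged


# Constructed sample: one client fails against eight usernames that do not
# exist; another client mistypes a real user's password three times.
EVENTS = (
    [("10.0.0.7", f"user{i}", "x") for i in range(8)]
    + [("10.0.0.9", "scott", "wrong")] * 3
)

if __name__ == "__main__":
    locked, failed, flagged = replay(EVENTS)
    print("locked accounts:       ", locked)
    print("per-account failures:  ", failed)
    print("sources over threshold:", flagged)
```

The eight failures against nonexistent usernames leave every per-account counter untouched, so the lockout profile never reacts to them; only the per-source count records that client.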
