
Re: [cobalt-security] [Qube2] Admin Account



Is there any additional Apache module or config setting that >would< enforce a
time delay between each try and a bump-off after a limited number of tries?  I'm
looking for something other than a CGI script.

~ Theo


"Åke Brännström" wrote:

> On Sun, 11 Jun 2000, you wrote:
>
> > Anyone familiar with Cobalt knows the default administrative account is named
> > admin. Hence, one can focus one's pw attack on the userid admin. Since both
> > admin and root share the same password, getting to admin means that root is
> > also available.
> [...]
> > Seems to me that this is a risk exposure that should not be open? Am I being
> > overly cautious?
>
> The only problem with the admin account that I can think of is that the
> admin password is used to authenticate you when you administer your Qube from
> the web. Normally, Apache gives you unlimited tries for the password and
> doesn't enforce a time delay between each try. I don't know if this kind of
> attack is possible on the Qube, but I would think so.
>
> Other than this, it doesn't matter if everyone knows the usernames of admin and
> root. You should choose a password that is so good that it can't be guessed
> instead of messing things up by renaming users. It will only give you a false
> sense of security.
>
> Sincerely,
> Ake Brannstrom
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
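Added example (not from the thread, and not a Cobalt or Apache component): the two defensive pieces the thread is circling, written in Python so they can be tried offline. The first part reads Apache Common Log Format lines and flags a client that racks up repeated 401 responses against a protected path inside a short window, marking the case where a 200 on that same path follows the burst, which is the one worth acting on. The second part is the per-client delay-and-lockout policy Theo asks about, modelled as a small class so the semantics are explicit. The log lines, client addresses, paths, thresholds and timings are constructed assumptions; Apache does log the supplied user name on a 401, but that value may be bogus, so it is reported rather than trusted.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache Common Log Format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (assumed data, not from the thread): one client hammers
# the password-protected /admin/ path and then gets in; another fails once.
SAMPLE_LOG = """\
192.0.2.10 - admin [11/Jun/2000:10:00:01 +0200] "GET /admin/ HTTP/1.0" 401 401
192.0.2.10 - admin [11/Jun/2000:10:00:02 +0200] "GET /admin/ HTTP/1.0" 401 401
192.0.2.10 - admin [11/Jun/2000:10:00:03 +0200] "GET /admin/ HTTP/1.0" 401 401
192.0.2.10 - admin [11/Jun/2000:10:00:04 +0200] "GET /admin/ HTTP/1.0" 401 401
192.0.2.10 - admin [11/Jun/2000:10:00:05 +0200] "GET /admin/ HTTP/1.0" 401 401
192.0.2.10 - admin [11/Jun/2000:10:00:06 +0200] "GET /admin/ HTTP/1.0" 200 2048
198.51.100.7 - admin [11/Jun/2000:10:05:00 +0200] "GET /admin/ HTTP/1.0" 401 401
198.51.100.7 - admin [11/Jun/2000:10:05:30 +0200] "GET /admin/ HTTP/1.0" 200 2048
"""


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_password_guessing(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {host: report} for each client with `threshold` or more 401s inside
    any sliding `window`. success_after_burst is set when that client later gets
    a 200 on a path it had been failing against."""
    recent_401 = defaultdict(deque)   # host -> 401 timestamps inside the window
    total_401 = defaultdict(int)      # host -> all 401s seen so far
    failed_paths = defaultdict(set)   # host -> paths that returned 401 to it
    reports = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host, ts = rec["host"], rec["ts"]
        parts = rec["request"].split(" ")
        path = parts[1] if len(parts) > 1 else rec["request"]
        if rec["status"] == 401:
            total_401[host] += 1
            failed_paths[host].add(path)
            q = recent_401[host]
            q.append(ts)
            while ts - q[0] > window:        # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                r = reports.setdefault(host, {"user": rec["user"], "burst_start": q[0],
                                              "success_after_burst": False})
                r["failures"] = total_401[host]
                r["last_failure"] = ts
        elif rec["status"] == 200 and host in reports and path in failed_paths[host]:
            reports[host]["success_after_burst"] = True
    return reports


class LoginThrottle:
    """Per-client policy: a minimum delay between attempts that doubles after each
    failure, and a hard lockout once max_failures is reached, lasting `lockout`."""

    def __init__(self, base_delay=timedelta(seconds=2), max_failures=5,
                 lockout=timedelta(minutes=15)):
        self.base_delay = base_delay
        self.max_failures = max_failures
        self.lockout = lockout
        self.state = {}   # host -> {"failures": n, "last": timestamp}

    def allow(self, host, now):
        """True if the client may attempt a login at time `now`."""
        s = self.state.get(host)
        if s is None:
            return True
        if s["failures"] >= self.max_failures:
            if now - s["last"] < self.lockout:
                return False
            self.state.pop(host)          # lockout expired; start clean
            return True
        return now - s["last"] >= self.base_delay * (2 ** (s["failures"] - 1))

    def record_failure(self, host, now):
        s = self.state.setdefault(host, {"failures": 0, "last": now})
        s["failures"] += 1
        s["last"] = now

    def record_success(self, host):
        self.state.pop(host, None)


if __name__ == "__main__":
    for host, report in detect_password_guessing(SAMPLE_LOG).items():
        print(host, report)
```

Running the block prints one report, for 192.0.2.10: five failures in five seconds followed by a 200 on /admin/, which is the pattern to alert on rather than merely log. The throttle is the same bookkeeping turned into enforcement; whatever sits in front of the Qube's web admin (a wrapper, a proxy, or a module if one exists) would call allow() before checking the password and record_failure()/record_success() afterwards. The doubling delay is a design choice: a legitimate admin who mistypes once waits two seconds, while a guessing loop is slowed geometrically long before the lockout trips.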