Re: intel equipment

[kain () EGOTRIP DK (Knud Erik Højgaard)]

I was tired when i wrote that other thing..sorry...the idea in my head was
disallowing connections from the ip supplying the number of wrong
passwords. of course, you could then use wingates or whatever, but anyways
it would stop the unlimited number of attempts, since there are only a
limited number of insecure wingates out there. On the other hand, an
important thing when bruteforcing is speed, and disconnecting the user
would slow down the attack considerably. I noticed the Intel router in
question was nice enough to let me have two concurrent sessions...i had
more thoughts, but im too tired(again). something might pop up later

Knud Erik Højgaard

At , you wrote:
> At 10:06 19-03-00 -0800, you wrote:
> > > Knud,
> > >
> > > AFAIK, all intel switches that have a layer 3 interface come with no
> > > default username or password. Also, the snmp community strings are
> > > public/private.
> > >
> > > Sigh.
> >
> >      Before you configure them, they have no IP adress and can only be remotely
> > managed immediately after startup by answering their BOOTP requests. As soon
> > as you use the software Intel supplies to configure them, they lock
> > management down to the IP address of the management station. They can also
> > send out SNMP traps when people connect from unauthorized IP addresses or
> > use bad passwords.
> >
> >      Somebody had to assign that switch an IP address and password but not set
> > any limits on what IP addresses could manage it. That's not particularly
> > bright.
> >
> >      As for whether breaking connections after a fixed number of tries is a good
> > idea, I don't believe it is. It's no harder to write a program to try 1000
> > passwords on one connection than it is to write one to try one password,
> > disconnect, and repeat. So how would that provide any protection against
> > brute force attacks?
> >
> >      DS