1.7 Set lockout thresholds

Information

Sybase ASE supports lockout thresholds that define the number of consecutive incorrect
login attempts after which the account or role is locked. A threshold can be set on a
global basis (applicable to all user accounts), on a per-user basis and on a per-role basis,
with the per-user and per-role settings overriding the server-wide setting.

The default lockout threshold in Sybase ASE (a value of 0) allows unlimited incorrect login
attempts. At a minimum, a global lockout threshold should be set in accordance with your
organization's password policy. It is recommended that logins holding powerful roles such as
sa_role or sso_role, and those roles themselves, have a stricter threshold set.

Rationale:

Allowing an attacker unlimited attempts to log in to an account permits a brute-force
password attack to proceed unhindered, potentially leading to compromise of the database.

Solution

1. Connect to the ASE server with a login that has the sso_role and execute the
following SQL statement (substitute for 5 the lockout threshold required by your
organization's password policy; the value must be greater than 0, since 0 disables lockout):

exec sp_configure 'maximum failed logins', 5
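The following is an added example and is not part of this benchmark. It shows the server-wide
setting from step 1 beside the per-login and per-role overrides described in the Information
section, the statements used to check the result, and the command an sso_role login uses to
unlock an account after a lockout. The login name app_user and the threshold values 5 and 3 are
assumptions chosen for illustration.

```sql
-- Added example (not from the benchmark). Run as a login holding sso_role.
-- Login name app_user and the values 5 and 3 are assumed for illustration;
-- substitute the thresholds required by your organization's password policy.

-- Weak (default) setting, shown for contrast only: 0 = unlimited failed logins.
-- exec sp_configure 'maximum failed logins', 0

-- Corrected server-wide threshold: lock a login or role after 5 consecutive
-- failed attempts. Applies to every login and role without its own override.
exec sp_configure 'maximum failed logins', 5
go

-- Stricter per-login override; this value takes precedence over the
-- server-wide setting for app_user only.
exec sp_modifylogin 'app_user', 'max failed_logins', '3'
go

-- Stricter per-role override for the privileged roles named in the text.
alter role sa_role set "max failed_logins" 3
go
alter role sso_role set "max failed_logins" 3
go

-- Checks: the Run Value column of sp_configure output must show 5, and the
-- per-login maximum failed logins value is reported by sp_displaylogin.
exec sp_configure 'maximum failed logins'
go
exec sp_displaylogin 'app_user'
go

-- A login locked by reaching its threshold stays locked until a login with
-- sso_role unlocks it explicitly.
exec sp_locklogin 'app_user', 'unlock'
go
```

Because the per-role override on sso_role can lock out the very logins that are able to run
sp_locklogin, test the per-role values while a second, separately protected sso_role login
remains available, and verify the server-wide value with sp_configure before relying on it.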

See Also

https://workbench.cisecurity.org/files/1612