Connection Problem with 4.1.2 and "Too Many Security Failures"

Don Estes donestes "at" donestes.com
Mon Jul 31 17:31:01 2006


The following smells like a bug to me.  Please advise if you 
agree.  Also note the question below.

I hit the "too many security failures" situation trying to remotely 
access a system with problems.  OK, I understand the blacklist, 
timeout and recovery implementation from other postings to this 
list.  But a strange thing happens when I try to connect again: I get 
an apparent connection (post-timeout), it asks for the password, and 
immediately switches to the "Do you want to try again" message along 
with the "Too many security failures" message.

Now, initially, I was interpreting this as meaning that I was getting 
a connection but I was still failing the authentication.  It happened 
on three different computers on my home network, though one was a 
virtual computer running W2K under VMware.  However, when I dialed 
into the Internet and tried a connection I got "unable to connect to 
host: connection timed out (10060)".  The same thing happened when I 
took my laptop to work and used my connection there.  And finally, my 
(remote) son attempted the same connection with the same results.

I am still struggling to get the remote system correctly operating 
(it appears to have a problem unrelated to VNC), so until I am able 
to clear this I don't have a definitive case.

However, my interpretation of what I am seeing is as follows:

1.  When attempting to connect from the blacklisted IP address, the 
Viewer misses the connection time-out failure and proceeds as if it 
had a successful connection.

2.  When attempting to authenticate against the apparently successful 
connection (that was nonetheless unsuccessful), it gets a timeout 
failure and treats that event as if the password were incorrect, 
re-blacklisting the IP address.

3.  When I can connect from another IP address, the networked IP 
address will successfully connect and clear the blacklist.

Do you agree?

Question: where is the authentication blacklisting occurring?  I 
assumed that it should be happening at the remote system, but that 
would appear to be contrary to the observation that I cannot get a 
connect from 3 IP addresses that have not been blacklisted.