LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   Account lock after failed login attempts (http://www.linuxquestions.org/questions/linux-security-4/account-lock-after-failed-login-attempts-809954/)

alfonsosg 05-25-2010 04:15 AM

Account lock after failed login attempts
 
Hello!!

I'm new to these forums and this is my first post.
I'm trying to lock an account after a number of failed login attempts in a RHEL5. This is the relevant configuration in /etc/pam.d/system-auth

auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
# added to limit number of unsuccessful login attempts
auth required pam_tally.so onerr=fail deny=3 lock_time=4

account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
account required pam_tally.so

In the logs I can see how the count of failed logins increase and exceeds my deny option but the account isn't locked

pam_tally(sshd:auth): user user (503) tally 4, deny 3
pam_tally(sshd:auth): user user (503) tally 5, deny 3

Do I need any other option in the PAM file? Is there any other way to lock an account?


thanks.

TB0ne 05-25-2010 09:09 AM

Quote:

Originally Posted by alfonsosg (Post 3980371)
Hello!!

I'm new to these forums and this is my first post.
I'm trying to lock an account after a number of failed login attempts in a RHEL5. This is the relevant configuration in /etc/pam.d/system-auth

auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
# added to limit number of unsuccessful login attempts
auth required pam_tally.so onerr=fail deny=3 lock_time=4

account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
account required pam_tally.so

In the logs I can see how the count of failed logins increase and exceeds my deny option but the account isn't locked

pam_tally(sshd:auth): user user (503) tally 4, deny 3
pam_tally(sshd:auth): user user (503) tally 5, deny 3

Do I need any other option in the PAM file? Is there any other way to lock an account?
thanks.

Looks like you're missing something. These links:
http://kbase.redhat.com/faq/docs/DOC-4304
http://www.puschitz.com/SecuringLinux.shtml

might help. Your best bet for RedHat Enterprise 5 answers, would be RedHat support. You're paying for access with your RedHat subscription.

alfonsosg 05-26-2010 12:35 AM

Thanks!!

I will try those links and the RedHat support.

tanveer 06-08-2010 02:27 PM

Hi,
This works for me.
Code:

# vi /etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
# The below line is used to lock an account if user failed to authenticate 5 times and will be locked for 60 secs.
auth        required      pam_tally.so onerr=fail deny=5 unlock_time=60
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite    pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account    required      pam_unix.so
# The below line is required for account lockout due to failed login attempt
account    required      pam_tally.so reset
account    sufficient    pam_succeed_if.so uid < 500 quiet
account    required      pam_permit.so


tiemen3r 06-17-2010 06:28 PM

I think fail2ban will make your life much easier. It does exactly what you are trying to do: ban an account (or ip) after a set number of failed logins. HTH

cj_cheema 08-03-2010 07:24 AM

Hi Thanks Tanveer your solution also works for me thanks a ton..

Regards
Charanjit


All times are GMT -5. The time now is 04:57 AM.