Old 05-25-2010, 04:15 AM   #1
alfonsosg
LQ Newbie
 
Registered: May 2010
Posts: 2

Rep: Reputation: 0
Account lock after failed login attempts


Hello!!

I'm new to these forums and this is my first post.
I'm trying to lock an account after a number of failed login attempts on RHEL5. This is the relevant configuration in /etc/pam.d/system-auth:

auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
# added to limit number of unsuccessful login attempts
auth required pam_tally.so onerr=fail deny=3 lock_time=4

account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
account required pam_tally.so

In the logs I can see how the count of failed logins increases and exceeds my deny option, but the account isn't locked:

pam_tally(sshd:auth): user user (503) tally 4, deny 3
pam_tally(sshd:auth): user user (503) tally 5, deny 3

Do I need any other option in the PAM file? Is there any other way to lock an account?


thanks.
 
Old 05-25-2010, 09:09 AM   #2
TB0ne
Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 14,409

Rep: Reputation: 2529
Quote:
Originally Posted by alfonsosg
Hello!!

I'm new to these forums and this is my first post.
I'm trying to lock an account after a number of failed login attempts on RHEL5. This is the relevant configuration in /etc/pam.d/system-auth:

auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
# added to limit number of unsuccessful login attempts
auth required pam_tally.so onerr=fail deny=3 lock_time=4

account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
account required pam_tally.so

In the logs I can see how the count of failed logins increases and exceeds my deny option, but the account isn't locked:

pam_tally(sshd:auth): user user (503) tally 4, deny 3
pam_tally(sshd:auth): user user (503) tally 5, deny 3

Do I need any other option in the PAM file? Is there any other way to lock an account?
thanks.
Looks like you're missing something. These links:
http://kbase.redhat.com/faq/docs/DOC-4304
http://www.puschitz.com/SecuringLinux.shtml

might help. Your best bet for RedHat Enterprise 5 answers would be RedHat support. You're paying for access with your RedHat subscription.
 
Old 05-26-2010, 12:35 AM   #3
alfonsosg
LQ Newbie
 
Registered: May 2010
Posts: 2

Original Poster
Rep: Reputation: 0
Thanks!!

I will try those links and the RedHat support.
 
Old 06-08-2010, 02:27 PM   #4
tanveer
Member
 
Registered: Feb 2004
Location: e@rth
Distribution: RHEL-3/4/5,Gloria,opensolaris
Posts: 489

Rep: Reputation: 37
Hi,
This works for me.
Code:
# vi /etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
# The line below locks an account after 5 failed authentication attempts; it stays locked for 60 seconds.
auth        required      pam_tally.so onerr=fail deny=5 unlock_time=60
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
# The below line is required for account lockout due to failed login attempt
account     required      pam_tally.so reset
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
 
1 members found this post helpful.
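As an added check (not code from any poster in this thread), here is a small Python lint for the ordering problem behind the original question: pam_tally only enforces the lock when its auth line runs before the sufficient pam_unix line, and the counter is only reset by a pam_tally line in the account stack. The two sample stacks are constructed from posts #1 and #4 with the unrelated lines removed.

```python
import re

# Constructed sample (post #1 ordering): pam_tally sits after the sufficient
# pam_unix line, so a correct password ends the stack before the lock is checked.
BROKEN = """\
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_deny.so
auth required pam_tally.so onerr=fail deny=3 lock_time=4
account required pam_unix.so
account required pam_tally.so
"""

# Constructed sample (post #4 ordering): pam_tally runs first on every attempt.
FIXED = """\
auth required pam_tally.so onerr=fail deny=5 unlock_time=60
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_deny.so
account required pam_unix.so
account required pam_tally.so reset
"""

LINE_RE = re.compile(r"^\s*(auth|account|password|session)\s+(\S+)\s+(\S+)(.*)$")

def parse_pam(text):
    """Yield (type, control, module, args) for each non-comment pam.d line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and not line.lstrip().startswith("#"):
            yield m.group(1), m.group(2), m.group(3), m.group(4).split()

def check_tally(text):
    """Return findings about the pam_tally lockout setup (empty list = OK)."""
    entries = list(parse_pam(text))
    auth = [e for e in entries if e[0] == "auth"]
    account = [e for e in entries if e[0] == "account"]
    findings = []
    tally = [i for i, e in enumerate(auth) if e[2].startswith("pam_tally")]
    if not tally:
        return ["no pam_tally auth line: failed attempts are never counted"]
    sufficient = [i for i, e in enumerate(auth) if e[1] == "sufficient"]
    if sufficient and tally[0] > sufficient[0]:
        findings.append("pam_tally auth line is after a 'sufficient' module: a correct "
                        "password ends the stack before the lock is enforced")
    if not any(a.startswith("deny=") for a in auth[tally[0]][3]):
        findings.append("pam_tally auth line has no deny=N threshold")
    if not any(e[2].startswith("pam_tally") for e in account):
        findings.append("no pam_tally account line: counter is never reset on success")
    return findings
```

Run check_tally() over the auth/account sections of your own /etc/pam.d/system-auth; the BROKEN sample yields one finding about the sufficient module and the FIXED sample yields none.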
Old 06-17-2010, 06:28 PM   #5
tiemen3r
LQ Newbie
 
Registered: Jun 2010
Location: Amsterdam
Distribution: CentOS, Debian
Posts: 15

Rep: Reputation: 1
I think fail2ban will make your life much easier. It does exactly what you are trying to do: ban an account (or IP) after a set number of failed logins. HTH
 
Old 08-03-2010, 07:24 AM   #6
cj_cheema
Member
 
Registered: Mar 2006
Location: INDIA
Distribution: RedHat, SuSE, Debian
Posts: 156

Rep: Reputation: 15
Hi, thanks Tanveer, your solution also works for me. Thanks a ton.

Regards
Charanjit
 
  

