Account Lockout Policy in Linux?

wardialer · 02-26-2005, 07:47 PM

What are the commands or directory were I could set the number of Bad logon attemps and so forth??? Running MDK Linux 9.1

nilleso · 02-26-2005, 08:31 PM

/etc/default/login methinks ... view the other /etc/default/* files for other possibilities
don't have access to a linux machine right now to confirm

cheers

wardialer · 02-26-2005, 08:40 PM

It just has useradd in there. I cant beleive this. This is actually a Linux forum and getting lack of responses here.

Capt_Caveman · 02-26-2005, 10:18 PM

You need to use pam_tally in /etc/pam.d/system-auth. Here is a good guide to implememting it:

http://www.puschitz.com/SecuringLinu...yLoginFailures

Keep in mind that there is a very good reason why this isn't a default in linux...it makes performing a DoS attack trivial if someone realizes your using this in your authentication policy.

wardialer · 02-27-2005, 11:41 AM

Interesting. I have the whole document printed out last week!!!!!!

But, I dont think I have PAM installed. I will have to have the PAM package installed. And I will do that.

WOW!!!! Yes, I would have to agree that this document is really really great.

wardialer · 04-04-2005, 01:06 AM

I looked at the link. But I do not have the $ISA thing there....So what should I do in this case??? Please explain.

account required /lib/security/$ISA/pam_tally.so per_user deny=5 no_magic_root reset

Here what I have in the /etc/pam.d/system-auth/ directory: What do I need to do if wanted to have 3 LOGIN failure attempts???

Code:

#%PAM-1.0

auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so

password    required      /lib/security/pam_cracklib.so retry=3 minlen=4  dcredit=0  ucredit=0 
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

Capt_Caveman · 04-04-2005, 01:24 AM

Just use the path to pam_tally.so. To find the path, use: 'locate pam_tally.so' or use find / -name pam_tally.so. Then just use the full path instead of the one listed in the guide so for me it would look like this:

Code:

[root@localhost ~]locate pam_tally.so
/lib/security/pam_tally.so
[root@localhost ~]

So I would then use:
account required /lib/security/pam_tally.so per_user deny=5 no_magic_root reset

The above rule would lock a user out after 5 failed attempts, so if you wanted only 3 failures then just replace the '5' with a '3' in the rule. Once you made the required modifications, make sure that you've added all the required entries and double and triple check the syntax to make sure that it looks like the example in the link (though your path to the libs may be different).

wardialer · 04-04-2005, 01:11 PM

Ok, once I locate the pam_tally.iso in the SHell Console command, then after that, what do I need to do?
Do I have to type in this after it locates the pam_tally.iso??? See below:

account required /lib/security/pam_tally.so per_user deny=5 no_magic_root reset

So, after it locates it, then where do I need to type this information in?? Would I have to type it in the same Shell Konsole??? Please explain or give me another example please...

wardialer · 04-04-2005, 07:06 PM

Ok, I did the following but no luck...can you assist me here a bit?

Code:

[root@localhost vin001]# locate pam_tally.so
warning: locate: warning: database /var/lib/slocate/slocate.db' is more than 8 days old
/lib/security/pam_tally.so
[root@localhost vin001]# account required /lib/security/pam_tally.so per_user deny=5 no_magic_root reset
bash: account: command not found
[root@localhost vin001]#

I then went into GEDIT and tried to open this directory /lib/security/pam_tally.so but the error said "Could not Open because of Invalid UTF-8 data "

So what should I do here next???

Thank you

Krugger · 04-04-2005, 07:15 PM

you must have that lib if you got mandrakes pam rpm.

try doing

updatedb

and then the locate

Capt_Caveman · 04-04-2005, 09:30 PM

It looks like it found the lib and is just showing a warning that the db is old.

I then went into GEDIT and tried to open this directory /lib/security/pam_tally.so but the error said "Could not Open because of Invalid UTF-8 data "
That's cause you are trying to edit the lib which isn't text file. You shouldn't be editing the lib anyway, follow the instructions in the guide. You should be modifying /etc/pam.d/system-auth. Just substitute the path to the pam_tally.so file on your system in place of the one in the guide like this:

Code:

Add the following two lines highlighted in bold to the /etc/pam.d/system-auth file as shown below:

auth        required      /lib/security/pam_env.so
auth        required      /lib/security/pam_tally.so onerr=fail no_magic_root
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_unix.so
account     required      /lib/security/pam_tally.so per_user deny=5 no_magic_root reset
account     sufficient    /lib/security/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/pam_permit.so
password    requisite     /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

Only add the lines in bold and don't modify any other lines.

I'm going to give you some advice here. You should not make any modifications to that file unless you can tell me how you are going to prevent root from getting locked out. The above instructions will lock all users including root out of the system after 5 failed logins. You absolutely must have a way to keep root from being locked out, otherwise the next time sshbrute is run against your system, root WILL BE LOCKED OUT and you will not be able to log on or su to root.

wardialer · 04-04-2005, 10:12 PM

Well, I'll take your WARNING... I will not do this at all...

Because I use very very very AND VERY STRONG Passwords for both ROOT and USER.... so I dont think there is no need for this. And plus, I am firewalled too...

Thanks dude..

Capt_Caveman · 04-04-2005, 10:41 PM

No problem, I think it's a wise choice. If you have good passwords, then you don't have anything to worry about. If you are still worried, switch to key-based authentication.

victvishwa · 02-19-2009, 08:25 AM

Does this work in Redhat Enterprise Linux 5?

I tried the same , it didnt.

Thanks
Kasi VPS

jschiwal · 02-19-2009, 08:37 AM

Edit the /etc/pam.d/login (for Fedora anyway) file.

If there isn't a /var/log/faillog, you may need to create an empty file before it starts working.
sudo touch /var/log/faillog