LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Closed Thread
 
Search this Thread
Old 02-26-2005, 07:47 PM   #1
wardialer
Member
 
Registered: Sep 2004
Distribution: SUSE Linux Pro 9.3
Posts: 375

Rep: Reputation: 30
Account Lockout Policy in Linux?


What are the commands or directory were I could set the number of Bad logon attemps and so forth??? Running MDK Linux 9.1
 
Old 02-26-2005, 08:31 PM   #2
nilleso
Member
 
Registered: Nov 2004
Location: ON, CANADA
Distribution: ubuntu, RHAS, and other unmentionables
Posts: 372

Rep: Reputation: 31
/etc/default/login methinks ... view the other /etc/default/* files for other possibilities
don't have access to a linux machine right now to confirm

cheers
 
Old 02-26-2005, 08:40 PM   #3
wardialer
Member
 
Registered: Sep 2004
Distribution: SUSE Linux Pro 9.3
Posts: 375

Original Poster
Rep: Reputation: 30
It just has useradd in there. I cant beleive this. This is actually a Linux forum and getting lack of responses here.
 
Old 02-26-2005, 10:18 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
You need to use pam_tally in /etc/pam.d/system-auth. Here is a good guide to implememting it:

http://www.puschitz.com/SecuringLinu...yLoginFailures

Keep in mind that there is a very good reason why this isn't a default in linux...it makes performing a DoS attack trivial if someone realizes your using this in your authentication policy.

Last edited by Capt_Caveman; 02-26-2005 at 10:20 PM.
 
Old 02-27-2005, 11:41 AM   #5
wardialer
Member
 
Registered: Sep 2004
Distribution: SUSE Linux Pro 9.3
Posts: 375

Original Poster
Rep: Reputation: 30
Interesting. I have the whole document printed out last week!!!!!!

But, I dont think I have PAM installed. I will have to have the PAM package installed. And I will do that.

WOW!!!! Yes, I would have to agree that this document is really really great.
 
Old 04-04-2005, 01:06 AM   #6
wardialer
Member
 
Registered: Sep 2004
Distribution: SUSE Linux Pro 9.3
Posts: 375

Original Poster
Rep: Reputation: 30
I looked at the link. But I do not have the $ISA thing there....So what should I do in this case??? Please explain.

account required /lib/security/$ISA/pam_tally.so per_user deny=5 no_magic_root reset

Here what I have in the /etc/pam.d/system-auth/ directory: What do I need to do if wanted to have 3 LOGIN failure attempts???



Code:
#%PAM-1.0

auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so

password    required      /lib/security/pam_cracklib.so retry=3 minlen=4  dcredit=0  ucredit=0 
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

Last edited by wardialer; 04-04-2005 at 01:10 AM.
 
Old 04-04-2005, 01:24 AM   #7
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Just use the path to pam_tally.so. To find the path, use: 'locate pam_tally.so' or use find / -name pam_tally.so. Then just use the full path instead of the one listed in the guide so for me it would look like this:
Code:
[root@localhost ~]locate pam_tally.so
/lib/security/pam_tally.so
[root@localhost ~]
So I would then use:
account required /lib/security/pam_tally.so per_user deny=5 no_magic_root reset

The above rule would lock a user out after 5 failed attempts, so if you wanted only 3 failures then just replace the '5' with a '3' in the rule. Once you made the required modifications, make sure that you've added all the required entries and double and triple check the syntax to make sure that it looks like the example in the link (though your path to the libs may be different).
 
Old 04-04-2005, 01:11 PM   #8
wardialer
Member
 
Registered: Sep 2004
Distribution: SUSE Linux Pro 9.3
Posts: 375

Original Poster
Rep: Reputation: 30
Ok, once I locate the pam_tally.iso in the SHell Console command, then after that, what do I need to do?
Do I have to type in this after it locates the pam_tally.iso??? See below:

account required /lib/security/pam_tally.so per_user deny=5 no_magic_root reset


So, after it locates it, then where do I need to type this information in?? Would I have to type it in the same Shell Konsole??? Please explain or give me another example please...
 
Old 04-04-2005, 07:06 PM   #9
wardialer
Member
 
Registered: Sep 2004
Distribution: SUSE Linux Pro 9.3
Posts: 375

Original Poster
Rep: Reputation: 30
Ok, I did the following but no luck...can you assist me here a bit?

Code:
[root@localhost vin001]# locate pam_tally.so
warning: locate: warning: database /var/lib/slocate/slocate.db' is more than 8 days old
/lib/security/pam_tally.so
[root@localhost vin001]# account required /lib/security/pam_tally.so per_user deny=5 no_magic_root reset
bash: account: command not found
[root@localhost vin001]#
I then went into GEDIT and tried to open this directory /lib/security/pam_tally.so but the error said "Could not Open because of Invalid UTF-8 data "

So what should I do here next???

Thank you

Last edited by wardialer; 04-04-2005 at 07:10 PM.
 
Old 04-04-2005, 07:15 PM   #10
Krugger
Member
 
Registered: Oct 2004
Posts: 229

Rep: Reputation: 30
you must have that lib if you got mandrakes pam rpm.

try doing

updatedb

and then the locate
 
Old 04-04-2005, 09:30 PM   #11
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
It looks like it found the lib and is just showing a warning that the db is old.

I then went into GEDIT and tried to open this directory /lib/security/pam_tally.so but the error said "Could not Open because of Invalid UTF-8 data "
That's cause you are trying to edit the lib which isn't text file. You shouldn't be editing the lib anyway, follow the instructions in the guide. You should be modifying /etc/pam.d/system-auth. Just substitute the path to the pam_tally.so file on your system in place of the one in the guide like this:

Code:
Add the following two lines highlighted in bold to the /etc/pam.d/system-auth file as shown below:

auth        required      /lib/security/pam_env.so
auth        required      /lib/security/pam_tally.so onerr=fail no_magic_root
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_unix.so
account     required      /lib/security/pam_tally.so per_user deny=5 no_magic_root reset
account     sufficient    /lib/security/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/pam_permit.so
password    requisite     /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
Only add the lines in bold and don't modify any other lines.

I'm going to give you some advice here. You should not make any modifications to that file unless you can tell me how you are going to prevent root from getting locked out. The above instructions will lock all users including root out of the system after 5 failed logins. You absolutely must have a way to keep root from being locked out, otherwise the next time sshbrute is run against your system, root WILL BE LOCKED OUT and you will not be able to log on or su to root.

Last edited by Capt_Caveman; 04-04-2005 at 09:31 PM.
 
Old 04-04-2005, 10:12 PM   #12
wardialer
Member
 
Registered: Sep 2004
Distribution: SUSE Linux Pro 9.3
Posts: 375

Original Poster
Rep: Reputation: 30
Well, I'll take your WARNING... I will not do this at all...

Because I use very very very AND VERY STRONG Passwords for both ROOT and USER.... so I dont think there is no need for this. And plus, I am firewalled too...

Thanks dude..
 
Old 04-04-2005, 10:41 PM   #13
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
No problem, I think it's a wise choice. If you have good passwords, then you don't have anything to worry about. If you are still worried, switch to key-based authentication.
 
Old 02-19-2009, 08:25 AM   #14
victvishwa
LQ Newbie
 
Registered: May 2006
Posts: 20

Rep: Reputation: 0
Does this work in Redhat Enterprise Linux 5?

I tried the same , it didnt.

Thanks
Kasi VPS
 
Old 02-19-2009, 08:37 AM   #15
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654
Edit the /etc/pam.d/login (for Fedora anyway) file.

If there isn't a /var/log/faillog, you may need to create an empty file before it starts working.
sudo touch /var/log/faillog
 
  


Closed Thread


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
How to set the password policy and lockout policy bin_shell Linux - Security 4 03-24-2010 03:30 PM
Logging account lockout sbrewer Linux - Security 1 10-22-2005 03:48 PM
Strange account lockout problem thanhvn Linux - Software 2 06-28-2005 02:49 AM
Automatic Account lockout jimrt Linux - Security 3 03-26-2003 08:32 PM
Red Hat Account Lockout mcsestretch Linux - Security 1 03-18-2003 06:37 AM


All times are GMT -5. The time now is 09:02 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration