LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 10-28-2015, 11:35 AM   #1
schedar
LQ Newbie
 
Registered: Apr 2015
Location: Poland
Distribution: Centos 7
Posts: 16

Rep: Reputation: Disabled
[RHEL] pam_tally2 automatic unlock


Hello All,

On my machines I have pam_tally2 module that will lock account after 3 consecutive failed logon attempts. I would like the account to be automatically unlocked after 10 minutes instead of using 'pam_tally2 -u user -r'.
I would like to find out if there is any security risk in doing that provided that servers have to have the highest security standards. Would you be able to point me into right direction?

PAM requires strong password so dictionary attack doesn't seem to be an issue, but I don't know for sure.

Would be grateful for any advice.
Cheers!
 
Old 10-29-2015, 02:25 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582
If you first implement a policy by locking an account after 3 consecutive failed logon attempts then doesn't requesting automagical unlocking completely subvert that same policy?..
 
Old 10-29-2015, 07:26 AM   #3
sgrlscz
Member
 
Registered: Aug 2008
Posts: 115

Rep: Reputation: 82
Quote:
Originally Posted by unSpawn View Post
If you first implement a policy by locking an account after 3 consecutive failed logon attempts then doesn't requesting automagical unlocking completely subvert that same policy?..
Not really. The account isn't automatically unlocked 10 minutes after it gets locked. It would be unlocked 10 minutes after the last login attempt after it was locked. So, if someone keeps trying to access the account, even with the correct password, the unlock timer keeps resetting, and the account won't unlock until 10 minutes after login attempts stop.
 
Old 10-29-2015, 07:39 AM   #4
sgrlscz
Member
 
Registered: Aug 2008
Posts: 115

Rep: Reputation: 82
Quote:
Originally Posted by schedar View Post
Hello All,

On my machines I have pam_tally2 module that will lock account after 3 consecutive failed logon attempts. I would like the account to be automatically unlocked after 10 minutes instead of using 'pam_tally2 -u user -r'.
I would like to find out if there is any security risk in doing that provided that servers have to have the highest security standards. Would you be able to point me into right direction?

PAM requires strong password so dictionary attack doesn't seem to be an issue, but I don't know for sure.

Would be grateful for any advice.
Cheers!
There shouldn't be any additional risk as long as you set the silent option as well.

Since the unlock time is based on the last login attempt after the lock, if someone keeps trying to access the account, the account will remain locked until 10 minutes after the attempts stop. A system admin might just unlock the account without checking if someone is currently trying to break in.
 
Old 10-29-2015, 03:36 PM   #5
schedar
LQ Newbie
 
Registered: Apr 2015
Location: Poland
Distribution: Centos 7
Posts: 16

Original Poster
Rep: Reputation: Disabled
Okay, how about 10 min. period? From user perspective it should be the shortest period. From perspective of attacker is should be the longest. How can I justify 10 min. but not for example 5 min.? or is the difference so marginal that 5 min. is still ok?
 
Old 10-29-2015, 03:48 PM   #6
ron7000
Member
 
Registered: Nov 2007
Location: CT
Posts: 248

Rep: Reputation: 26
http://www.cyberciti.biz/tips/lock-u...-attempts.html

^^ they say edit the "system-auth" file. For me in SLES it is /etc/pam.d/login.
In mine i put the following line at the beginning of that file.

auth required pam_tally.so onerr=fail deny=3 unlock_time=600


deny=3 locks account after 3 failed attempts, and 600 is 10 minutes
 
Old 10-30-2015, 05:42 AM   #7
sgrlscz
Member
 
Registered: Aug 2008
Posts: 115

Rep: Reputation: 82
I've generally seen anywhere from 5 minutes to 60 minutes, with 10 minutes seeming to be the most common, which I suspect is because it seems to be used in a lot of examples. Often, the unlock time was dictated by corporate policies, so we didn't really have any choice.

In my experience, as long as the users' expectations are set correctly, they adjust ok to whatever time you use.
 
Old 10-31-2015, 08:15 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582
Quote:
Originally Posted by schedar View Post
I would like to find out if there is any security risk in doing that provided that servers have to have the highest security standards.
If locking is a mechanism to deny tampering then automatic unlocking does pose a risk because you simply re-enable the interface. Especially worrying if policy documents may say "highest security standards" and "strong password" but those aren't enforced and audited against, services with weak auth methods are still accessible or users (admins are users too) find ways to subvert or ignore things, etc, etc. I'd confine automatic unlocking to situations where additional measures are already in place like private lans and ensure logins do not give access to services and data you'd have problems explaining once exfiltrated. And indeed, if this is a company or institutional setting, then company policies / compliance regulations should dictate what's allowed and what not: none of the systems I'm responsible for do, or will ever, allow any such automatic unlocking.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
to unlock Linux rhel 7 screen through remote ssh sriramstorage Linux - Newbie 3 12-17-2014 01:51 AM
RHEL 6.2 Authentication through winbind and AD won't allow unlock of screen. kreckner Red Hat 0 06-14-2013 05:44 PM
RHEL root password automatic change idlehands Linux - Security 15 05-10-2011 09:05 AM
automatic unmounting problem in RHEL 4 bineeshms Linux - Server 1 05-23-2008 01:32 AM
Using RHEL 64bit Not sure how to unlock an account mccartjd Linux - Newbie 2 04-24-2008 06:26 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 05:08 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration