Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
On my machines I have the pam_tally2 module set up so that it will lock an account after 3 consecutive failed logon attempts. I would like the account to be automatically unlocked after 10 minutes instead of using 'pam_tally2 -u user -r'.
I would like to find out if there is any security risk in doing that, given that the servers have to meet the highest security standards. Would you be able to point me in the right direction?
PAM requires a strong password, so a dictionary attack doesn't seem to be an issue, but I don't know for sure.
Would be grateful for any advice.
Cheers!
If you first implement a policy of locking an account after 3 consecutive failed logon attempts, then doesn't requesting automagical unlocking completely subvert that same policy?
Not really. The account isn't automatically unlocked 10 minutes after it gets locked. It would be unlocked 10 minutes after the last login attempt after it was locked. So, if someone keeps trying to access the account, even with the correct password, the unlock timer keeps resetting, and the account won't unlock until 10 minutes after login attempts stop.
There shouldn't be any additional risk as long as you set the silent option as well.
Since the unlock time is based on the last login attempt after the lock, if someone keeps trying to access the account, the account will remain locked until 10 minutes after the attempts stop. A system admin might just unlock the account without checking if someone is currently trying to break in.
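The lock behaviour described in the two replies above (the unlock window counted from the last attempt after the lock, and the difference the silent option makes) as an added Python model. This is example code written for this thread, not pam_tally2's source and not something any of the participants posted. The two control lines, the user name alice and the login timings are constructed, and the model simplifies the real module: it assumes the tally is bumped before the password is checked, that a missing unlock_time means the lock only ends with a manual reset, and that an expired window starts a fresh count.

```python
from dataclasses import dataclass, field

# Constructed pam_tally2 control lines (not copied from the original post):
# the first is the automatic-unlock setup the question asks about, with the
# silent flag suggested in the reply; the second locks until an admin runs
# 'pam_tally2 -u alice -r'.
CONFIG_AUTO_UNLOCK = "auth required pam_tally2.so deny=3 unlock_time=600 silent"
CONFIG_MANUAL_UNLOCK = "auth required pam_tally2.so deny=3"

# Constructed login sequence as (seconds since first attempt, password correct?).
# Three wrong passwords, then someone holding the real password keeps trying
# while the lock is live.
LOGIN_SEQUENCE = [(0, False), (1, False), (2, False),
                  (3, True), (300, True), (700, True), (1300, True)]


def parse_tally_options(line: str) -> dict:
    """Extract deny=, unlock_time= and the silent flag from a pam_tally2 line."""
    opts = {"deny": 0, "unlock_time": 0, "silent": False}
    for arg in line.split("pam_tally2.so", 1)[1].split():
        key, _, value = arg.partition("=")
        if key in ("deny", "unlock_time"):
            opts[key] = int(value)
        elif key == "silent":
            opts["silent"] = True
    return opts


@dataclass
class TallyRecord:
    fail_cnt: int = 0
    fail_time: int = 0  # time of the most recent attempt, as kept in the tally log


@dataclass
class TallyModel:
    """Simplified model of pam_tally2's auth step (assumed semantics, see text)."""
    opts: dict
    records: dict = field(default_factory=dict)
    messages: list = field(default_factory=list)  # what a non-silent module would print

    def attempt(self, user: str, password_ok: bool, now: int) -> str:
        rec = self.records.setdefault(user, TallyRecord())
        deny, unlock = self.opts["deny"], self.opts["unlock_time"]
        over_limit = deny > 0 and rec.fail_cnt >= deny      # deny=0 means never lock
        # unlock_time absent (0) means the lock never expires by itself.
        window_open = unlock == 0 or now < rec.fail_time + unlock
        locked = over_limit and window_open
        if over_limit and not window_open:
            rec.fail_cnt = 0          # assumption: an expired lock starts a fresh count
        # The tally is bumped before the password is looked at, so every attempt,
        # correct password included, moves fail_time forward and extends a live lock.
        rec.fail_cnt += 1
        rec.fail_time = now
        if locked:
            if not self.opts["silent"]:
                self.messages.append(
                    f"Account locked due to {rec.fail_cnt} failed logins")
            return "locked"
        if password_ok:
            rec.fail_cnt = 0          # a successful login clears the tally
            return "ok"
        return "fail"

    def reset(self, user: str) -> None:
        """Same effect as 'pam_tally2 -u USER -r'."""
        self.records[user] = TallyRecord()


def run_scenario(config_line: str):
    """Replay LOGIN_SEQUENCE for user 'alice' and return (outcomes, model)."""
    model = TallyModel(parse_tally_options(config_line))
    outcomes = [model.attempt("alice", ok, t) for t, ok in LOGIN_SEQUENCE]
    return outcomes, model


if __name__ == "__main__":
    for cfg in (CONFIG_AUTO_UNLOCK, CONFIG_MANUAL_UNLOCK):
        outcomes, model = run_scenario(cfg)
        print(cfg)
        print("  ", outcomes)
        print("  ", model.messages or "(silent)")
```

With the auto-unlock line the sequence only ends in "ok" at t=1300, which is 600 s after the previous attempt at t=700, not 600 s after the third failure at t=2: each attempt during the lock pushes the window forward, which is the point made above. The manual line stays "locked" for every later attempt until reset() stands in for pam_tally2 -u alice -r. Without silent, messages collects the "Account locked" text that would otherwise be shown to whoever is at the prompt, attacker included.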
Okay, how about the 10 min. period? From the user's perspective it should be the shortest possible period. From the attacker's perspective it should be the longest. How can I justify 10 min. but not, for example, 5 min.? Or is the difference so marginal that 5 min. is still ok?
I've generally seen anywhere from 5 minutes to 60 minutes, with 10 minutes seeming to be the most common, which I suspect is because it seems to be used in a lot of examples. Often, the unlock time was dictated by corporate policies, so we didn't really have any choice.
In my experience, as long as the users' expectations are set correctly, they adjust ok to whatever time you use.
If locking is a mechanism to deny tampering, then automatic unlocking does pose a risk because you simply re-enable the interface. This is especially worrying if policy documents say "highest security standards" and "strong password" but those aren't enforced and audited against, services with weak auth methods are still accessible, or users (admins are users too) find ways to subvert or ignore things, etc, etc. I'd confine automatic unlocking to situations where additional measures are already in place, like private LANs, and ensure logins do not give access to services and data you'd have problems explaining once exfiltrated. And indeed, if this is a company or institutional setting, then company policies / compliance regulations should dictate what's allowed and what isn't: none of the systems I'm responsible for do, or will ever, allow any such automatic unlocking.