LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 09-26-2006, 12:32 AM   #1
moinpasha
LQ Newbie
 
Registered: Sep 2006
Posts: 14

Rep: Reputation: 0
Account lockout threshold


Hi. I want to prevent brute force attacks (password guessing) on my system. Account lockout threshold should basically specify the number of invalid logon attempts (e.g. 5) and then the account should be locked out.

Is there any method to achieve this?
 
Old 09-26-2006, 05:58 PM   #2
tangle
Senior Member
 
Registered: Apr 2002
Location: Arbovale, WV
Distribution: Slackware
Posts: 1,761

Rep: Reputation: 78
Are you talking about ssh or the local console?
 
Old 09-26-2006, 06:31 PM   #3
Micro420
Senior Member
 
Registered: Aug 2003
Location: Berkeley, CA
Distribution: Mac OS X Leopard 10.6.2, Windows 2003 Server/Vista/7/XP/2000/NT/98, Ubuntux64, CentOS4.8/5.4
Posts: 2,986

Rep: Reputation: 45
How do you do this in SSH?
 
Old 09-26-2006, 06:36 PM   #4
tangle
Senior Member
 
Registered: Apr 2002
Location: Arbovale, WV
Distribution: Slackware
Posts: 1,761

Rep: Reputation: 78
Quote:
Originally Posted by Micro420
How do you do this in SSH?
There is an entry in your /etc/ssh/sshd_config.
 
Old 09-26-2006, 09:37 PM   #5
pasupuleti
LQ Newbie
 
Registered: Sep 2006
Posts: 24

Rep: Reputation: 15
I want to do this in the local console.
 
Old 09-26-2006, 09:54 PM   #6
tangle
Senior Member
 
Registered: Apr 2002
Location: Arbovale, WV
Distribution: Slackware
Posts: 1,761

Rep: Reputation: 78
I think the "Max number of login retries if password is bad" in the login.defs file is what you are looking for.

http://www.linuxlots.com/~dunne//lw....passwords.html
http://weblog.cs.uiowa.edu/22C178s98/etc/login.defs
 
Old 09-26-2006, 11:40 PM   #7
moinpasha
LQ Newbie
 
Registered: Sep 2006
Posts: 14

Original Poster
Rep: Reputation: 0
I do not have anything that says "Max number of login retries if password is bad" in the login.defs file of /etc.

I was also told to do this:
___________________________

Add the following two lines (underlined in the original) to the /etc/pam.d/system-auth file as shown below:
Code:
auth required /lib/security/pam_env.so
# line to add: count every attempt; onerr=fail denies access if the tally file cannot be read
auth required /lib/security/pam_tally.so onerr=fail no_magic_root
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
# line to add: lock after deny=5 failures; reset clears the tally on success; per_user honours per-user limits from faillog
account required /lib/security/pam_tally.so per_user deny=5 no_magic_root reset
account sufficient /lib/security/pam_succeed_if.so uid < 100 quiet
account required /lib/security/pam_permit.so
password requisite /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so

But at the beginning of /etc/pam.d/system-auth it is mentioned that 'user changes will be destroyed the next time the file is run'.

So if I add my own text to this file, it's not getting accepted.

What do I do now?
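The pam_tally options in the stack quoted above (deny=5, reset, onerr=fail, per_user) interact in ways the bare configuration does not show. The following is an added example, not code from the thread or from Linux-PAM: a small in-memory Python model of the per-user counter that pam_tally keeps in /var/log/faillog. It assumes the documented order of operations (the auth-phase line bumps the tally before the password is checked; the account-phase line denies access once the tally exceeds the limit and otherwise resets it on success). The user names and limits are made up, and the exact boundary should be checked against the pam_tally man page of the version in use.

```python
"""Model of the lockout policy set by the two pam_tally lines
(deny=5, reset, onerr=fail, per_user).

Added example, not pam_tally's own code: an in-memory stand-in for the
per-user counters pam_tally keeps in /var/log/faillog. Assumed order of
operations: the auth-phase line bumps the tally before the password is
checked; the account-phase line denies access once the tally exceeds the
limit and otherwise resets it on success."""
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    deny: int = 5                          # deny=5 on the account line
    reset_on_success: bool = True          # the 'reset' option
    onerr_fail: bool = True                # onerr=fail: fail closed on storage errors
    per_user_limits: dict = field(default_factory=dict)  # per_user overrides (user -> limit)
    tally: dict = field(default_factory=dict)            # user -> failed-attempt count
    storage_ok: bool = True                # set False to simulate an unreadable tally file

    def limit_for(self, user):
        """per_user: a non-zero per-user limit wins over the global deny."""
        return self.per_user_limits.get(user, 0) or self.deny

    def attempt(self, user, password_ok):
        """One login attempt; returns True if the session would be granted."""
        if not self.storage_ok:
            # onerr=fail: a tally that cannot be read is treated as a failure;
            # onerr=succeed would let the attempt through instead
            return not self.onerr_fail
        # auth phase: pam_tally records the attempt before pam_unix checks the password
        self.tally[user] = self.tally.get(user, 0) + 1
        if not password_ok:
            return False                   # pam_unix fails, pam_deny ends the stack
        # account phase: a tally above the limit denies even a correct password
        if self.tally[user] > self.limit_for(user):
            return False
        if self.reset_on_success:          # 'reset': clear the count on success
            self.tally[user] = 0
        return True

    def is_locked(self, user):
        """True once the recorded failures have reached the limit for this user."""
        return self.tally.get(user, 0) >= self.limit_for(user)

    def unlock(self, user):
        """Administrative reset, the model's equivalent of 'faillog -u USER -r'."""
        self.tally[user] = 0


def demo():
    """Walk a made-up user 'bob' through five bad passwords, one good one
    while locked, an administrative unlock, and one good one afterwards."""
    policy = LockoutPolicy()
    results = [policy.attempt("bob", False) for _ in range(5)]
    results.append(policy.attempt("bob", True))   # correct password, but locked
    policy.unlock("bob")
    results.append(policy.attempt("bob", True))   # granted after the reset
    return results


if __name__ == "__main__":
    print(demo())
```

Two points the model makes visible: with reset, four failures followed by one success leave the counter at zero, so only consecutive failures lock the account; and onerr=fail means a missing or unreadable /var/log/faillog locks everyone out rather than silently disabling the limit, which is the safe failure mode for a lockout control.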
 
Old 09-27-2006, 02:07 AM   #8
filex
Member
 
Registered: Sep 2004
Posts: 56

Rep: Reputation: 15
Again, please check denyhosts
 
Old 09-27-2006, 02:31 AM   #9
moinpasha
LQ Newbie
 
Registered: Sep 2006
Posts: 14

Original Poster
Rep: Reputation: 0
Can I get a more detailed explanation please. What is it that you want me to check in hosts.deny? When I opened the file, I found nothing there.

Sorry to say this but I feel my mail was not read completely. When we don't explain the problem in detail, you complain. I had not just one but two issues there.
 
Old 09-28-2006, 05:48 AM   #10
moinpasha
LQ Newbie
 
Registered: Sep 2006
Posts: 14

Original Poster
Rep: Reputation: 0
Guys, my question is still unanswered. Will I be getting any help here???

I am using Fedora Core release 3 (Heidelberg)

kernel 2.6.9-1.667 on an i686.
 
Old 09-28-2006, 07:27 AM   #11
tangle
Senior Member
 
Registered: Apr 2002
Location: Arbovale, WV
Distribution: Slackware
Posts: 1,761

Rep: Reputation: 78
Quote:
Originally Posted by moinpasha
I am using Fedora Core release 3 (Heidelberg)
Fedora 3 is old, I would upgrade.

I am running Slackware 10.2. There are entries for LOGIN_RETRIES (Max number of login retries if password is bad) in /etc/login.defs. I am willing to bet it is in yours too.

I did a Google search and came up with this post in this forum. This guy is using RH 9 and has those entries.
http://www.linuxquestions.org/questi...d.php?t=450146

Since Fedora uses PAM, you might want to google for "set max login retries, PAM".

Or you might want to read the man page for login.
Code:
User Commands                                            login(1)

           SLEEPTIME
                 If present, sets the number of seconds  to  wait
                 before  the  login failure message is printed to
                 the screen. This is for any login failure  other
                 than   PAM_ABORT.   Another   login  attempt  is
                 allowed, providing RETRIES has not been  reached
                 or  the  PAM framework is returned PAM_MAXTRIES.
                 Default is 4 seconds. Minimum is 0 seconds. Max-
                 imum is 5 seconds.

           RETRIES
                 Sets the number of retries for logging  in  (see
                 pam(3PAM)). The default is 5.

           SYSLOG_FAILED_LOGINS
                 Used to determine how many failed login attempts
                 will  be  allowed  by the system before a failed
                 login message is logged,  using  the  syslog(3C)
                 LOG_NOTICE  facility.  For example, if the vari-
                 able is set to 0,  login  will  log  all  failed
                 login attempt
Quote:
Originally Posted by moinpasha
Guys, my question is still unanswered. Will I be getting any help here???
Usually when someone does not take the time to google and then gets pushy, I say screw them and ignore the thread. Just in case you have not noticed, none of us get paid here. You do not have to pay to post threads here. So, you should be more respectful when posting here. Straight up, no one here owes you anything. Especially doing your Google research.
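The man page excerpt quoted above ends with SYSLOG_FAILED_LOGINS, that is, failed logins are written to syslog. A lockout threshold such as deny=5 is enforced per account, so the log is also where a defender notices guessing that never trips it: a few attempts against each of many accounts from one source. The following is an added example, not from the thread: Python that parses the failed-login lines util-linux login and OpenSSH sshd write (on Fedora Core 3 they land in /var/log/secure) and counts failures per user and per source. The log lines, host name, addresses and user names are constructed.

```python
"""Count failed logins per user and per source in syslog output.

Added example, not from the thread. The sample lines are constructed in
the formats util-linux login ("FAILED LOGIN n FROM tty FOR user, reason")
and OpenSSH sshd ("Failed password for [invalid user ]NAME from ADDR port N")
write; host name, addresses and user names are made up."""
import re
from collections import defaultdict

# Constructed sample of /var/log/secure: four console failures for bob,
# six ssh failures from one address spread over several accounts, one
# success, and a single stray failure from a second address.
SAMPLE_LOG = """\
Sep 26 00:30:01 fc3 login[2201]: FAILED LOGIN 1 FROM (null) FOR bob, Authentication failure
Sep 26 00:30:09 fc3 login[2201]: FAILED LOGIN 2 FROM (null) FOR bob, Authentication failure
Sep 26 00:30:15 fc3 login[2201]: FAILED LOGIN 3 FROM (null) FOR bob, Authentication failure
Sep 26 00:30:22 fc3 login[2201]: FAILED LOGIN SESSION FROM (null) FOR bob, Authentication failure
Sep 26 00:31:02 fc3 sshd[2310]: Failed password for alice from 192.0.2.10 port 40111 ssh2
Sep 26 00:31:05 fc3 sshd[2311]: Failed password for alice from 192.0.2.10 port 40112 ssh2
Sep 26 00:31:09 fc3 sshd[2312]: Failed password for invalid user admin from 192.0.2.10 port 40113 ssh2
Sep 26 00:31:12 fc3 sshd[2313]: Failed password for invalid user test from 192.0.2.10 port 40114 ssh2
Sep 26 00:31:16 fc3 sshd[2314]: Failed password for root from 192.0.2.10 port 40115 ssh2
Sep 26 00:31:19 fc3 sshd[2315]: Failed password for alice from 192.0.2.10 port 40116 ssh2
Sep 26 00:31:25 fc3 sshd[2316]: Accepted password for alice from 192.0.2.10 port 40117 ssh2
Sep 26 00:32:40 fc3 sshd[2320]: Failed password for carol from 198.51.100.7 port 51000 ssh2
"""

# console logins: the tty is "(null)" when login runs without one
CONSOLE_RE = re.compile(r"login\[\d+\]: FAILED LOGIN (?:\d+|SESSION) FROM (\S+) FOR (\S+?),")
# sshd: "invalid user" marks names that do not exist on the host
SSH_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")


def parse_failures(log_text):
    """Return one (user, source) pair per failed-login line; successes are skipped."""
    records = []
    for line in log_text.splitlines():
        m = CONSOLE_RE.search(line)
        if m:
            source = "console" if m.group(1) == "(null)" else m.group(1)
            records.append((m.group(2), source))
            continue
        m = SSH_RE.search(line)
        if m:
            records.append((m.group(1), m.group(2)))
    return records


def count_by(records, index):
    """Tally records by user (index 0) or by source (index 1)."""
    counts = defaultdict(int)
    for record in records:
        counts[record[index]] += 1
    return dict(counts)


def find_brute_force(log_text, threshold=5):
    """Name every user and every source whose failure count reached the threshold."""
    records = parse_failures(log_text)
    by_user = count_by(records, 0)
    by_source = count_by(records, 1)
    return {
        "users": sorted(u for u, n in by_user.items() if n >= threshold),
        "sources": sorted(s for s, n in by_source.items() if n >= threshold),
    }


if __name__ == "__main__":
    print(find_brute_force(SAMPLE_LOG))
```

On the sample, a per-user threshold of 5 (the same figure as the pam_tally deny=5 in the thread) flags nobody, because no single account collected five failures, while the per-source count flags 192.0.2.10 with six. That is the gap a per-account lockout leaves, and a per-source tool such as the denyhosts mentioned earlier in the thread, or the same counting run as a periodic job, is what closes it.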