09-26-2006, 01:32 AM
|
#1
|
LQ Newbie
Registered: Sep 2006
Posts: 14
Rep:
|
Account lockout threshold
Hi. I want to prevent brute force attacks (password guessing) on my system. Account lockout threshold should basically specify the number of invalid logon attempts (e.g. 5) and then the account should be locked out.
Is there any method to achieve this?
|
|
|
09-26-2006, 06:58 PM
|
#2
|
Senior Member
Registered: Apr 2002
Location: Arbovale, WV
Distribution: Slackware
Posts: 1,761
Rep:
|
Are you talking about ssh or the local console?
|
|
|
09-26-2006, 07:31 PM
|
#3
|
Senior Member
Registered: Aug 2003
Location: Berkeley, CA
Distribution: Mac OS X Leopard 10.6.2, Windows 2003 Server/Vista/7/XP/2000/NT/98, Ubuntux64, CentOS4.8/5.4
Posts: 2,986
Rep:
|
How do you do this in SSH?
|
|
|
09-26-2006, 07:36 PM
|
#4
|
Senior Member
Registered: Apr 2002
Location: Arbovale, WV
Distribution: Slackware
Posts: 1,761
Rep:
|
Quote:
Originally Posted by Micro420
How do you do this in SSH?
|
There is an entry in your /etc/ssh/sshd_config.
|
|
|
09-26-2006, 10:37 PM
|
#5
|
LQ Newbie
Registered: Sep 2006
Posts: 24
Rep:
|
I want to do this in the local console.
|
|
|
09-27-2006, 12:40 AM
|
#7
|
LQ Newbie
Registered: Sep 2006
Posts: 14
Original Poster
Rep:
|
I do not have anything that says "Max number of login retries if password is bad" in the login.defs file in /etc.
I was also told to do this:
Add the following two lines underlined to the /etc/pam.d/system-auth file as shown below:
auth required /lib/security/pam_env.so
auth required /lib/security/pam_tally.so onerr=fail no_magic_root
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account required /lib/security/pam_tally.so per_user deny=5 no_magic_root reset
account sufficient /lib/security/pam_succeed_if.so uid < 100 quiet
account required /lib/security/pam_permit.so
password requisite /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
But at the beginning of /etc/pam.d/system-auth it is mentioned that 'user changes will be destroyed the next time the file is run'.
So if I add my own text to this file, it's not getting accepted.
What do I do now?
|
|
|
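Added example, not part of the thread: a shell check that reads a PAM stack file and reports whether the two pam_tally.so lines from post #7 are present and which deny= value the account line carries, so /etc/pam.d/system-auth can be re-checked after it has been regenerated. The function names and the sample stack are constructed for illustration.

```shell
#!/bin/sh
# check_pam_tally FILE
#   Prints a one-line verdict. Exit status 0 = both pam_tally.so lines are
#   present and the account line carries deny=N; 1 = something is missing.
check_pam_tally() {
    awk '
        /^[ \t]*#/ || NF < 3 { next }        # skip comments and short lines
        {
            for (i = 2; i <= NF; i++) {
                if ($i !~ /(^|\/)pam_tally\.so$/) continue
                if ($1 == "auth") auth = 1   # line added to the auth stack
                if ($1 == "account")         # deny= sits on the account line here
                    for (j = i + 1; j <= NF; j++)
                        if ($j ~ /^deny=[0-9]+$/) deny = substr($j, 6)
            }
        }
        END {
            if (!auth)      { print "missing: auth pam_tally.so"; exit 1 }
            if (deny == "") { print "missing: account pam_tally.so deny=N"; exit 1 }
            print "pam_tally present in auth and account, deny=" deny
        }
    ' "$1"
}

# Constructed sample: the auth/account part of the stack quoted in post #7.
sample_stack() {
    cat <<'EOF'
#%PAM-1.0
auth     required   /lib/security/pam_env.so
auth     required   /lib/security/pam_tally.so onerr=fail no_magic_root
auth     sufficient /lib/security/pam_unix.so likeauth nullok
auth     required   /lib/security/pam_deny.so
account  required   /lib/security/pam_unix.so
account  required   /lib/security/pam_tally.so per_user deny=5 no_magic_root reset
account  sufficient /lib/security/pam_succeed_if.so uid < 100 quiet
account  required   /lib/security/pam_permit.so
EOF
}

# Demo run against the constructed sample (point it at the real file instead).
demo_file=$(mktemp)
sample_stack > "$demo_file"
check_pam_tally "$demo_file"
rm -f "$demo_file"
```

A non-zero exit status makes the check usable from cron or a configuration-management run to flag a file where the lockout lines are no longer present.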
09-27-2006, 03:07 AM
|
#8
|
Member
Registered: Sep 2004
Posts: 56
Rep:
|
Again, please check denyhosts
|
|
|
09-27-2006, 03:31 AM
|
#9
|
LQ Newbie
Registered: Sep 2006
Posts: 14
Original Poster
Rep:
|
Can I get a more detailed explanation, please? What is it that you want me to check in hosts.deny? When I opened the file, I found nothing there.
Sorry to say this, but I feel my mail was not read completely. When we don't explain the problem in detail, you complain. I had not just one but two issues there.
|
|
|
09-28-2006, 06:48 AM
|
#10
|
LQ Newbie
Registered: Sep 2006
Posts: 14
Original Poster
Rep:
|
Guys, my question is still unanswered. Will I be getting any help here???
I am using Fedora Core release 3 (Heidelberg),
kernel 2.6.9-1.667 on an i686.
|
|
|
09-28-2006, 08:27 AM
|
#11
|
Senior Member
Registered: Apr 2002
Location: Arbovale, WV
Distribution: Slackware
Posts: 1,761
Rep:
|
Quote:
Originally Posted by moinpasha
i am using a Fedora core release 3(Heidelberg)
|
Fedora 3 is old, I would upgrade.
I am running Slackware 10.2. There are entries for LOGIN_RETRIES (Max number of login retries if password is bad) in /etc/login.defs. I am willing to bet it is in yours too.
I did a google search and came up with this post in this forum. This guy is using RH 9 and has those entries.
http://www.linuxquestions.org/questi...d.php?t=450146
Since Fedora uses PAM, you might want to google for "set max login retries,PAM".
Or you might want to read the man page for login.
Code:
User Commands login(1)
SLEEPTIME
If present, sets the number of seconds to wait
before the login failure message is printed to
the screen. This is for any login failure other
than PAM_ABORT. Another login attempt is
allowed, providing RETRIES has not been reached
or the PAM framework is returned PAM_MAXTRIES.
Default is 4 seconds. Minimum is 0 seconds. Max-
imum is 5 seconds.
RETRIES
Sets the number of retries for logging in (see
pam(3PAM)). The default is 5.
SYSLOG_FAILED_LOGINS
Used to determine how many failed login attempts
will be allowed by the system before a failed
login message is logged, using the syslog(3C)
LOG_NOTICE facility. For example, if the vari-
able is set to 0, login will log all failed
login attempt
Quote:
Originally Posted by moinpasha
Guys my question is still unanswered.will i be getting any help here???
|
Usually when someone does not take the time to google and then gets pushy, I say screw them and ignore the thread. Just in case you have not noticed, none of us get paid here. You do not have to pay to post threads here. So, you should be more respectful when posting here. Straight up, no one here owes you anything. Especially doing your google research.
|
|
|
All times are GMT -5. The time now is 07:34 AM.