ftp/sftp user account lockout threshold

Johan Booysen johan at matrix-data.co.uk
Thu Aug 9 08:45:45 UTC 2007


I've finally gotten round to implementing the pam_tally module.  It does
seem to do the trick, but I've noticed that using the following line
actually allows for 4 logon attempts:

account required /lib/security/$ISA/pam_tally.so deny=3 no_magic_root reset

Is that how it's supposed to work?

Thanks!

Johan 

-----Original Message-----
From: redhat-list-bounces at redhat.com
[mailto:redhat-list-bounces at redhat.com] On Behalf Of Bill Tangren
Sent: 24 July 2007 18:17
To: General Red Hat Linux discussion list
Subject: Re: ftp/sftp user account lockout threshold

Johan Booysen wrote:
> Bill,
> 
> Firstly, something I don't quite understand is where on that page the 
> author says:
> 
> "The no_magic_root option ensures that accounts with a UID of 0 are 
> tallied. You can change this option to magic_root to reverse this 
> behaviour."
> 
> Does this mean that the root account will potentially be locked out?


No. It simply allows me to keep an eye on failed su's to root the way I
keep track of other users' failed attempts to log in.


> Surely not, but I don't understand what the no_magic_root/magic_root
> would then do.
> 
> Also, the author says:
> 
> The last option, per_user, allows you to exclude accounts from locking
> if the accounts have a maximum login failure set explicitly. This
> exclusion of accounts allows you to specify some accounts that won't be
> locked and thus prevent them being the target of a potential Denial of
> Service attack. I recommend you exclude any accounts whose disablement
> will cause availability issues for applications or databases, for
> example the user account that runs a database process. Account exclusions
> are specified using the faillog command:
> 
> # faillog -u mysql -m -1
> 
> What are your views on doing this for all service accounts?

I don't worry about it. ssh is the only way into my system remotely, and
I only allow a very limited range of IP numbers to even get a login prompt,
and those are restricted to only certain valid user accounts.

> 
> Thanks again.
> 
> Johan
> 
