ftp/sftp user account lockout threshold
Johan Booysen
johan at matrix-data.co.uk
Thu Aug 9 08:45:45 UTC 2007
I've finally gotten round to implementing the pam_tally module. It does
seem to do the trick, but I've noticed that using the following line
actually allows for 4 logon attempts:
account required /lib/security/$ISA/pam_tally.so deny=3 no_magic_root
reset
Is that how it's supposed to work?
Thanks!
Johan
-----Original Message-----
From: redhat-list-bounces at redhat.com
[mailto:redhat-list-bounces at redhat.com] On Behalf Of Bill Tangren
Sent: 24 July 2007 18:17
To: General Red Hat Linux discussion list
Subject: Re: ftp/sftp user account lockout threshold
Johan Booysen wrote:
> Bill,
>
> Firstly, something I don't quite understand is where on that page the
> author says:
>
> "The no_magic_root option ensures that accounts with a UID of 0 are
> tallied. You can change this option to magic_root to reverse this
> behaviour."
>
> Does this mean that the root account will potentially be locked out?
No. It simply allows me to keep an eye on failed su's to root the way I
keep track of other users failed attempts to log in.
> Surely not, but I don't understand what the no_magic_root/magic_root
> would then do.
>
> Also, the author says:
>
> The last option, per_user, allows you to exclude accounts from locking
> if the accounts have a maximum login failure set explicitly. This
> exclusion of accounts allows you to specify some accounts that won't
be
> locked and thus prevent them being the target of a potential Denial of
> Service attack. I recommend you exclude any accounts whose disablement
> will cause availability issues for applications or databases, for
> example the user account that runs a database process. Account
exclusion
> are specified using the faillog command:
>
> # faillog -u mysql -m -1
>
> What are your views on doing this for all service accounts?
I don't worry about it. ssh is the only way into my system remotely, and
I only
allow a very limited range of IP numbers to even get a login prompt, and
those
are restricted to only certain valid user accounts.
>
> Thanks again.
>
> Johan
>
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
More information about the redhat-list
mailing list