Authentication problems with pam_tally2 and Ansible
Dylan Martin
dmartin at seattlecentral.edu
Thu Dec 1 16:18:25 UTC 2016
Have you considered the problem of getting locked out of your computers
because some bozo on the Internet is trying a brute force attack? I get
something like 20,000 failed logins for root every day. You might as well
just turn off root login at the ssh config.
I use Fail2ban (there are others) to block the source IP of the attacker. I
only block it for 15 minutes or so, but it's enough to slow down the
attacker and blunt the attack. Block the bad guy, not yourself or your
users. :-)
Good Luck!
-Dylan
On Dec 1, 2016 12:36 AM, "Marko Asplund" <marko.asplund at gmail.com> wrote:
> The explanation seems to be that pam_tally2 records a failed login when
> the login command is started, even before a password is entered. Normally, the
> failed logins counter is reset when the user enters the correct password.
>
> For login this works correctly when the following line is added in pam
> config (common-auth):
>
> auth required pam_tally2.so file=/var/log/tallylog deny=5 even_deny_root unlock_time=1200 serialize
>
> However, when using sudo, the counter only gets reset when the following
> line is added to pam configuration (common-account):
>
> account required pam_tally2.so
>
> Why is the behaviour different for login and sudo?
> Is this a bug?
>
> I think this is a bit confusing and it might be good to explain it in more
> detail on the man page (and the examples section).
>
> marko
>
> _______________________________________________
> Pam-list mailing list
> Pam-list at redhat.com
> https://www.redhat.com/mailman/listinfo/pam-list
>
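Added example, not part of this thread or of pam_tally2/Fail2ban: a Python replay of a simplified pam_tally2-style counter (assumed model: tally bumped when the attempt starts, as the quoted mail describes; denied once the tally exceeds `deny`; released after `unlock_time` quiet seconds; reset only by a successful authentication) over constructed sshd log lines. Keying the counter by user, as pam_tally2 does, locks out the real admin during a brute-force run; keying it by source IP, as Fail2ban does, blocks only the attacker. The `parse` and `tally` functions and the sample IPs are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines (not from the thread): a brute-forcer hammers root, then the admin logs in.
SAMPLE_LOG = """\
Dec  1 10:00:01 host sshd[100]: Failed password for root from 203.0.113.5 port 4000 ssh2
Dec  1 10:00:02 host sshd[101]: Failed password for root from 203.0.113.5 port 4001 ssh2
Dec  1 10:00:03 host sshd[102]: Failed password for root from 203.0.113.5 port 4002 ssh2
Dec  1 10:00:04 host sshd[103]: Failed password for root from 203.0.113.5 port 4003 ssh2
Dec  1 10:00:05 host sshd[104]: Failed password for root from 203.0.113.5 port 4004 ssh2
Dec  1 10:00:06 host sshd[105]: Failed password for root from 203.0.113.5 port 4005 ssh2
Dec  1 10:05:00 host sshd[106]: Failed password for root from 192.0.2.10 port 5000 ssh2
Dec  1 10:05:10 host sshd[107]: Accepted password for root from 192.0.2.10 port 5001 ssh2
Dec  1 10:25:20 host sshd[108]: Accepted password for root from 192.0.2.10 port 5002 ssh2
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)")

def parse(log, year=2016):
    """Return (timestamp, failed?, user, source_ip) for each sshd password event."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            stamp = f"{year} {' '.join(m['ts'].split())}"   # syslog omits the year
            events.append((datetime.strptime(stamp, "%Y %b %d %H:%M:%S"),
                           m["result"] == "Failed", m["user"], m["ip"]))
    return events

def tally(events, key, deny=5, unlock_time=1200):
    """Replay events through a simplified pam_tally2-style counter (assumed model).
    key is "user" (what pam_tally2 counts on) or "ip" (what Fail2ban counts on).
    Returns (key, outcome) per attempt, outcome in {"failed", "denied", "ok"}."""
    count, last_seen, outcomes = defaultdict(int), {}, []
    for ts, failed, user, ip in events:
        k = user if key == "user" else ip
        prev = last_seen.get(k)
        if count[k] > deny and prev and (ts - prev).total_seconds() >= unlock_time:
            count[k] = 0                      # unlock_time has elapsed: lock released
        count[k] += 1                         # bumped before the password is checked
        last_seen[k] = ts
        if count[k] > deny:
            outcomes.append((k, "denied"))    # locked out, even with the right password
        elif failed:
            outcomes.append((k, "failed"))
        else:
            count[k] = 0                      # correct password resets the tally
            outcomes.append((k, "ok"))
    return outcomes
```

With `key="user"` the admin's correct password at 10:05:10 is denied because the attacker already pushed root's tally past `deny`; with `key="ip"` the same login succeeds and only 203.0.113.5 is locked.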