ftp/sftp user account lockout threshold
Johan Booysen
johan at matrix-data.co.uk
Tue Jul 24 15:20:12 UTC 2007
Bill,
Thanks very much for your reply.
I've also come across this explanation on the Internet:
http://searchenterpriselinux.techtarget.com/tip/0,289483,sid39_gci121357
0,00.html
Firstly, something I don't quite understand is where on that page the
author says:
"The no_magic_root option ensures that accounts with a UID of 0 are
tallied. You can change this option to magic_root to reverse this
behaviour."
Does this mean that the root account will potentially be locked out?
Surely not, but I don't understand what the no_magic_root/magic_root
would then do.
Also, the author says:
The last option, per_user, allows you to exclude accounts from locking
if the accounts have a maximum login failure set explicitly. This
exclusion of accounts allows you to specify some accounts that won't be
locked and thus prevent them being the target of a potential Denial of
Service attack. I recommend you exclude any accounts whose disablement
will cause availability issues for applications or databases, for
example the user account that runs a database process. Account exclusion
are specified using the faillog command:
# faillog -u mysql -m -1
What are your views on doing this for all service accounts?
Thanks again.
Johan
-----Original Message-----
From: redhat-list-bounces at redhat.com
[mailto:redhat-list-bounces at redhat.com] On Behalf Of Bill Tangren
Sent: 24 July 2007 15:26
To: General Red Hat Linux discussion list
Subject: Re: ftp/sftp user account lockout threshold
Johan Booysen wrote:
> Hi,
>
> Thanks for your reply.
>
> I find using pam modules a bit confusing at the moment. Does anyone
> know of a good example on how to use pam_tally in this way?
>
> Thanks.
>
> Johan
>
Add these lines to /etc/pam.d/system-auth
auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
account required /lib/security/$ISA/pam_tally.so deny=3 no_magic_root
reset
Next, make a faillog:
# touch /var/log/faillog
Also, make sure /etc/pam.d/xscreensaver does not call system-auth, or
you will not be able to unlock your screensaver. This is because
xscreensaver doesn't have the rights to write to the faillog. I copied
the contents of system-auth and put it in xscreensaver, and then I
removed the pam_tally lines. Overkill probably, but it works for me.
> -----Original Message-----
> From: redhat-list-bounces at redhat.com
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of Bill Tangren
> Sent: 23 July 2007 16:09
> To: General Red Hat Linux discussion list
> Subject: Re: ftp/sftp user account lockout threshold
>
> Johan Booysen wrote:
>> Dear all,
>>
>> Does anyone know if it's possible to set up a vsftpd and/or sftp
>> server so that (for example) after 3 unsuccessful logon attempts, a
>> user's account is locked out or disabled?
>>
>> I've done a bit of quick googling on this issue, but have come up
>> empty so far.
>>
>> Thanks very much.
>>
>> Johan
>>
>
> pam can use pam_tally to do this.
>
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
More information about the redhat-list
mailing list