ftp/sftp user account lockout threshold

Johan Booysen johan at matrix-data.co.uk
Tue Jul 24 15:20:12 UTC 2007


Bill,

Thanks very much for your reply.

I've also come across this explanation on the Internet:
http://searchenterpriselinux.techtarget.com/tip/0,289483,sid39_gci1213570,00.html

Firstly, something I don't quite understand is where on that page the
author says:

"The no_magic_root option ensures that accounts with a UID of 0 are
tallied. You can change this option to magic_root to reverse this
behaviour."

Does this mean that the root account will potentially be locked out?
Surely not, but I don't understand what the no_magic_root/magic_root
would then do.

Also, the author says:

The last option, per_user, allows you to exclude accounts from locking
if the accounts have a maximum login failure set explicitly. This
exclusion of accounts allows you to specify some accounts that won't be
locked and thus prevent them being the target of a potential Denial of
Service attack. I recommend you exclude any accounts whose disablement
will cause availability issues for applications or databases, for
example the user account that runs a database process. Account exclusions
are specified using the faillog command:

# faillog -u mysql -m -1

What are your views on doing this for all service accounts?

Thanks again.

Johan



-----Original Message-----
From: redhat-list-bounces at redhat.com
[mailto:redhat-list-bounces at redhat.com] On Behalf Of Bill Tangren
Sent: 24 July 2007 15:26
To: General Red Hat Linux discussion list
Subject: Re: ftp/sftp user account lockout threshold

Johan Booysen wrote:
> Hi,
> 
> Thanks for your reply.
> 
> I find using pam modules a bit confusing at the moment.  Does anyone 
> know of a good example on how to use pam_tally in this way?
> 
> Thanks.
> 
> Johan
> 

Add these lines to /etc/pam.d/system-auth

auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root

account required /lib/security/$ISA/pam_tally.so deny=3 no_magic_root reset

Next, make a faillog:

# touch /var/log/faillog

Also, make sure /etc/pam.d/xscreensaver does not call system-auth, or
you will not be able to unlock your screensaver. This is because
xscreensaver doesn't have the rights to write to the faillog. I copied
the contents of system-auth and put it in xscreensaver, and then I
removed the pam_tally lines. Overkill probably, but it works for me.


> -----Original Message-----
> From: redhat-list-bounces at redhat.com
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of Bill Tangren
> Sent: 23 July 2007 16:09
> To: General Red Hat Linux discussion list
> Subject: Re: ftp/sftp user account lockout threshold
> 
> Johan Booysen wrote:
>> Dear all,
>>
>> Does anyone know if it's possible to set up a vsftpd and/or sftp 
>> server so that (for example) after 3 unsuccessful logon attempts, a 
>> user's account is locked out or disabled?
>>
>> I've done a bit of quick googling on this issue, but have come up 
>> empty so far.
>>
>> Thanks very much.
>>
>> Johan
>>
> 
> pam can use pam_tally to do this.
> 

-- 

redhat-list mailing list
unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
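The model below is an added illustration and is not part of any post in this thread, nor pam_tally's own code. It simulates the lockout policy the thread configures (deny=3, reset, no_magic_root / magic_root, and per_user with a faillog-style per-account maximum, where a negative maximum stands for "never lock" as the quoted article intends with `faillog -u mysql -m -1`) so that the effect of excluding a service account can be seen directly: its failures are still counted, but it is never denied, which also means it is not throttled against password guessing. The uid table and the login sequences are constructed sample data. One caveat on the root question: pam_tally's documented magic_root option exempts the tally when the module is invoked by a process running as uid 0 (for example su), not the account being authenticated; the model simplifies that to the account's uid and says so in a comment.

```python
"""Simplified model of the pam_tally lockout policy discussed in this thread.

Added illustration, not pam_tally's source code and not part of the original
posts. Real pam_tally keeps its counters in /var/log/faillog; this model keeps
them in a dict. The magic_root rule is simplified to "the account has uid 0";
the real module looks at the uid of the process invoking PAM.
"""
from dataclasses import dataclass, field

# Constructed sample uid table; only uid 0 matters for the magic_root rule.
USERS = {"root": 0, "johan": 1000, "mysql": 27}


@dataclass
class TallyPolicy:
    deny: int = 3                  # deny=N: lock once the tally reaches N
    reset_on_success: bool = True  # reset: clear the tally after a good login
    no_magic_root: bool = True     # no_magic_root: uid 0 is tallied like anyone else
    per_user: bool = False         # per_user: honour a per-account maximum
    per_user_max: dict = field(default_factory=dict)  # user -> faillog -m value


def effective_limit(policy: TallyPolicy, user: str):
    """Failure limit for this user, or None when the account can never lock."""
    if policy.per_user and user in policy.per_user_max:
        maximum = policy.per_user_max[user]
        if maximum < 0:
            return None          # excluded, as the article does with faillog -m -1
        if maximum > 0:
            return maximum       # per-account override of deny=
    return policy.deny           # 0 or unset falls back to the global deny=


def is_untallied_root(policy: TallyPolicy, user: str) -> bool:
    """Without no_magic_root, uid 0 is neither counted nor locked (simplified)."""
    return USERS.get(user) == 0 and not policy.no_magic_root


def attempt(tally: dict, policy: TallyPolicy, user: str, password_ok: bool) -> str:
    """One login attempt: 'ok', 'denied' (locked by the tally) or 'bad_password'.

    Order follows the thread's configuration: deny once the stored tally has
    reached the limit, a good password clears the tally (reset), and a bad
    password adds one strike (onerr=fail counts failures).
    """
    if is_untallied_root(policy, user):
        return "ok" if password_ok else "bad_password"
    limit = effective_limit(policy, user)
    count = tally.get(user, 0)
    if limit is not None and count >= limit:
        return "denied"
    if password_ok:
        if policy.reset_on_success:
            tally[user] = 0
        return "ok"
    tally[user] = count + 1
    return "bad_password"


def pam_config_lines(policy: TallyPolicy):
    """Render the two system-auth lines from the thread for this policy."""
    module = "/lib/security/$ISA/pam_tally.so"
    root_opt = "no_magic_root" if policy.no_magic_root else "magic_root"
    auth = f"auth required {module} onerr=fail {root_opt}"
    account = f"account required {module} deny={policy.deny} {root_opt}"
    if policy.per_user:
        account += " per_user"
    if policy.reset_on_success:
        account += " reset"
    return [auth, account]


if __name__ == "__main__":
    policy = TallyPolicy(per_user=True, per_user_max={"mysql": -1})
    print("\n".join(pam_config_lines(policy)))
    tally = {}
    for _ in range(3):
        print("johan:", attempt(tally, policy, "johan", False))
    print("johan (correct password):", attempt(tally, policy, "johan", True))
    for _ in range(5):
        attempt(tally, policy, "mysql", False)
    print("mysql (correct password):", attempt(tally, policy, "mysql", True))
```

Running the script shows johan denied on the fourth attempt even with the right password, while mysql still logs in after five failures. That is the trade-off the per_user exclusion buys: availability for the service account against no lockout-based slowdown of guessing against it, so such accounts are better protected by key-based or local-only access and by alerting on their failure counts.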
