Re: ftp/sftp user account lockout threshold

Johan Booysen wrote:

> Firstly, something I don't quite understand is where on that page the
> author says:
>
> "The no_magic_root option ensures that accounts with a UID of 0 are
> tallied. You can change this option to magic_root to reverse this
>
> Does this mean that the root account will potentially be locked out?

No. It simply allows me to keep an eye on failed su's to root the way I keep track of other users' failed attempts to log in.

> Surely not, but I don't understand what the no_magic_root/magic_root
> would then do.
>
> Also, the author says:
>
> The last option, per_user, allows you to exclude accounts from locking
> if the accounts have a maximum login failure set explicitly. This
> exclusion of accounts allows you to specify some accounts that won't be
> locked and thus prevent them being the target of a potential Denial of
> Service attack. I recommend you exclude any accounts whose disablement
> will cause availability issues for applications or databases, for
> example the user account that runs a database process. Account exclusions
> are specified using the faillog command:
> # faillog -u mysql -m -1
>
> What are your views on doing this for all service accounts?

I don't worry about it. ssh is the only way into my system remotely, and I only allow a very limited range of IP numbers to even get a login prompt, and those are restricted to only certain valid user accounts.

> Thanks again.
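For readers following the thread, here is a small Python model of the lockout decisions being discussed (the global deny threshold, the magic_root/no_magic_root choice, and per_user exclusion via a faillog-style record). It is an added illustration, not pam_tally's code and not anything from the list posters; the class and method names are my own, the faillog records are constructed in the script, and the convention that a per-user maximum of -1 means "never lock" is taken from the `faillog -u mysql -m -1` command quoted above and treated here as an assumption about that page's setup.

```python
"""Model of pam_tally-style failed-login tallying (added example, not pam_tally itself).

It shows why an unexcluded service account is a denial-of-service target:
anyone who can reach a login prompt can push its tally past `deny`, while
an account with a per-user maximum of -1 (the quoted faillog convention,
assumed here) is never locked however many failures are recorded.
"""
from dataclasses import dataclass, field


@dataclass
class Tally:
    deny: int = 5                 # global threshold, like pam_tally's deny=N
    magic_root: bool = False      # True: failures reported by a uid-0 caller are not counted
    per_user: bool = True         # True: a per-account maximum overrides `deny`
    counts: dict = field(default_factory=dict)        # user -> failure tally
    per_user_max: dict = field(default_factory=dict)  # constructed stand-in for faillog records

    def set_user_max(self, user: str, fail_max: int) -> None:
        """Stand-in for `faillog -u USER -m MAX` (assumed mapping: -1 = never lock)."""
        self.per_user_max[user] = fail_max

    def limit_for(self, user: str) -> int:
        """Effective threshold: the per-user record wins when per_user is on and it is set."""
        if self.per_user and self.per_user_max.get(user, 0) != 0:
            return self.per_user_max[user]
        return self.deny

    def record_failure(self, user: str, caller_uid: int) -> int:
        """Count one failed authentication and return the new tally.

        With magic_root, a failure reported while the calling process runs as
        uid 0 (for example an su by root) is ignored; no_magic_root counts it.
        """
        if self.magic_root and caller_uid == 0:
            return self.counts.get(user, 0)
        self.counts[user] = self.counts.get(user, 0) + 1
        return self.counts[user]

    def is_locked(self, user: str) -> bool:
        """Locked once the tally reaches the effective limit; -1 means excluded."""
        limit = self.limit_for(user)
        if limit < 0:
            return False
        return self.counts.get(user, 0) >= limit

    def reset(self, user: str) -> None:
        """Equivalent of clearing the tally after a successful login."""
        self.counts[user] = 0


def demo() -> dict:
    """Run the scenarios from the thread and return the observable outcomes."""
    t = Tally(deny=3, magic_root=False, per_user=True)
    t.set_user_max("mysql", -1)          # the excluded database account

    for _ in range(10):                   # repeated bad passwords against mysql
        t.record_failure("mysql", caller_uid=1000)
    for _ in range(3):                    # an ordinary user hitting the threshold
        t.record_failure("alice", caller_uid=1000)
    t.record_failure("root", caller_uid=0)  # failed su to root, tallied under no_magic_root

    # Same hammering, but without the per-user exclusion in effect.
    u = Tally(deny=3, per_user=False)
    for _ in range(10):
        u.record_failure("mysql", caller_uid=1000)

    return {
        "mysql_locked_excluded": t.is_locked("mysql"),
        "mysql_locked_unexcluded": u.is_locked("mysql"),
        "alice_locked": t.is_locked("alice"),
        "root_tally": t.counts["root"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two mysql results are the point of the per_user recommendation: the same ten failures lock the unexcluded account and leave the excluded one usable. Swapping `magic_root=True` into the first Tally makes the root su failure disappear from the tally, which is the behaviour the reply above is choosing not to have.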


