ftp/sftp user account lockout threshold
Bill Tangren
bjt at usno.navy.mil
Tue Jul 24 17:17:01 UTC 2007
Johan Booysen wrote:
> Bill,
>
> Firstly, something I don't quite understand is where on that page the
> author says:
>
> "The no_magic_root option ensures that accounts with a UID of 0 are
> tallied. You can change this option to magic_root to reverse this
> behaviour."
>
> Does this mean that the root account will potentially be locked out?
No. It simply allows me to keep an eye on failed su's to root the way I keep
track of other users' failed attempts to log in.
> Surely not, but I don't understand what the no_magic_root/magic_root
> would then do.
>
> Also, the author says:
>
> The last option, per_user, allows you to exclude accounts from locking
> if the accounts have a maximum login failure set explicitly. This
> exclusion of accounts allows you to specify some accounts that won't be
> locked and thus prevent them being the target of a potential Denial of
> Service attack. I recommend you exclude any accounts whose disablement
> will cause availability issues for applications or databases, for
> example the user account that runs a database process. Account exclusions
> are specified using the faillog command:
>
> # faillog -u mysql -m -1
>
> What are your views on doing this for all service accounts?
I don't worry about it. ssh is the only way into my system remotely, and I only
allow a very limited range of IP numbers to even get a login prompt, and those
are restricted to only certain valid user accounts.
>
> Thanks again.
>
> Johan
>
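As an added illustration (not from this thread or from the article Johan quotes), this is how the two options discussed above fit together with the faillog exemption; the file path, the deny=5 threshold and the service account name are assumed:

```pam
# /etc/pam.d/system-auth (assumed path; RHEL-style stack using pam_tally)
#
# auth phase: count every failed authentication, including UID 0
# (no_magic_root), and let an explicit per-user maximum recorded in
# /var/log/faillog override deny=5 for that account (per_user).
auth     required   pam_tally.so onerr=fail deny=5 no_magic_root per_user
auth     required   pam_unix.so
#
# account phase: refuse accounts that are over their limit and reset the
# tally after a successful login; root is still tallied (no_magic_root).
account  required   pam_tally.so no_magic_root reset
account  required   pam_unix.so
#
# Exempting a service account (run as root): an explicit maximum of -1 is
# what per_user honours in place of deny=5, so this account is never locked.
#   faillog -u mysql -m -1
#
# Checks: confirm the exemption, and review the counter for root, which
# no_magic_root keeps counting even though root is not locked by this stack.
#   faillog -u mysql
#   faillog -u root
```

Because no_magic_root only affects counting, root's failed attempts show up in faillog output without the account being denied; the lockout for every other account comes from deny= unless faillog -m has set a per-user value.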