10-11-2010, 01:50 PM
"Brustkern, Maximillian"

Problems setting up pam_tally / faillog

I'm attempting to configure Debian 4.0 to lock user
accounts after 3 failed login attempts.

I've added:

    account    required    pam_tally.so deny=3

as the first non-commented line in /etc/pam.d/common-account
and

    auth       required    pam_tally.so per_user magic_root

as the first non-commented line in /etc/pam.d/common-auth.
When I run faillog I get:

    Login       Failures Maximum Latest                   On
    username        16        3  10/08/10 11:03:43 -0400  192.168.0.1

but when I try to login as username via ssh or su -, I am
still able to login if I give a valid password. Is there any good resource for
configuring pam_tally and faillog other than their man pages?

Thanks,

Max Brustkern
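The faillog table quoted above is easy to misread by eye when there are many accounts, so here is a small parser for it, added as an illustration and not taken from the original post or from the shadow/pam_tally sources. It assumes faillog's default column layout (Login, Failures, Maximum, Latest, On), reads the documented deny=n semantics as "deny once the tally exceeds n", treats a per-user maximum of 0 as "no limit", and uses a constructed sample in which only the first data line is the one from the post.

```python
"""Parse `faillog` output and report which accounts are over their lockout limit.

Added illustration, not code from the original thread. Assumes faillog's
default column layout (Login, Failures, Maximum, Latest, On) and pam_tally's
documented deny=n semantics: access is denied once the tally exceeds n.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the first data line is the one quoted in the post,
# the remaining accounts are made up for the demonstration.
SAMPLE_FAILLOG = """\
Login       Failures Maximum Latest                   On
username        16        3  10/08/10 11:03:43 -0400  192.168.0.1
alice            2        3  10/08/10 09:12:00 -0400  192.168.0.7
svc_backup      40        0  10/07/10 23:59:59 -0400  10.0.0.5
bob              4        3  10/08/10 10:30:00 -0400
"""


@dataclass
class FaillogEntry:
    login: str
    failures: int
    maximum: int            # per-user limit set with faillog -m; 0 means "no limit"
    latest: str             # date, time and UTC offset of the last failure
    origin: Optional[str]   # host or address of the last failure, if recorded


def parse_faillog(text: str) -> List[FaillogEntry]:
    """Turn faillog's table into a list of entries, skipping the header line."""
    entries: List[FaillogEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Login"):
            continue
        tokens = line.split()
        if len(tokens) < 6:
            raise ValueError(f"unexpected faillog line: {line!r}")
        login, failures, maximum = tokens[0], int(tokens[1]), int(tokens[2])
        latest = " ".join(tokens[3:6])          # e.g. "10/08/10 11:03:43 -0400"
        origin = tokens[6] if len(tokens) > 6 else None
        entries.append(FaillogEntry(login, failures, maximum, latest, origin))
    return entries


def effective_limit(entry: FaillogEntry, global_deny: int, per_user: bool) -> int:
    """Limit pam_tally would apply: faillog's per-user maximum when per_user is
    set on the auth line, otherwise the deny=N value. 0 means unlimited."""
    return entry.maximum if per_user else global_deny


def locked_accounts(entries: List[FaillogEntry], global_deny: int = 3,
                    per_user: bool = True) -> List[str]:
    """Accounts whose tally exceeds their limit (assumption: the deny check
    fires when tally > n, as the pam_tally man page words it)."""
    locked: List[str] = []
    for e in entries:
        limit = effective_limit(e, global_deny, per_user)
        if limit > 0 and e.failures > limit:
            locked.append(e.login)
    return locked


if __name__ == "__main__":
    parsed = parse_faillog(SAMPLE_FAILLOG)
    over = set(locked_accounts(parsed))
    for e in parsed:
        state = "LOCKED" if e.login in over else "ok"
        print(f"{e.login:<12} failures={e.failures:<3} max={e.maximum:<2} {state}")
```

Running it prints one line per account; with per_user the service account with maximum 0 is never reported, while without per_user the global deny=3 applies to it too. That difference is worth checking against the real faillog table before trusting either mode on a production host.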
 
10-11-2010, 10:23 PM
Bob Proulx

Problems setting up pam_tally / faillog

Brustkern, Maximillian wrote:
> I'm attempting to configure Debian 4.0 to lock user accounts after 3
> failed login attempts.

I know you don't think so (yet) but that is a very bad idea. It
enables a denial of service attack. A valid user can be locked out by
an attacker. That is bad.

If you want to rate limit attacks then look at the fail2ban package.

apt-cache show fail2ban
Description: bans IPs that cause multiple authentication errors

Also, I assume there is a reason but if you are still using Debian 4.0
Etch then you really should worry about security upgrades. Consider
migrating to Stable Lenny with security support.

Bob
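To make the distinction Bob draws concrete, here is a fail2ban-style sliding-window counter that bans the source address rather than the account, added as an illustration that is not fail2ban's own code and not part of the original reply. It runs over constructed sshd log lines (hostname "etch" and the addresses are made up, and the year is assumed because syslog timestamps omit it); the parameter names maxretry and findtime mirror fail2ban's jail options, but the logic is this example's own.

```python
"""Fail2ban-style source rate limiting over sshd log lines.

Added illustration, not fail2ban's own code. Constructed syslog lines are
embedded below; the year is assumed because syslog timestamps omit it.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Tuple

# Constructed sample auth.log excerpt (hostname "etch", addresses made up).
SAMPLE_LOG = """\
Oct  8 11:00:01 etch sshd[2001]: Failed password for username from 192.168.0.1 port 52001 ssh2
Oct  8 11:00:15 etch sshd[2002]: Failed password for username from 192.168.0.1 port 52002 ssh2
Oct  8 11:00:40 etch sshd[2003]: Failed password for invalid user admin from 192.168.0.1 port 52003 ssh2
Oct  8 11:03:43 etch sshd[2004]: Accepted password for username from 10.0.0.9 port 40001 ssh2
Oct  8 11:05:00 etch sshd[2005]: Failed password for root from 203.0.113.7 port 41000 ssh2
Oct  8 11:30:00 etch sshd[2006]: Failed password for root from 203.0.113.7 port 41001 ssh2
Oct  8 11:40:00 etch sshd[2007]: Failed password for root from 203.0.113.7 port 41002 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

Event = Tuple[datetime, str, str]   # (timestamp, source address, user name)


def parse_failures(lines: List[str], year: int = 2010) -> List[Event]:
    """Extract failed-password events; successes and other lines are ignored."""
    events: List[Event] = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        # strptime treats a space in the format as "any whitespace", so the
        # double space in "Oct  8" is accepted.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def ips_to_ban(events: List[Event], maxretry: int = 3,
               findtime: int = 600) -> Dict[str, datetime]:
    """Sliding-window count per source: an address is banned once it reaches
    `maxretry` failures within `findtime` seconds. Returns address -> ban time.
    Accounts are never touched, so the valid user logging in from another
    address (the 'Accepted password' line above) is unaffected."""
    window: Dict[str, Deque[datetime]] = defaultdict(deque)
    banned: Dict[str, datetime] = {}
    for ts, ip, _user in sorted(events):
        if ip in banned:
            continue
        recent = window[ip]
        recent.append(ts)
        # drop failures older than the window; recent is never empty here
        while (ts - recent[0]).total_seconds() > findtime:
            recent.popleft()
        if len(recent) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG.splitlines())
    for ip, when in ips_to_ban(evs).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

With the defaults the burst from 192.168.0.1 is banned on its third failure, while the slow attempts from 203.0.113.7 (one every ten to twenty-five minutes) stay under the threshold; widening findtime catches them. That trade-off between window length and false positives is the knob to tune rather than the account lockout.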
 
10-12-2010, 02:13 PM
"Brustkern, Maximillian"

Problems setting up pam_tally / faillog

> I know you don't think so (yet) but that is a very bad idea. It
> enables a denial of service attack. A valid user can be locked out by
> an attacker. That is bad.

You're absolutely right; unfortunately, I'm attempting to bring old systems in
line with unbending corporate security policy until such time as we can upgrade
them to Lenny, or at this point more likely Squeeze. Do you know of any
mirrors that would still have fail2ban for Etch?

Thanks,

Max
 