I’m attempting to configure Debian 4.0 to lock user
accounts after 3 failed login attempts.


I’ve added:


accountÂ*Â*Â*Â*Â*Â* requiredÂ*Â*Â*Â*Â*Â*Â* pam_tally.so deny=3


as the first non-commented line in /etc/pam.d/common-account
and


authÂ*Â*Â*Â* requiredÂ*Â*Â*Â*Â*Â* Â*pam_tally.so per_user magic_root
>


as the first non-commented line in /etc/pam.d/common-auth.Â*
When I run faillog I get:


LoginÂ*Â*Â*Â*Â*Â* Failures Maximum LatestÂ*Â*Â*Â*Â*Â*Â*Â*Â*Â*Â*Â*Â*Â*Â*Â*Â*Â* On


usernameÂ*Â*Â*Â*Â*Â* 16Â*Â*Â*Â*Â*Â*Â* 3Â*Â* 10/08/10 11:03:43 -0400Â*
192.168.0.1


but when I try to login as username via ssh or su -, I am
still able to login if I give a valid password.Â* Is there any good resource for
configuring pam_tally and faillog other than their man pages?


Â*


Thanks,


Max Brustkern

Brustkern, Maximillian wrote:
> I'm attempting to configure Debian 4.0 to lock user accounts after 3
> failed login attempts.

I know you don't think so (yet) but that is a very bad idea. It
enables a denial of service attack. A valid user can be locked out by
an attacker. That is bad.

If you want to rate limit attacks then look at the fail2ban package.

apt-cache show fail2ban
Description: bans IPs that cause multiple authentication errors

Also, I assume there is a reason but if you are still using Debian 4.0
Etch then you really should worry about security upgrades. Consider
migrating to Stable Lenny with security support.

Bob

>>
I know you don't think so (yet) but that is a very bad idea.Â* It


>>
enables a denial of service attack.Â* A valid user can be locked out by


>>
an attacker.Â* That is bad.


Â*


You’re
absolutely right; unfortunately, I’m attempting to bring old systems in
line with unbending corporate security policy until such time as we can upgrade
them to Lenny, or at this point more likely Squeeze.Â* Do you know of any
mirrors that would still have fail2ban for Etch?


Â*


Thanks,


Max