ftp/sftp user account lockout threshold
2007-08-09 - By Johan Booysen
I've finally gotten round to implementing the pam_tally module. It does seem to do the trick, but I've noticed that using the following line actually allows for 4 logon attempts:
account required /lib/security/$ISA/pam_tally.so deny=3 no_magic_root reset
Is that how it's supposed to work?
Thanks!
Johan
-----Original Message-----
From: redhat-list-bounces@(protected) [mailto:redhat-list-bounces@(protected)] On Behalf Of Bill Tangren
Sent: 24 July 2007 18:17
To: General Red Hat Linux discussion list
Subject: Re: ftp/sftp user account lockout threshold
Johan Booysen wrote:
> Bill,
>
> Firstly, something I don't quite understand is where on that page the
> author says:
>
> "The no_magic_root option ensures that accounts with a UID of 0 are
> tallied. You can change this option to magic_root to reverse this
> behaviour."
>
> Does this mean that the root account will potentially be locked out?
No. It simply allows me to keep an eye on failed su's to root the way I keep track of other users failed attempts to log in.
> Surely not, but I don't understand what the no_magic_root/magic_root
> would then do.
>
> Also, the author says:
>
> The last option, per_user, allows you to exclude accounts from locking
> if the accounts have a maximum login failure set explicitly. This
> exclusion of accounts allows you to specify some accounts that won't be
> locked and thus prevent them being the target of a potential Denial of
> Service attack. I recommend you exclude any accounts whose disablement
> will cause availability issues for applications or databases, for
> example the user account that runs a database process. Account exclusions
> are specified using the faillog command:
>
> # faillog -u mysql -m -1
>
> What are your views on doing this for all service accounts?
I don't worry about it. ssh is the only way into my system remotely, and I only allow a very limited range of IP numbers to even get a login prompt, and those are restricted to only certain valid user accounts.
>
> Thanks again.
>
> Johan
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@(protected)?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
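The count Johan observes (deny=3 giving four prompts) depends on when the counter is bumped relative to when it is checked. As an added example, not part of the thread or of pam_tally's own source, here is a small Python model of such a counter under the options discussed (deny, reset, per_user, no_magic_root); it assumes that the account check denies only when the stored tally exceeds deny and that a failure is recorded after that check, and the -1 per-user maximum follows the faillog command quoted above.

```python
from dataclasses import dataclass, field

# Constructed model of a pam_tally-style lockout counter (not pam_tally's code).
# Assumed semantics: the account phase runs before the password is tried and
# denies when the stored tally EXCEEDS deny; a failed attempt bumps the tally
# afterwards; 'reset' zeroes it on success; 'per_user' lets an explicit
# per-account maximum override deny (-1 = never lock, as set by
# 'faillog -u mysql -m -1'); 'no_magic_root' makes uid 0 count like anyone else.

@dataclass
class TallyPolicy:
    deny: int = 3
    reset: bool = True
    per_user: bool = False
    no_magic_root: bool = True

@dataclass
class TallyDB:
    tally: dict = field(default_factory=dict)     # user -> failure count
    fail_max: dict = field(default_factory=dict)  # user -> explicit max (per_user)

def limit_for(policy: TallyPolicy, db: TallyDB, user: str) -> int:
    """Effective maximum for this user; -1 means the account is never locked."""
    if policy.per_user and user in db.fail_max:
        return db.fail_max[user]
    return policy.deny

def attempt(policy: TallyPolicy, db: TallyDB, user: str, uid: int,
            password_ok: bool) -> str:
    """One login attempt; returns 'ok', 'bad-password' or 'locked'."""
    limit = limit_for(policy, db, user)
    count = db.tally.get(user, 0)
    if limit >= 0 and count > limit:           # account phase: tally exceeds deny
        return "locked"
    if password_ok:
        if policy.reset:                       # 'reset': clear tally on success
            db.tally[user] = 0
        return "ok"
    if uid == 0 and not policy.no_magic_root:  # magic_root: root is not tallied
        return "bad-password"
    db.tally[user] = count + 1                 # failure recorded after the check
    return "bad-password"

def attempts_before_lock(policy: TallyPolicy, db: TallyDB, user: str,
                         uid: int = 1000) -> int:
    """Password prompts a user gets before 'locked' with deny=3 -> 4; -1 if never."""
    for n in range(1, 100):
        if attempt(policy, db, user, uid, password_ok=False) == "locked":
            return n - 1
    return -1
```

With these assumptions deny=3 yields exactly the four prompts reported, because the fourth attempt still sees a tally of 3, which does not exceed 3.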