block user account after failed password | Unix Linux Forums | UNIX for Dummies Questions & Answers

#1
06-30-2010
kopper

Hi guys,

I have CentOS 5.4.

The idea is to lock the user account for 3 minutes after he has entered his password incorrectly 3 times.

I've modified /etc/pam.d/system-auth:

Code:
auth        required      pam_tally.so onerr=fail per_user deny=3
account     required      pam_tally.so reset

Besides the code above, I used these 2 commands to get things working:

Set lock out at 3 failed login attempts:
faillog -m 3
Exclude root from this lockout mechanism:
faillog -u root -m 0


As you see, I have not defined lock_time=180 yet, since no matter where I put it up there it won't work.

Where should it be, so that after 3 or more failed attempts and after waiting 3 minutes the user can log in to the system, since for instance he now remembers his correct password?

Now I can unblock his account manually with faillog -r -u username, but I want to avoid that admin task.

Thanks a lot
#2
06-30-2010
pludi
From the man page of pam_tally
Quote:
lock_time=n
Always deny for n seconds after failed attempt.

unlock_time=n
Allow access after n seconds after failed attempt. If this option is used the user will be locked out for the specified amount of time after he exceeded his maximum allowed attempts. Otherwise the account is locked until the lock is removed by a manual intervention of the system administrator.

In my interpretation (though I'm not sure) this means that lock_time will block access for a certain time after each failed attempt, which would be useful to slow down a brute-force attack. unlock_time, however, sets the time until an account is automatically unlocked after the maximum number of tries.
#3
06-30-2010
jim mcnamara
One side note -

You do not want accounts like oracle, root, or other major resource owners' accounts locked on a production system. If you have people hacking accounts on a production system you should consider other approaches than lockout.
#4
06-30-2010
kopper
Thanks for the info.

The point is:


Code:
auth        required      pam_tally.so onerr=fail per_user deny=3 lock_time=180

or 
account     required      pam_tally.so reset lock_time=180

It won't work.

No matter where I put lock_time=180, on either line, what I want does not work.

---------- Post updated at 04:07 PM ---------- Previous update was at 04:02 PM ----------

Quote:
Originally Posted by jim mcnamara
One side note -

You do not want accounts like oracle, root, or other major resource owners' accounts locked on a production system. If you have people hacking accounts on a production system you should consider other approaches than lockout.

Interesting what you say. What other approaches do you think I should use, or are you using?

thanks
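
The option difference discussed in posts #2 and #4, as an added example that is not part of the original thread: a small Python check that reads the pam_tally.so lines of a PAM file and reports, following the man page excerpt quoted above, whether a locked account unlocks on its own. The function names and verdict labels are hypothetical, the unlock_time=180 variant is constructed, and per-user limits set with faillog are not considered.

```python
import re

# PAM line: type, control (plain or bracketed), module path, arguments
PAM_LINE = re.compile(r"^\s*-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
LOCK_OPTS = ("deny", "lock_time", "unlock_time")

def parse_pam_tally(text):
    """Collect the options of every pam_tally.so line, grouped by PAM type."""
    found = {}
    for raw in text.splitlines():
        m = PAM_LINE.match(raw.split("#", 1)[0])  # drop trailing comments
        if not m or not m.group(3).endswith("pam_tally.so"):
            continue
        opts = dict(arg.partition("=")[::2] for arg in m.group(4).split())
        found.setdefault(m.group(1), {}).update(opts)
    return found

def audit(text):
    """Return (verdict, notes) for the lockout options on the auth line."""
    found = parse_pam_tally(text)
    auth = found.get("auth", {})
    notes = [f"{opt} is on the {ptype} line; only the auth line is evaluated here"
             for ptype, opts in found.items() if ptype != "auth"
             for opt in LOCK_OPTS if opt in opts]
    if "lock_time" in auth:
        notes.append(f"lock_time={auth['lock_time']}: deny for that many seconds "
                     "after each failed attempt (man page wording)")
    if "deny" not in auth:
        return "no-deny", notes
    if "unlock_time" in auth:
        notes.append(f"unlock_time={auth['unlock_time']}: access allowed again "
                     "that many seconds after a failed attempt (man page wording)")
        return "auto-unlock", notes
    notes.append("no unlock_time: locked until an administrator resets the count")
    return "manual-unlock", notes

# Lines taken from the thread, plus one constructed variant using unlock_time.
ORIGINAL = """auth        required      pam_tally.so onerr=fail per_user deny=3
account     required      pam_tally.so reset"""
WITH_LOCK_TIME = ORIGINAL.replace("deny=3", "deny=3 lock_time=180")
ON_ACCOUNT = ORIGINAL.replace("reset", "reset lock_time=180")
WITH_UNLOCK_TIME = ORIGINAL.replace("deny=3", "deny=3 unlock_time=180")  # constructed

if __name__ == "__main__":
    for name in ("ORIGINAL", "WITH_LOCK_TIME", "ON_ACCOUNT", "WITH_UNLOCK_TIME"):
        verdict, notes = audit(globals()[name])
        print(name, verdict, *notes, sep="\n  ")
```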
All times are GMT -4.