boomboom999@yahoo.com *nix forums beginner
Joined: 10 Apr 2006
Posts: 9
Posted: Mon Jul 10, 2006 1:56 pm Post subject:
How to set up an account lockout counter?
Hello,
An easy question for Linux gurus
How can I set up a counter of incorrect tries for local user accounts
on a Linux box, so that after 3 or 5 tries the account gets temporarily
locked out or suspended?
Any ideas?
Thanks in advance
Unruh *nix forums Guru
Joined: 22 Mar 2005
Posts: 1166
Posted: Mon Jul 10, 2006 3:58 pm Post subject:
Re: How to set up an account lockout counter?
boomboom999@yahoo.com writes:
Quote:
Hello,
An easy question for Linux gurus
How can I set up a counter of incorrect tries for local user accounts
on a Linux box, so that after 3 or 5 tries the account gets temporarily
locked out or suspended?
Bad idea. This allows anyone to lock out your users from your machines
(Denial of Service attack). Far better to ensure that your users use good
passwords.
Quote:
Any ideas?
Thanks in advance
boomboom999@yahoo.com *nix forums beginner
Joined: 10 Apr 2006
Posts: 9
Posted: Mon Jul 10, 2006 5:01 pm Post subject:
Re: How to set up an account lockout counter?
Unruh wrote:
Quote:
Bad idea. This allows anyone to lock out your users from your machines
(Denial of Service attack). Far better to ensure that your users use good
passwords.
On a system with 100 users and more it is virtually impossible to
ensure good passwords. Users still follow some easily discoverable
patterns.
Stachu 'Dozzie' K. *nix forums Guru Wannabe
Joined: 30 Mar 2005
Posts: 250
Posted: Mon Jul 10, 2006 5:08 pm Post subject:
Re: How to set up an account lockout counter?
On 10.07.2006, boomboom999@yahoo.com <boomboom999@yahoo.com> wrote:
Quote:
Unruh wrote:
Bad idea. This allows anyone to lock out your users from your machines
(Denial of Service attack). Far better to ensure that your users use good
passwords.
On a system with 100 users and more it is virtually impossible to
ensure good passwords. Users still follow some easily discoverable
patterns.
But you can at least try to do so. Using pam_cracklib with a good
dictionary is a nice idea and can protect you against automated
brute force attacks at no cost at all.
--
Looking for a good shell? mail | http://marcinhlybin.com/shell/
Stanislaw Klekot
M. Decker *nix forums beginner
Joined: 12 Apr 2006
Posts: 4
Posted: Tue Jul 11, 2006 6:45 am Post subject:
Re: How to set up an account lockout counter?
Quote:
How can I set up a counter of incorrect tries for local user accounts
on a Linux box, so that after 3 or 5 tries the account gets temporarily
locked out or suspended?
Take a look at SELinux, RSBAC or GrSecurity... They could provide some
features you need... RSBAC delays every retry... I think SELinux could
provide this feature you need.
Bye
--
Because it worsens the readability of the text.
Quote:
Why is TOFU so bad?
TOFU
What is the biggest annoyance on Usenet?
M. Decker *nix forums beginner
Joined: 12 Apr 2006
Posts: 4
Posted: Tue Jul 11, 2006 6:48 am Post subject:
Re: How to set up an account lockout counter?
Quote:
Bad idea. This allows anyone to lock out your users from your machines
(Denial of Service attack). Far better to ensure that your users use good
passwords.
He asked for /temporary/ lockout... So I think, it is a good idea to
lock an account for example 15 minutes or so...
I think the mix of both would be a good idea...
--
Because it worsens the readability of the text.
Quote:
Why is TOFU so bad?
TOFU
What is the biggest annoyance on Usenet?
Moe Trin *nix forums Guru
Joined: 20 Feb 2005
Posts: 972
Posted: Tue Jul 11, 2006 8:00 pm Post subject:
Re: How to set up an account lockout counter?
On 10 Jul 2006, in the Usenet newsgroup comp.os.linux.security, in article
<1152550889.505361.174710@p79g2000cwp.googlegroups.com>, boomboom999@yahoo.com
wrote:
Quote:
Unruh wrote:
Far better to ensure that your users use good passwords.
On a system with 100 users and more it is virtually impossible to
ensure good passwords. Users still follow some easily discoverable
patterns.
There have been password programs available for _decades_ that can
enforce password rules. In general, they work on the 'proposed'
password before encryption - and compare this to word lists, usernames,
and look for minimum character counts, mixed case, numbers, and
non-alphanumeric character counts. This capability has been a part of
PAM for years - do a google search for cracklib.
There are a number of password testing programs (also known as password
crackers) that have been available to monitor the encrypted password.
These are slower, as they have to work through the hashing algorithm,
but may be slightly more secure than the password checkers.
It's easy to _create_ good passwords. The problem is convincing the user
that they can remember them. Thus, the little button on some windoze
applications "remember my password". Left to their own devices, the average
user will choose the least secure character string possible, including that
really great one ("" which is to say 'nothing'). Do a search for the
W32/Deloder worm from 2003 (example: CERT Advisory CA-2003-0 , when a
worm went through the windoze community by guessing that the administrator
(root) password would be one of just 87 character strings. The complete
list of those "passwords" was:
--------------------------------------------------------------------------
"" 1234567 a ihavenopass pwd
0 12345678 aaa login qwer
000000 123456789 abc love root
00000000 1234qwer abc123 mypass secret
007 123abc abcd mypass123 server
1 123asd admin mypc sex
110 123qwe admin123 mypc123 super
111 2002 administrator oracle sybase
111111 2003 alpha owner temp
11111111 2600 asdf pass temp123
12 54321 computer pass test
121212 654321 database passwd test123
123 88888888 enable password win
123123 Admin foobar pat xp
1234 Internet god patrick xxx
12345 Login godblessyou pc yxcv
123456 Password home pw123 zxcv
pw xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
--------------------------------------------------------------------------
Do you see your password in there?
Strong passwords are a tradeoff between security and what the users will
tolerate. You may want to think about the banking/credit card industry,
where the user frequently has trouble remembering a 4 digit PIN. Invariably
you'll find these numbers written down on sticky notes. A friend who is a
teacher at a local university tried to show his students a simple trick of
choosing the first character of an easily remembered phrase - using the
example "TtL*h1wWur" (Twinkle, twinkle, little star, how I wonder what
you are). Want to guess the percentage of students that slavishly copied
that password _unchanged_ as their own?
Old guy
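The checks this post describes (compare the proposed cleartext password against a word list and the username, then require minimum length and a mix of character classes) as an added example in Python. This is not cracklib's or PAM's code; the word list is a constructed subset of the Deloder list quoted above, the thresholds (8 characters, 3 of 4 classes) are assumed, and the "too few distinct characters" rule is an extra guard for strings like the run of x's in that list.

```python
"""Cracklib-style checks on a proposed password, run on the cleartext
candidate before it is hashed. Added example, not cracklib's own code."""

# Constructed subset of the 87 Deloder strings quoted in the post (not the
# full list); stored lower-cased so "Admin" and "admin" are the same entry.
DELODER_SUBSET = frozenset(w.lower() for w in (
    "", "0", "000000", "007", "1", "12", "123", "1234", "12345", "123456",
    "1234567", "12345678", "123456789", "1234qwer", "123abc", "123qwe", "2002",
    "2003", "2600", "54321", "654321", "Admin", "admin", "admin123",
    "administrator", "alpha", "asdf", "computer", "database", "enable", "foobar",
    "god", "godblessyou", "home", "ihavenopass", "Internet", "Login", "login",
    "love", "mypass", "mypass123", "mypc", "mypc123", "oracle", "owner", "pass",
    "passwd", "Password", "password", "pat", "patrick", "pc", "pw", "pw123",
    "pwd", "qwer", "root", "secret", "server", "sex", "super", "sybase", "temp",
    "temp123", "test", "test123", "win", "xp", "xxx", "yxcv", "zxcv",
))


def check_password(candidate, username, wordlist=DELODER_SUBSET,
                   min_length=8, min_classes=3):
    """Return the list of reasons the candidate is rejected (empty = accepted).

    Thresholds are assumptions for this example. Word-list and username
    comparisons are case-insensitive, and the reversed candidate is also
    looked up, so trivial transformations of a listed word do not slip by.
    """
    reasons = []
    lowered = candidate.lower()
    if lowered in wordlist:
        reasons.append("in word list")
    elif lowered[::-1] in wordlist:
        reasons.append("reverse of a word-list entry")
    # Substring check only for usernames of 3+ characters; a one-letter
    # username would otherwise reject almost everything.
    uname = username.lower()
    if uname and (lowered == uname or (len(uname) >= 3 and uname in lowered)):
        reasons.append("contains username")
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    classes = sum([
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(not c.isalnum() for c in candidate),
    ])
    if classes < min_classes:
        reasons.append(f"only {classes} of 4 character classes (need {min_classes})")
    # A long run of one or two characters satisfies the length rule but
    # carries almost no entropy; catch it separately.
    if 0 < len(set(candidate)) <= 2:
        reasons.append("too few distinct characters")
    return reasons


if __name__ == "__main__":
    for pw, user in (("TtL*h1wWur", "alice"), ("password", "bob"),
                     ("", "bob"), ("Patrick2006!", "patrick"), ("x" * 42, "bob")):
        verdict = check_password(pw, user)
        print(repr(pw), "->", "OK" if not verdict else "; ".join(verdict))
```

The passphrase-initials password from the post passes every check; the empty string, which the post singles out, fails three of them at once.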
Michael Heiming *nix forums Guru
Joined: 19 Feb 2005
Posts: 1423
Posted: Tue Jul 11, 2006 10:57 pm Post subject:
Re: How to set up an account lockout counter?
In comp.os.linux.security Unruh <unruh-spam@physics.ubc.ca>:
Quote:
boomboom999@yahoo.com writes:
Hello,
An easy question for Linux gurus
How can I set up a counter of incorrect tries for local user accounts
on a Linux box, so that after 3 or 5 tries the account gets temporarily
locked out or suspended?
Pam (pam_tally) can be used to lock an account after a
configurable number of failures. Dunno that it could unlock an
account after some time. However, it shouldn't be impossible to
write a few lines checking the logs, running from cron every 20
minutes or so and unlocking locked accounts. Don't really think
this is a good idea.
There should be enough documentation in /usr/share/doc/pam* on
your system to get you going.
Quote:
Bad idea. This allows anyone to lock out your users from your machines.
Don't think the system is on the internet, if you control the
environment this shouldn't be an issue.
If it is one can still utilize pam_abl to auto-magically blacklist
rogue hosts.
Quote:
(Denial of Service attack). Far better to ensure that your users use good
passwords.
Indeed, you can use pam_cracklib to enforce people using strong
passwords. It shouldn't be used to make things too difficult for
users but to disallow trivial passwords.
--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 138: BNC (brain not connected)
softwarecommie@gmail.com *nix forums beginner
Joined: 13 Jul 2006
Posts: 1
Posted: Thu Jul 13, 2006 7:13 am Post subject:
Re: How to set up an account lockout counter?
Unruh wrote:
Quote:
boomboom999@yahoo.com writes:
Hello,
An easy question for Linux gurus
How can I set up a counter of incorrect tries for local user accounts
on a Linux box, so that after 3 or 5 tries the account gets temporarily
locked out or suspended?
Bad idea. This allows anyone to lock out your users from your machines
(Denial of Service attack). Far better to ensure that your users use good
passwords.
DoS attacks that occur within a reasonably controlled private network
happen damn near 0% of the time. If this applies to your box, don't
worry about a temporary lockout. If this computer is exposed to the
internet in any way, I would try using pam_abl instead of lockouts.
In fact, you can apply different PAM modules for xdm, ttl, ssh, etc.
This way, you can enforce lockouts for local xdm and ttl (these should,
of course be firewalled to prevent remote access), and auto black
listing for ssh.
Just take a look at your pam.d files (usually in /etc/pam.d).
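The two mechanisms discussed in Michael Heiming's post and in this one, a per-account failure counter that locks after N failures and unlocks after a timed interval (the pam_tally-plus-cron idea), and a per-host blacklist that ignores the account entirely (the pam_abl idea), as one added example that replays auth-log style lines through both policies. It is not the code of either PAM module; the log lines, the thresholds (3 failures per account, 15-minute unlock, 5 failures per host) and the sshd message shape are all constructed for this example.

```python
"""Replay sshd-style log lines through a per-account lockout counter with a
timed unlock and a per-host blacklist. Added example; the log is constructed
and neither policy is the real pam_tally or pam_abl implementation."""
import re
from datetime import datetime, timedelta

# Constructed sample, in the general shape of sshd lines in /var/log/auth.log.
# First alice fumbles three times then tries her correct password; later one
# host sprays five different account names.
SAMPLE_LOG = """\
Jul 10 13:56:01 box sshd[1001]: Failed password for alice from 192.0.2.10 port 4001 ssh2
Jul 10 13:56:05 box sshd[1002]: Failed password for alice from 192.0.2.10 port 4002 ssh2
Jul 10 13:56:09 box sshd[1003]: Failed password for alice from 192.0.2.10 port 4003 ssh2
Jul 10 13:57:00 box sshd[1004]: Accepted password for alice from 192.0.2.10 port 4004 ssh2
Jul 10 13:57:00 box sshd[1004]: pam_unix(sshd:session): session opened for user alice
Jul 10 14:20:00 box sshd[1005]: Accepted password for alice from 192.0.2.10 port 4005 ssh2
Jul 10 14:30:00 box sshd[1006]: Failed password for bob from 198.51.100.7 port 5001 ssh2
Jul 10 14:30:01 box sshd[1007]: Failed password for root from 198.51.100.7 port 5002 ssh2
Jul 10 14:30:02 box sshd[1008]: Failed password for carol from 198.51.100.7 port 5003 ssh2
Jul 10 14:30:03 box sshd[1009]: Failed password for invalid user dave from 198.51.100.7 port 5004 ssh2
Jul 10 14:30:04 box sshd[1010]: Failed password for admin from 198.51.100.7 port 5005 ssh2
Jul 10 14:30:10 box sshd[1011]: Accepted password for bob from 198.51.100.7 port 5006 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<host>\S+) port \d+"
)


def parse_line(line, year):
    """Return (timestamp, user, host, password_ok) or None for other lines.
    Syslog timestamps carry no year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return ts, m["user"], m["host"], m["result"] == "Accepted"


class LockoutCounter:
    """Per-account consecutive-failure counter with a timed unlock, plus a
    per-host failure counter that blacklists the host outright."""

    def __init__(self, deny=3, unlock_after=timedelta(minutes=15), host_deny=5):
        self.deny = deny                  # failures before the account locks
        self.unlock_after = unlock_after  # how long the lock lasts
        self.host_deny = host_deny        # failures before the host is blacklisted
        self.failures = {}                # user -> consecutive failures
        self.locked_until = {}            # user -> datetime the lock expires
        self.host_failures = {}           # host -> total failures
        self.blacklisted = set()

    def attempt(self, ts, user, host, password_ok):
        if host in self.blacklisted:
            return "reject-host"          # pam_abl-style: no account is consulted
        until = self.locked_until.get(user)
        if until is not None:
            if ts < until:
                return "reject-locked"    # even a correct password is refused
            del self.locked_until[user]   # lock expired: fresh counter
            self.failures[user] = 0
        if password_ok:
            self.failures[user] = 0       # success resets the tally
            return "accept"
        self.failures[user] = self.failures.get(user, 0) + 1
        self.host_failures[host] = self.host_failures.get(host, 0) + 1
        if self.host_failures[host] >= self.host_deny:
            self.blacklisted.add(host)
            return "blacklist-host"
        if self.failures[user] >= self.deny:
            self.locked_until[user] = ts + self.unlock_after
            return "lock"
        return "fail"


def replay(log_text, year=2006, **policy):
    """Feed every parseable line to a fresh counter; return (user, host, decision)."""
    counter = LockoutCounter(**policy)
    decisions = []
    for line in log_text.splitlines():
        parsed = parse_line(line, year)
        if parsed is not None:
            ts, user, host, ok = parsed
            decisions.append((user, host, counter.attempt(ts, user, host, ok)))
    return decisions


if __name__ == "__main__":
    for user, host, decision in replay(SAMPLE_LOG):
        print(f"{user:8s} {host:15s} {decision}")
```

The replay shows both points made in the thread: alice's correct password at 13:57 is refused because her own three typos locked the account, and it is only accepted again after the 15-minute window; the spraying host is cut off after five failures without any of the sprayed accounts reaching the per-account threshold. Unruh's objection is visible in the same model: three failures against a username from any host lock that account for everyone, which is why the per-host rule is the one to use on an internet-facing service.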