Account lock after failed login attempts

alfonsosg · 05-25-2010, 04:15 AM

Hello!!

I'm new to these forums and this is my first post.
I'm trying to lock an account after a number of failed login attempts in a RHEL5. This is the relevant configuration in /etc/pam.d/system-auth

auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
# added to limit number of unsuccessful login attempts
auth required pam_tally.so onerr=fail deny=3 lock_time=4

account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
account required pam_tally.so

In the logs I can see how the count of failed logins increase and exceeds my deny option but the account isn't locked

pam_tally(sshd:auth): user user (503) tally 4, deny 3
pam_tally(sshd:auth): user user (503) tally 5, deny 3

Do I need any other option in the PAM file? Is there any other way to lock an account?

thanks.

TB0ne · 05-25-2010, 09:09 AM

Quote:

Originally Posted by alfonsosg

Hello!!

I'm new to these forums and this is my first post.
I'm trying to lock an account after a number of failed login attempts in a RHEL5. This is the relevant configuration in /etc/pam.d/system-auth

auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
# added to limit number of unsuccessful login attempts
auth required pam_tally.so onerr=fail deny=3 lock_time=4

account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
account required pam_tally.so

In the logs I can see how the count of failed logins increase and exceeds my deny option but the account isn't locked

pam_tally(sshd:auth): user user (503) tally 4, deny 3
pam_tally(sshd:auth): user user (503) tally 5, deny 3

Do I need any other option in the PAM file? Is there any other way to lock an account?
thanks.

Looks like you're missing something. These links:
http://kbase.redhat.com/faq/docs/DOC-4304
http://www.puschitz.com/SecuringLinux.shtml

might help. Your best bet for RedHat Enterprise 5 answers, would be RedHat support. You're paying for access with your RedHat subscription.

alfonsosg · 05-26-2010, 12:35 AM

Thanks!!

I will try those links and the RedHat support.

tanveer · 06-08-2010, 02:27 PM

Hi,
This works for me.

Code:

# vi /etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
# The below line is used to lock an account if user failed to authenticate 5 times and will be locked for 60 secs.
auth        required      pam_tally.so onerr=fail deny=5 unlock_time=60
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
# The below line is required for account lockout due to failed login attempt
account     required      pam_tally.so reset
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

tiemen3r · 06-17-2010, 06:28 PM

I think fail2ban will make your life much easier. It does exactly what you are trying to do: ban an account (or ip) after a set number of failed logins. HTH

cj_cheema · 08-03-2010, 07:24 AM

Hi Thanks Tanveer your solution also works for me thanks a ton..

Regards
Charanjit