Bill,

Thanks very much for your reply.

I've also come across this explanation on the Internet:
http://searchenterpriselinux.techtarget.com/tip/0,289483,sid39_gci1213570,00.html

Firstly, something I don't quite understand is where on that page the author says:

"The no_magic_root option ensures that accounts with a UID of 0 are tallied. You can change this option to magic_root to reverse this behaviour."

Does this mean that the root account will potentially be locked out? Surely not, but I don't understand what the no_magic_root/magic_root would then do.

Also, the author says:

"The last option, per_user, allows you to exclude accounts from locking if the accounts have a maximum login failure set explicitly. This exclusion of accounts allows you to specify some accounts that won't be locked and thus prevents them being the target of a potential Denial of Service attack. I recommend you exclude any accounts whose disablement will cause availability issues for applications or databases, for example the user account that runs a database process. Account exclusions are specified using the faillog command:

    # faillog -u mysql -m -1"

What are your views on doing this for all service accounts?

Thanks again.

Johan

-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Bill Tangren
Sent: 24 July 2007 15:26
To: General Red Hat Linux discussion list
Subject: Re: ftp/sftp user account lockout threshold

Johan Booysen wrote:
> Hi,
>
> Thanks for your reply.
>
> I find using pam modules a bit confusing at the moment. Does anyone
> know of a good example on how to use pam_tally in this way?
>
> Thanks.
>
> Johan
>

Add these lines to /etc/pam.d/system-auth:

    auth    required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
    account required /lib/security/$ISA/pam_tally.so deny=3 no_magic_root reset

Next, make a faillog:

    # touch /var/log/faillog

Also, make sure /etc/pam.d/xscreensaver does not call system-auth, or you will not be able to unlock your screensaver. This is because xscreensaver doesn't have the rights to write to the faillog. I copied the contents of system-auth and put it in xscreensaver, and then I removed the pam_tally lines. Overkill probably, but it works for me.

> -----Original Message-----
> From: redhat-list-bounces@xxxxxxxxxx
> [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Bill Tangren
> Sent: 23 July 2007 16:09
> To: General Red Hat Linux discussion list
> Subject: Re: ftp/sftp user account lockout threshold
>
> Johan Booysen wrote:
>> Dear all,
>>
>> Does anyone know if it's possible to set up a vsftpd and/or sftp
>> server so that (for example) after 3 unsuccessful logon attempts, a
>> user's account is locked out or disabled?
>>
>> I've done a bit of quick googling on this issue, but have come up
>> empty so far.
>>
>> Thanks very much.
>>
>> Johan
>>
>
> pam can use pam_tally to do this.
>

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
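An added illustration (example code written for this page, not Bill's configuration or pam_tally's own source) of what the deny=3 threshold, the per_user exclusion via "faillog -u mysql -m -1" and the root question above amount to when the tally in /var/log/faillog is read back. It assumes the shadow-utils faillog record layout on a little-endian 64-bit host, and the lock decision is a simplified model: the root exemption is my reading of pam_tally's even_deny_root_account option, and a negative fail_max is treated as "never lock".

```python
import struct

# /var/log/faillog, from shadow-utils faillog.h, one slot per UID (assumes a little-endian
# 64-bit host, so time_t and long are 8 bytes and a record is 32 bytes):
#   short fail_cnt; short fail_max; char fail_line[12]; time_t fail_time; long fail_locktime;
REC = struct.Struct("<hh12sqq")


def parse_faillog(blob: bytes) -> dict:
    """Return {uid: record} for every slot that has ever been written."""
    records = {}
    for uid in range(len(blob) // REC.size):
        cnt, fmax, line, when, lock = REC.unpack_from(blob, uid * REC.size)
        if cnt == 0 and fmax == 0 and when == 0:
            continue  # all-zero slot: nothing recorded for this UID
        records[uid] = {"fail_cnt": cnt, "fail_max": fmax, "fail_time": when,  # fail_max: 'faillog -m'
                        "fail_locktime": lock, "fail_line": line.rstrip(b"\0").decode()}
    return records


def locked_accounts(records: dict, deny: int = 3, per_user: bool = True,
                    even_deny_root: bool = False) -> list:
    """UIDs whose tally exceeds the limit. Simplified model (assumption, not pam_tally's code):
    deny=n locks once fail_cnt > n; with per_user a non-zero fail_max replaces deny and a
    negative fail_max (the 'faillog -m -1' exclusion) never locks; root only if even_deny_root."""
    locked = []
    for uid, rec in sorted(records.items()):
        limit = rec["fail_max"] if per_user and rec["fail_max"] != 0 else deny
        if limit < 0 or (uid == 0 and not even_deny_root):
            continue
        if rec["fail_cnt"] > limit:
            locked.append(uid)
    return locked


def make_record(cnt: int, fmax: int = 0, line: bytes = b"ssh", when: int = 0) -> bytes:
    return REC.pack(cnt, fmax, line.ljust(12, b"\0"), when, 0)


def build_image(entries: dict) -> bytes:
    buf = bytearray(REC.size * (max(entries) + 1))  # UIDs without an entry stay all-zero
    for uid, rec in entries.items():
        buf[uid * REC.size:(uid + 1) * REC.size] = rec
    return bytes(buf)


# Constructed sample image (not a real faillog): root, a database account and two users.
SAMPLE_IMAGE = build_image({
    0: make_record(5),                     # root: tallied (no_magic_root) but not denied
    27: make_record(10, fmax=-1),          # mysql: excluded with 'faillog -u mysql -m -1'
    500: make_record(4, when=1185287160),  # over deny=3 -> locked
    501: make_record(3),                   # exactly deny=3 -> not over it yet
})
```

Running locked_accounts(parse_faillog(SAMPLE_IMAGE)) reports only UID 500; the same image with per_user=False would also lock the excluded mysql account, which is the availability risk the quoted article is guarding against.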