I've finally gotten round to implementing the pam_tally module. It does seem to do the trick, but I've noticed that using the following line actually allows for 4 logon attempts: account required /lib/security/$ISA/pam_tally.so deny=3 no_magic_root reset Is that how it's supposed to work? Thanks! Johan -----Original Message----- From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Bill Tangren Sent: 24 July 2007 18:17 To: General Red Hat Linux discussion list Subject: Re: ftp/sftp user account lockout threshold Johan Booysen wrote: > Bill, > > Firstly, something I don't quite understand is where on that page the > author says: > > "The no_magic_root option ensures that accounts with a UID of 0 are > tallied. You can change this option to magic_root to reverse this > behaviour." > > Does this mean that the root account will potentially be locked out? No. It simply allows me to keep an eye on failed su's to root the way I keep track of other users failed attempts to log in. > Surely not, but I don't understand what the no_magic_root/magic_root > would then do. > > Also, the author says: > > The last option, per_user, allows you to exclude accounts from locking > if the accounts have a maximum login failure set explicitly. This > exclusion of accounts allows you to specify some accounts that won't be > locked and thus prevent them being the target of a potential Denial of > Service attack. I recommend you exclude any accounts whose disablement > will cause availability issues for applications or databases, for > example the user account that runs a database process. Account exclusion > are specified using the faillog command: > > # faillog -u mysql -m -1 > > What are your views on doing this for all service accounts? I don't worry about it. ssh is the only way into my system remotely, and I only allow a very limited range of IP numbers to even get a login prompt, and those are restricted to only certain valid user accounts. > > Thanks again. > > Johan > -- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list -- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list
