XenoTerraCide Veteran
Joined: 18 Jan 2004 Posts: 1418 Location: MI, USA
Posted: Tue Aug 29, 2006 7:08 pm Post subject: maximum failed login on vt doesn't actually prevent logins
Whenever I attempt to log in 3 times (all failed) I get a message saying maximum attempts reached. However, say on the fourth time I get my password correct, I can log in. This seems like a security issue to me. How do I make it have a 30 minute timeout before that user can attempt to log in again, or something similar?
_________________ I don't hang out here anymore, try asking on http://unix.stackexchange.com/ if you want my help.
limn l33t
Joined: 13 May 2005 Posts: 997
Posted: Thu Aug 31, 2006 10:02 pm
If you use PAM, have a look at pam_tally. Here is a page with some configuration examples.
XenoTerraCide Veteran
Joined: 18 Jan 2004 Posts: 1418 Location: MI, USA
Posted: Fri Sep 01, 2006 6:52 pm
Thx, will look at that. PAM is the default, correct?
limn l33t
Joined: 13 May 2005 Posts: 997
Posted: Fri Sep 01, 2006 8:30 pm
Yes.
For the 30 minute part, you could set a cron job to reset the tally every 30 minutes.
Keep in mind that once the tally is reached, attempts with the correct password will also fail, though the tally will not be incremented. Attempts are still permitted, but the user will not be able to connect - until the tally is reset.
XenoTerraCide Veteran
Joined: 18 Jan 2004 Posts: 1418 Location: MI, USA
Posted: Fri Sep 01, 2006 8:35 pm
Yeah, I figure that... but it seems like a security issue to just allow repeated attempts, especially when this was the root account, although in this situation it was legit. Umm... does this article cover maybe how to increase the number of allowed attempts? Or does this website? I glanced at it but am going to install 2006.1 later this evening, so figure I'll wait till then anyway.
limn l33t
Joined: 13 May 2005 Posts: 997
Posted: Fri Sep 01, 2006 9:41 pm
Yes. deny=N
Also have a look at
/usr/share/doc/pam-0.78-r[35]/modules/README.pam_tally.gz
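
A small model of the behaviour described in the replies above (deny=N plus a cron job that resets the tally every 30 minutes), added here as an example; it is not from the thread and not pam_tally's own code. It assumes deny=3, resets on fixed 30-minute boundaries, and that a successful login clears the tally; `Tally`, `guesses_checked` and `owner_result` are hypothetical names.

```python
# Added model of the lockout discussed above; not pam_tally's own code.
DENY = 3                # deny=N from the thread (3 is a constructed value)
RESET_EVERY = 30 * 60   # seconds between cron-driven tally resets


class Tally:
    """Failure counter for one user, cleared by a job on fixed boundaries."""

    def __init__(self, deny=DENY, reset_every=RESET_EVERY):
        self.deny, self.reset_every = deny, reset_every
        self.count = 0
        self.window = 0  # index of the reset interval last seen

    def attempt(self, now, password_ok):
        """Return 'accepted', 'rejected' or 'locked' for a login at `now` seconds."""
        window = now // self.reset_every
        if window != self.window:       # the cron job ran since the last attempt
            self.window, self.count = window, 0
        if self.count >= self.deny:     # limit reached: the right password fails
            return "locked"             # too, and the tally is not incremented
        if password_ok:
            self.count = 0              # assumption: a good login clears the tally
            return "accepted"
        self.count += 1
        return "rejected"


def guesses_checked(duration, interval, deny=DENY):
    """Wrong passwords actually verified (not refused by the lock) when one
    failed attempt arrives every `interval` seconds for `duration` seconds."""
    tally = Tally(deny=deny)
    results = (tally.attempt(t, False) for t in range(0, duration, interval))
    return sum(r == "rejected" for r in results)


def owner_result(failures, owner_time):
    """What the real owner sees at `owner_time` after `failures` bad attempts
    made one second apart starting at t=0."""
    tally = Tally()
    for t in range(failures):
        tally.attempt(t, False)
    return tally.attempt(owner_time, True)


if __name__ == "__main__":
    print("guesses verified per day:", guesses_checked(24 * 3600, 1))
    print("owner, 10 min after 3 failures:", owner_result(3, 10 * 60))
    print("owner, 31 min after 3 failures:", owner_result(3, 31 * 60))
```

With these values the lock caps verified guesses at 144 per day, and the owner is refused until the next reset boundary rather than for a full 30 minutes after the last failure.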
beu Retired Dev
Joined: 03 Mar 2004 Posts: 22 Location: London, UK
Posted: Sat Sep 02, 2006 9:21 am
This is only a security issue if you use sh*tty passwords...
XenoTerraCide Veteran
Joined: 18 Jan 2004 Posts: 1418 Location: MI, USA
Posted: Sat Sep 02, 2006 6:56 pm
Heh... true... to some extent, although a login delay would make security stronger against a computer attempting to log in. Although the livecd would not let me create a 25+ character passwd using graphical interface. 25+ characters? That would appear random to a dictionary attack... they aren't to me. Using upper, lower, numbers, and symbols... is that a strong password?
XenoTerraCide Veteran
Joined: 18 Jan 2004 Posts: 1418 Location: MI, USA
Posted: Sat Sep 16, 2006 3:03 am
Gentoo Security Handbook Chapter 7 Pam
Security handbook has lots of nice tips. Some I think should be default... like the syslog-ng configuration. I'm 90% sure what I asked is covered in here though too. I'm going through it now.