I?m looking to configure a centos 7 server to lock out anaccount after 3 login failures. I?ve followed this ? https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-Security_Guide-Securing_Your_Network.html#sect-Security_Guide-Workstation_Security-Administrative_Controls ? Section2.1.9.5 Account Locking ? And even rebooted the serverbut it doesn?t lock my test account out. login as: test test at X?s password: Access denied test at X's password: Access denied test at X's password: Access denied test at X's password: Access denied test at X's password: Last failed login: Wed Mar 15 15:44:37 GMT 2017 fromXXXXXX on ssh:notty There were 4 failed login attempts since the lastsuccessful login. Last login: Wed Mar 15 15:14:05 2017 from YYYYYYYYYYYYY [test]$ ? Meanwhile the secure log also shows Mar 15 15:44:27 testbox sshd[4051]: pam_unix(sshd:auth): authenticationfailure; logname= uid=0 euid=0 tty=ssh ruser= rhost=YYYYYYYY? user=test Mar 15 15:44:29 testbox sshd[4051]: Failed password fortest from X port 57118 ssh2 Mar 15 15:44:29 testbox sshd[4051]: Failed password fortest from X port 57118 ssh2 Mar 15 15:44:33 testbox sshd[4051]: Failed password fortest from X port 57118 ssh2 Mar 15 15:44:35 testbox sshd[4051]:pam_faillock(sshd:auth): Consecutive login failures for user test accounttemporarily locked Mar 15 15:44:37 testbox sshd[4051]: Failed password fortest from X port 57118 ssh2 Mar 15 15:44:44 testbox sshd[4051]: Accepted password fortest from X port 57118 ssh2 Mar 15 15:44:44 testbox sshd[4051]:pam_unix(sshd:session): session opened for user test by (uid=0) ? Ie ?I can deliberately mangle the password three times,secure log shows the account has been locked out, but then I can immediatelystill log in. ? ? ? ? Has anybody a link to a configuration that works?cheers ? ian
On Fri, Mar 17, 2017 at 09:41:11AM +0000, Ian Diddams wrote:> I?m looking to configure a centos 7 server to lock out anaccount > after 3 login failures.We use pam_tally2 for this, and it works well. There is a pam_tally2 executable that you can run to look at what accounts are locked and how many failures, as well as reset the lockout. -- Jonathan Billings <billings at negate.org>
On 03/17/2017 02:41 AM, Ian Diddams wrote:> I?ve followed this > > > > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-Security_Guide-Securing_Your_Network.html#sect-Security_Guide-Workstation_Security-Administrative_ControlsCan you send the /etc/pam.d/system-auth that you used for your test?
HI all - its sorted.
what I found is imperative is that the tally2 line MUST be the secoind lne in
the system-auth and password-auth files, after the "env.so" line
all good
ian
From: Gordon Messmer <gordon.messmer at gmail.com>
To: CentOS mailing list <centos at centos.org>
Sent: Friday, 17 March 2017, 17:15
Subject: Re: [CentOS] lock out account after 3 failures
On 03/17/2017 02:41 AM, Ian Diddams wrote:> I?ve followed this
>
>
>?
>
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-Security_Guide-Securing_Your_Network.html#sect-Security_Guide-Workstation_Security-Administrative_Controls
Can you send the /etc/pam.d/system-auth that you used for your test?
_______________________________________________
CentOS mailing list
CentOS at centos.org
https://lists.centos.org/mailman/listinfo/centos