On Fri, Oct 06, 2006 at 12:56:43PM -0400, stuartv wrote:
> Hello list,
>
> The company I work for is required to get PCI (Payment Card
> something-or-other) certified in order to keep doing some of the things
> that we are doing with credit card payments. When I started working here
> it was an all MS shop, including the FTP server. In order to help secure
> things (at all), I talked the boss into letting me set up an OpenBSD
> server as the FTP server instead of windows2003. Since then, I have also
> set up firewalls, mail server, IDS etc. all based upon OpenBSD (and loving
> every minute of it). However, now that we need this cert, one of the few
> things still standing in the way is the requirement that we set up the
> FTP server to lock out (for 30 min.) any account that fails to log in 3
> times in a row. I haven't been able to find any ftp software that does
> that. The FTP server that ships with OpenBSD uses system accounts, and I
> haven't figured out how to do that there either.
>
> If I don't get this figured out soon, the boss will lose patience and I
> will be right back to MS hell trying to secure a win2003 ftp server just
> because it will lock out an account that fails login 3 times in a row.
> (and then probably figure out how to set up a win2003 firewall, IDS,
> exchange server, etc etc etc... you get the pic)
>
> If anyone has any suggestions, please let me know.
How about writing a login_* program for /usr/libexec/auth? It would be
sufficient to check if there have been too many login attempts recently,
and if not, call /usr/libexec/auth/login_passwd (or similar), and pass the
response. There is quite a bit of information in login.conf(5). You'll
also need to modify this file, so it's a good place to start.

Joachim
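As an added illustration of Joachim's suggestion (this is not code from the thread or from OpenBSD), here is a wrapper style of that kind in C. It assumes it is installed as /usr/libexec/auth/login_lockout with the same owner and mode as the other styles in that directory, that the ftp users' login class in login.conf(5) is switched to it (e.g. auth-ftp=lockout), that a root-only directory /var/db/lockout exists to hold one small state file per user, and that the thresholds are the thread's three failures and 30 minutes; all of those names are assumptions. The protocol it relies on is the one described in login.conf(5): a style is called as [-s service] [-v name=value] user [class], answers on file descriptor 3, and for the response service (the one ftpd uses) first reads the challenge and the password from that descriptor as two NUL-terminated strings. The wrapper runs the real login_passwd with a socketpair as its fd 3, relays both directions, and counts what it sees.

```c
/* login_lockout.c: wrapper login style for /usr/libexec/auth.  Locks an account
 * after MAX_FAILURES recent failures; otherwise runs the real login_passwd and
 * relays the BSD auth back channel (fd 3) both ways.  Added example, not OpenBSD
 * code: the style name, STATE_DIR and the thresholds are assumptions. */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
#define BACKCHANNEL  3                   /* fd used by the BSD auth protocol */
#define STATE_DIR    "/var/db/lockout"  /* assumed: mode 0700, one file per user */
#define MAX_FAILURES 3                   /* thresholds from the thread */
#define LOCKOUT_SECS (30 * 60)

struct state { long failures; long long last_failure; };

/* Policy: locked while the failure that completed the run is under 30 min old. */
int is_locked_out(const struct state *st, long long now)
{
    return st->failures >= MAX_FAILURES && now - st->last_failure < LOCKOUT_SECS;
}

/* Success clears the counter; a failure inside the window extends the run, one
 * after the window has expired starts a new run of one. */
void record_result(struct state *st, int authorized, long long now)
{
    if (!authorized && now - st->last_failure < LOCKOUT_SECS)
        st->failures++;
    else
        st->failures = authorized ? 0 : 1;
    if (!authorized)
        st->last_failure = now;
}

/* "authorize" or "authorize root" on the first line is success (strchr also
 * matches the terminating NUL, so a bare "authorize" counts too). */
int reply_authorized(const char *reply)
{
    return strncmp(reply, "authorize", 9) == 0 && strchr("\n ", reply[9]) != NULL;
}

static int reject(void)                  /* answer "reject" on the back channel */
{
    return write(BACKCHANNEL, "reject\n", 7) == 7 ? 1 : 2;
}

int main(int argc, char *argv[])
{
    const char *service = "login", *user = NULL;
    char buf[513], path[256];
    struct state st = { 0, 0 };
    int sv[2], status = 1, i, nuls = 0, first = 1, ok = 0;
    long long now = (long long)time(NULL);
    ssize_t n;
    pid_t pid;
    FILE *f;

    for (i = 1; i < argc && user == NULL; i++)  /* [-s service] [-v name=value] user [class] */
        if (argv[i][0] != '-')
            user = argv[i];
        else if (argv[i][1] == 's' && i + 1 < argc)
            service = argv[++i];
        else
            i++;                         /* skip the -v value; unused here */
    /* The name is remote input and becomes a file name: keep it inside STATE_DIR. */
    if (user == NULL || *user == '\0' || *user == '.' || strchr(user, '/') != NULL)
        return reject();
    snprintf(path, sizeof path, "%s/%s", STATE_DIR, user);
    if ((f = fopen(path, "r")) != NULL && fscanf(f, "%ld %lld", &st.failures, &st.last_failure) != 2)
        st.failures = 0;                 /* unreadable state: start clean */
    if (f != NULL)
        fclose(f);
    if (is_locked_out(&st, now))         /* locked: the password is never examined */
        return reject();
    /* Run the real style with a socketpair as its fd 3 so its answer passes us. */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1 || (pid = fork()) == -1)
        return 1;
    if (pid == 0) {
        if (dup2(sv[1], BACKCHANNEL) != -1 && close(sv[0]) == 0 && close(sv[1]) == 0) {
            argv[0] = "login_passwd";
            execv("/usr/libexec/auth/login_passwd", argv);
        }
        _exit(1);
    }
    close(sv[1]);
    /* With -s response (what ftpd uses) the caller has already written the
     * challenge and the password to our fd 3 as two NUL-terminated strings. */
    if (strcmp(service, "response") == 0)
        while (nuls < 2 && read(BACKCHANNEL, buf, 1) == 1 && write(sv[0], buf, 1) == 1)
            nuls += buf[0] == '\0';
    while ((n = read(sv[0], buf, sizeof buf - 1)) > 0 && write(BACKCHANNEL, buf, (size_t)n) == n)
        if (first) {                     /* the first chunk carries the verdict */
            buf[n] = '\0';
            ok = reply_authorized(buf);
            first = 0;
        }
    waitpid(pid, &status, 0);
    if (strcmp(service, "challenge") != 0 && (f = fopen(path, "w")) != NULL) {
        record_result(&st, ok, now);     /* a challenge request is not an attempt */
        fprintf(f, "%ld %lld\n", st.failures, st.last_failure);
        fclose(f);
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

Points to keep in mind if you build on this: the state file is read and written without locking, so two simultaneous attempts against one account can each see the same count (a flock(2) on the file closes that gap); the name test only keeps the file inside STATE_DIR, and a whitelist of [A-Za-z0-9_.-] would be stricter; every name tried gets a state file, including accounts that do not exist, so the directory needs pruning or a getpwnam(3) check first; and because the lockout test runs before login_passwd, a locked account gets "reject" without its password ever being checked, which is what the requirement asks for.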