I have a redhat 7.1 system. I'm trying to limit the number of login failures
to prevent brute-forcing passwords. To do this I changed
/etc/pam.d/system-auth to contain this:

auth        required      /lib/security/pam_env.so
auth        required      /lib/security/pam_tally.so no_magic_root
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_tally.so deny=5 no_magic_root
account     required      /lib/security/pam_unix.so

password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

Is this the right way of doing it? I want to make sure that no matter what
way someone tries a password it will count towards the limit of 5 failures.
I would prefer to have it autounlock after a certain time of no password
tries, but then I found a problem.

It seems that when trying a password through telnet or ftp or wherever, if
it is the wrong password there will be a delay of a few seconds. If it is
the right password but the account is locked out, there will be no delay.
Thus you can still brute force a password with this locking enabled, and if
the lock count is cleared after an hour of no attempts, you could then login
with the brute forced password.

Am I going about this the wrong way? How should I do this?


Andreas
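An added example, not part of Andreas's post or of Red Hat's PAM code: a small Python model of the posted auth and account stacks under Linux-PAM's required/sufficient semantics, showing where each attempt is counted, where the deny=5 check runs, and why a locked account with the correct password fails in the account phase without the failure delay that pam_unix requests for a wrong password. The module behaviours, the 2-second delay, and the sample password are simplified assumptions.

```python
from dataclasses import dataclass

DENY = 5  # the deny=5 from the posted account stack
@dataclass
class Account:
    password: str
    tally: int = 0  # pam_tally's per-user failure counter
# Module stand-ins (simplified assumptions, not real PAM code): pam_tally counts
# in the auth phase and enforces deny= in the account phase; pam_unix asks for a
# fail delay (assumed 2 s here) only when the password itself is wrong.
def pam_tally_auth(acct, pw, delay):
    acct.tally += 1  # every attempt counts, whichever service made it
    return True

def pam_unix_auth(acct, pw, delay):
    if pw == acct.password:
        return True
    delay.append(2)  # pam_fail_delay(); libpam sleeps only if auth fails overall
    return False

def pam_tally_account(acct, pw, delay):
    if acct.tally > DENY:  # locked out once the count exceeds deny
        return False
    acct.tally = 0  # a passing account check resets the counter
    return True

def pam_const(result):
    return lambda acct, pw, delay: result

AUTH = [("required", pam_const(True)), ("required", pam_tally_auth),     # pam_env, pam_tally
        ("sufficient", pam_unix_auth), ("required", pam_const(False))]  # pam_unix, pam_deny
ACCOUNT = [("required", pam_tally_account), ("required", pam_const(True))]
def run_stack(stack, acct, pw, delay):
    # Linux-PAM control flags: 'required' records failure but keeps going;
    # 'sufficient' returns success early unless a required module already failed.
    failed = False
    for control, module in stack:
        ok = module(acct, pw, delay)
        if control == "required" and not ok:
            failed = True
        elif control == "sufficient" and ok and not failed:
            return True
    return not failed
def login(acct, pw):
    """Return (logged_in, delay_seconds) as a telnet/ftp client would observe."""
    delay = []
    if not run_stack(AUTH, acct, pw, delay):
        return False, sum(delay)  # wrong password: auth fails, delay applied
    return run_stack(ACCOUNT, acct, pw, delay), 0  # account phase never delays
```

Running login() with a wrong password, with the right password, and with the right password once the tally exceeds 5 gives (False, 2), (True, 0) and (False, 0) respectively, which is the observable difference the post describes.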

_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list