Re: Locking the failed login attemp
From: Richard L. Hamilton (Richard.L.Hamilton_at_mindwarp.smart.net)
Date: 07/21/04
Date: Wed, 21 Jul 2004 12:45:30 -0000
In article <vilain-4B65AB.02465221072004@comcast.dca.giganews.com>,
"Michael Vilain <vilain@spamcop.net>" writes:
> In article <4996bd47.0407210012.7560f36a@posting.google.com>,
> heiskr1s@hotmail.com (Kristianto) wrote:
>
>> Hello gurus,
>>
>> Is there any way to lock a user account after, say 3, failed login attempts?
>>
>> I know that Solaris drops the tty after 5 (default). This, however, is not
>> what the customer wants.
>>
>> They want the account "locked" and possibly a message displayed to the user.
>>
>> I know this takes risk, especially for the failed root password.
>>
>> Thanks in Advance
>>
>> Kristianto
>
> This is ill-advised as it's an opportunity for a denial of service
> attack. All someone would need is a list of accounts and they could
> lock them all out. Is there some external security requirement they
> need to fulfill?
>
> Solaris can't do this out of the box. It would require installing a
> custom PAM. There are some that do this. Google for them.

If I were bound and determined to accomplish that with a custom PAM, I'd
modify it to have two config files:
* a list of accounts _not_ to lock that way
* a list of accounts on the first list that had repeated failures, so that
  it could do something less obnoxious to them (say an extra 30 second time
  delay and logging to all and sundry, the former to make automated attacks
  unreasonably slow & obvious, the latter to make people obvious)

> Will Solaris 10 have this feature? Installing that might be your
> solution.
If it does, I hope it has a configurable list of accounts _not_ to lock.
-- mailto:rlhamil@smart.net http://www.smart.net/~rlhamil
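
Added example, not part of the original post and not code from any existing PAM module: the decision logic for the design sketched in the reply above, where ordinary accounts lock after repeated failures and accounts on a do-not-lock list get a delay plus logging instead. The threshold of 3, the 30 second delay, the in-memory table and all identifiers are assumptions; a real module would persist the counters and call this only for accounts that exist.

```c
/* Added example, not from the post; names, thresholds and table are assumptions. */
#include <stdio.h>
#include <string.h>
#define MAX_FAILS  3    /* lock threshold asked for in the question */
#define DELAY_SECS 30   /* extra delay the reply suggests for exempt accounts */
#define MAX_USERS  32

enum action { ACT_NONE, ACT_LOCK, ACT_DELAY_AND_LOG };
struct fail_rec { char user[32]; int fails; };
struct policy {
    const char **no_lock; size_t n_no_lock;          /* accounts never to lock */
    struct fail_rec recs[MAX_USERS]; size_t n_recs;  /* per-account counters */
};
/* Constructed sample configuration: root is exempt from locking. */
static const char *NO_LOCK[] = { "root" };
static struct policy demo = { .no_lock = NO_LOCK, .n_no_lock = 1 };

static int is_exempt(const struct policy *p, const char *user) {
    for (size_t i = 0; i < p->n_no_lock; i++)
        if (strcmp(p->no_lock[i], user) == 0) return 1;
    return 0;
}

static struct fail_rec *lookup(struct policy *p, const char *user) {
    if (strlen(user) >= sizeof p->recs[0].user) return NULL; /* would truncate */
    for (size_t i = 0; i < p->n_recs; i++)
        if (strcmp(p->recs[i].user, user) == 0) return &p->recs[i];
    if (p->n_recs == MAX_USERS) return NULL;                 /* table full */
    strcpy(p->recs[p->n_recs].user, user);                   /* length checked above */
    p->recs[p->n_recs].fails = 0;
    return &p->recs[p->n_recs++];
}

/* Record one failed login and return what the module should do about it. */
enum action on_failure(struct policy *p, const char *user) {
    struct fail_rec *r = lookup(p, user);
    if (r == NULL) return ACT_DELAY_AND_LOG;  /* cannot track: slow down, never lock */
    if (++r->fails < MAX_FAILS) return ACT_NONE;
    return is_exempt(p, user) ? ACT_DELAY_AND_LOG : ACT_LOCK;
}
void on_success(struct policy *p, const char *user) {  /* success resets the counter */
    struct fail_rec *r = lookup(p, user);
    if (r) r->fails = 0;
}
static int delay_for(enum action a) { return a == ACT_DELAY_AND_LOG ? DELAY_SECS : 0; }

int main(void) {
    for (int i = 1; i <= 4; i++)
        printf("root failure %d: delay %ds\n", i, delay_for(on_failure(&demo, "root")));
    return 0;
}
```

An exempt account is never locked however many failures it accumulates, so hammering the root password cannot be turned into the denial of service raised earlier in the thread.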