Re: ftp/sftp user account lockout threshold



Johan Booysen wrote:
Bill,

Firstly, something I don't quite understand is where on that page the
author says:

"The no_magic_root option ensures that accounts with a UID of 0 are
tallied. You can change this option to magic_root to reverse this
behaviour."

Does this mean that the root account will potentially be locked out?


No. It simply allows me to keep an eye on failed su's to root the way I keep track of other users' failed attempts to log in.


Surely not, but I don't understand what the no_magic_root/magic_root
would then do.

Also, the author says:

The last option, per_user, allows you to exclude accounts from locking
if the accounts have a maximum login failure set explicitly. This
exclusion of accounts allows you to specify some accounts that won't be
locked and thus prevent them being the target of a potential Denial of
Service attack. I recommend you exclude any accounts whose disablement
will cause availability issues for applications or databases, for
example the user account that runs a database process. Account exclusions
are specified using the faillog command:

# faillog -u mysql -m -1

What are your views on doing this for all service accounts?

I don't worry about it. ssh is the only way into my system remotely, and I only allow a very limited range of IP numbers to even get a login prompt, and those are restricted to only certain valid user accounts.


Thanks again.

Johan


--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
