
Auto Account Lockouts in *nix

Status
Not open for further replies.

PcLinuxGuru

Technical User
Nov 17, 2001
178
US
There is a discussion in another forum about account lockouts. From what I have read and heard from both Unix and Linux forums, friends and colleagues, it isn't advisable because it could actually be a type of DOS attack. For example, I try logging into a server as root a few times and the root account gets locked out, or some other daemon accounts, or all of them....

I am going to lockout the root account on a test machine and see if there is a way to unlock it... like going to init 1 and try resetting it.

Am I wrong in my thinking or am I misinformed?

 
Well, same goes for NT or 2000. You can't lock out the administrator account (by default). That could totally screw things up, and would open all Windows machines to a new DOS attack. Same goes for users running services (daemons). Smack that username around until it locks out, thus making that service unavailable...DOS attack.

Best way to combat this is using strong passwords, and keeping an eye on the logs. See someone brute forcing an account that can't be locked out...ban their IP.

So in one sentence.....
Admin/root accounts or service/daemon related accounts should not have lockout policies applied to them due to possible DOS attacks against that username.

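The reply above recommends watching the logs for brute-force attempts against accounts that cannot be locked out and banning the source IP. The script below is an added example, not code from the thread: it counts "Failed password" events per source IP from a few constructed sshd log lines (the `SAMPLE_LOG` text is made up for the example) and lists the addresses that cross a threshold, which an administrator could then feed to their firewall or deny list. On a real host you would replace the embedded sample with `/var/log/auth.log` or the journal.

```shell
#!/bin/sh
# Added example: count failed SSH password attempts per source IP and
# report the addresses that exceed a threshold. Not part of the original post.

# Constructed sample auth-log lines (not real data).
SAMPLE_LOG='Nov 17 10:01:02 host sshd[1001]: Failed password for root from 192.0.2.10 port 50001 ssh2
Nov 17 10:01:05 host sshd[1002]: Failed password for root from 192.0.2.10 port 50002 ssh2
Nov 17 10:01:09 host sshd[1003]: Failed password for invalid user admin from 192.0.2.10 port 50003 ssh2
Nov 17 10:02:11 host sshd[1004]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
Nov 17 10:03:40 host sshd[1005]: Failed password for alice from 198.51.100.7 port 40002 ssh2
Nov 17 10:04:00 host sshd[1006]: Failed password for root from 192.0.2.10 port 50004 ssh2'

# failed_by_ip: print "<count> <ip>" for every source IP that produced a
# "Failed password" line, highest count first. Only sshd failures are
# counted; successful logins are ignored.
failed_by_ip() {
    printf '%s\n' "$SAMPLE_LOG" \
    | awk '/sshd\[[0-9]+\]: Failed password/ {
             # the field after "from" is the client address
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++ }
           }
           END { for (ip in n) print n[ip], ip }' \
    | sort -rn
}

# ban_candidates THRESHOLD: IPs whose failure count is >= THRESHOLD.
# Printing rather than acting keeps the decision with the administrator.
ban_candidates() {
    failed_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Usage: show the per-IP tally, then the addresses with 3 or more failures.
failed_by_ip
echo "--- candidates for banning (>= 3 failures) ---"
ban_candidates 3
```

The threshold is deliberately applied per source address rather than per account: that is what keeps a single attacker from taking root or a daemon account offline, which is the DOS concern raised in the thread.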
 
A lockout of root on a POSIX system is not as catastrophic as a lockout of the Admin account on Windows. As you pointed out, you can always boot to single-user mode to recover from a lockout of root. I'm not a Windows expert, but I do not believe there is an easy way to unlock the Admin account in Windows (assuming you made changes that allowed Admin to get locked in the first place).

However, allowing your Admin/root account to be locked out by a remote user is still a pain. Imagine having to boot to runlevel 1 every morning until the attacker got bored with your system (or until he guessed the password!).

I believe a better solution is to disallow remote logins as root, and disable locking out root from too many wrong passwords.
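The suggestion above is to refuse remote root logins and to keep root exempt from the wrong-password lockout. The script below is an added example, not code from the post or from any project: it audits an `sshd_config` excerpt for the `PermitRootLogin` and `MaxAuthTries` directives. The configuration text is constructed for the example; on a real host you would read `/etc/ssh/sshd_config` instead. The PAM note in the comments assumes `pam_faillock`, which the thread does not mention.

```shell
#!/bin/sh
# Added example: check an sshd_config for the settings the post recommends.
# Not part of the original post. The config text below is constructed.

# sshd uses the FIRST value it finds for a keyword, so a later
# "PermitRootLogin yes" would not override the "no" here.
SAMPLE_SSHD_CONFIG='Port 22
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
MaxAuthTries 3'

# effective_value CONFIG_TEXT KEY: print the first non-comment value of KEY
# (keywords are case-insensitive in sshd_config).
effective_value() {
    printf '%s\n' "$1" \
    | awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }'
}

# root_login_allowed CONFIG_TEXT: succeed (exit 0) when remote root login is
# still possible. sshd's compiled-in default is "prohibit-password", which
# still admits root with a key, so only an explicit "no" counts as disabled.
root_login_allowed() {
    v=$(effective_value "$1" PermitRootLogin)
    [ "$v" != "no" ]
}

# check_config CONFIG_TEXT: one finding per line.
check_config() {
    if root_login_allowed "$1"; then
        echo "WARN: remote root login is permitted (PermitRootLogin is not 'no')"
    else
        echo "OK: remote root login disabled"
    fi
    mat=$(effective_value "$1" MaxAuthTries)
    # 6 is sshd's default when the directive is absent
    echo "INFO: MaxAuthTries=${mat:-6 (default)}"
}

# Usage:
check_config "$SAMPLE_SSHD_CONFIG"

# Keeping root out of the lockout policy is a PAM matter, not an sshd one.
# With pam_faillock (assumed here, not on the page) root is exempt unless
# the module is given "even_deny_root", so a line such as
#   auth required pam_faillock.so preauth deny=5 unlock_time=900
# locks ordinary users after repeated failures while leaving root alone.
```

`MaxAuthTries` limits attempts per connection, not per account, so it slows a guesser down without ever locking anyone out; combined with `PermitRootLogin no` it gives the effect the post asks for without the DOS exposure discussed earlier in the thread.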
 