
LOCKING OUT ACCOUNTS 2


johngiggs

Technical User
Oct 30, 2002
492
US
I am new to UNIX administration and I am currently testing on a Linux box. I am trying to determine which file I have to modify to change the number of login failures it takes to lock out a user. What is the command to check to see if a user is locked out? I know on Solaris it is /usr/local/sbin/login_limit, but I'm not sure what the command is in Linux. Any help would be greatly appreciated.

Thanks,

John
 

Look at /etc/login.defs
Not sure how it gets locked. Possibly in the passwd file.

Cheers Henrik Morsing
Certified AIX 4.3 Systems Administration
& p690 Technical Support
 
Well to lock out a user you type:

usermod -L <login name>

To unlock:
usermod -U <login name>

You can read all the options by typing "man usermod"

As far as I know there is no option to lock out a user based on login attempts. Perhaps some third party software does.
 
PcLinuxGuru,

How do you stop people from attempting to crack someone's account if there is no way to lock out an account after several unsuccessful login attempts? I know that my account in both NT and UNIX gets locked out after 3 unsuccessful login attempts.

Thanks,

John
 

It's all in login.defs!!!

Cheers Henrik Morsing
Certified AIX 4.3 Systems Administration
& p690 Technical Support
 
/etc/login.defs doesn't seem to have any variable for the number of failed attempts. Any idea?

 
Also tried LOGIN_RETRIES n (where n=no. of tries) in /etc/login.defs but no luck.
 

I must admit I can't find anything about it and I haven't got access to a Linux box. Sorry, can't help you any further.

Cheers Henrik Morsing
Certified AIX 4.3 Systems Administration
& p690 Technical Support
 
From: /etc/pam.d/passwd

All the configuration options are fairly clearly described here.

#
# The PAM configuration file for the Shadow `passwd' service
#

# The standard Unix authentication modules, used with NIS (man nsswitch) as
# well as normal /etc/passwd and /etc/shadow entries. For the login service,
# this is only used when the password expires and must be changed, so make
# sure this one and the one in /etc/pam.d/login are the same. The &quot;nullok&quot;
# option allows users to change an empty password, else empty passwords are
# treated as locked accounts.
#
# (Add `md5' after the module name to enable MD5 passwords the same way that
# `MD5_CRYPT_ENAB' would do under login.defs).
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs. Also the "min" and "max" options enforce the length of the
# new password.

password required pam_unix.so nullok obscure min=4 max=8 md5

# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
# You will need to comment out the password line above and
# uncomment the next two in order to use this.
# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
#
# password required pam_cracklib.so retry=3 minlen=6 difok=3
# password required pam_unix.so use_authtok nullok md5
 
Hi Guys,

I need your help with locking a user's password after 3 unsuccessful attempts in Unix. A colleague of mine says I need to download a package that does this. Please advise on how to go about doing the above.

Thanx
 
1) Ask your colleague what package to download?

A) No such thing as far as I know. The autolockout of user account discussion has been around for a very long time.

Unless you write something yourself or actually do find something out please let us all know....

The reason you can't do what you want is that it could be a type of DoS (Denial of Service) attack. If I wanted to lock out a server so no one can use it.... I would just try logging in as root a few times until it is locked out.

Now if I was able to lock out the root account, you can't log in to change the passwd back because you can only change passwords as root: catch-22. Plus a lot of processes that are required for the server to function are run as root. So you would be facing a re-install.

This is the reason it has never been done. Now nothing is stopping you from making your own PAM module that does do it and perhaps you can make it not lock out root but who knows.....

 

1) So why do professional Unices behave like this?? It works fine but doesn't apply to root of course.

2) Why would you need to reinstall because of a locked root account??

Cheers

Henrik Morsing
Certified AIX 4.3 Systems Administration
& p690 Technical Support
 
Hi Henrik,

this is a simple answer. If you lock the root account you've nobody to unlock this account. Root can only be administered by root. But how will you do this if it's locked?
regards

Uwe
 

It's kind of easy to reset a locked root account. I was a bit surprised someone calling himself "PcLinuxGuru" didn't know that??

Cheers

Henrik Morsing
Certified AIX 4.3 Systems Administration
& p690 Technical Support
 
So how do you reset it? Hmmm go into init 1 which of course will fail because it auto logs in as root and behold the account is locked so it fails to log in....

Please inform me if I am wrong...

In fact what I will do is install linux on a test bed and lockout the root account and see for sure...

 
Depending on how you lock out the account, it may just disable the password (this is what [tt]usermod[/tt] does). It places a ! in front of the encrypted password in your password file, which is circumvented when you go to run level 1.

//Daniel
 
You can get a Linux system to lock out accounts by modifying your pam configuration to use the pam_tally.so library. My RedHat system has documentation on pam_tally within this file "/usr/share/doc/pam-0.75/txts/README.pam_tally"

I've used it successfully by modifying the appropriate /etc/pam.d/ file by adding in the following lines:
auth required /lib/security/pam_tally.so onerr=fail no_magic_root
account required /lib/security/pam_tally.so deny=3 reset no_magic_root per_user

In this example pam_tally will log failed attempts to the default file (/var/log/faillog) and will deny login after 3 failed attempts, but will reset the count after a successful login. The no_magic_root option will keep root from getting locked out.

Then by using the /usr/bin/faillog command you can view failed login counts. As root you can unlock a user by issuing "/usr/bin/faillog -u <username> -r"

Hope that helps.
 
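The thread's worry about the DoS angle comes down to one question: does every pam_tally line in the service file carry no_magic_root, and what deny= limit is set? The script below is an added example (not from the thread and not from the pam package) that answers both questions for a PAM service file. The file path, its contents and the function names are constructed for the demonstration; the sample file reproduces the two pam_tally lines posted above, and a second file without no_magic_root shows the check failing.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a PAM service file for a
# pam_tally lockout that cannot lock out root.
# Paths and file contents are constructed for the demo.

PAM_FILE="${TMPDIR:-/tmp}/pam_login_ok.$$"
BAD_FILE="${TMPDIR:-/tmp}/pam_login_bad.$$"
trap 'rm -f "$PAM_FILE" "$BAD_FILE"' EXIT

# Constructed service file matching the lines posted above.
cat > "$PAM_FILE" <<'EOF'
auth required /lib/security/pam_tally.so onerr=fail no_magic_root
account required /lib/security/pam_tally.so deny=3 reset no_magic_root per_user
password required pam_unix.so nullok obscure min=4 max=8 md5
EOF

# Constructed misconfiguration: the account line would lock root too.
cat > "$BAD_FILE" <<'EOF'
auth required /lib/security/pam_tally.so onerr=fail no_magic_root
account required /lib/security/pam_tally.so deny=3 reset per_user
EOF

# tally_deny_limit FILE : print the N from deny=N on the pam_tally account line
# (prints nothing when no limit is configured)
tally_deny_limit() {
    awk '$1 == "account" && $3 ~ /pam_tally\.so$/ {
            for (i = 4; i <= NF; i++)
                if ($i ~ /^deny=/) { split($i, kv, "="); print kv[2] }
         }' "$1"
}

# tally_protects_root FILE : exit 0 only if every pam_tally line has no_magic_root
tally_protects_root() {
    awk '$3 ~ /pam_tally\.so$/ {
            n++
            for (i = 4; i <= NF; i++) if ($i == "no_magic_root") ok++
         }
         END { if (n > 0 && ok == n) exit 0; exit 1 }' "$1"
}

# Report on both constructed files.
for f in "$PAM_FILE" "$BAD_FILE"; do
    if tally_protects_root "$f"; then
        echo "$f: root protected, deny limit = $(tally_deny_limit "$f")"
    else
        echo "$f: WARNING: a pam_tally line is missing no_magic_root"
    fi
done
```

Run it against the real file with `tally_protects_root /etc/pam.d/login` once the functions are sourced; the check keys on the module name pam_tally.so exactly as posted, so a system using a different lockout module needs the pattern adjusted.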
I know that this was not the original question but: it's simple to recover the root password & "all" Unix SysAdmins should know this. The issue here is that there will be downtime involved and if a DoS attack can just continue to re-lock it then why would you have something like this enabled?

So for those who "don't" know how to restore root:

<This example is for Red Hat Linux but could be any Unix>

You need a Linux bootable CD-ROM there are also a few floppy disk mini Linux that you could use, and of course you need physical access to the server.

It always helps to have your system build document available so we know what disks/mount points we have on the system (we all create a build document on install, don't we? If not, "DO AN AUDIT NOW", stop surfing Jobserve and do something useful).

Ok you have the Linux boot disk and CD-ROM, throw both of them into the server and reboot (remember what disks you have ?? /dev/hda1 ? see the build document).

The system starts from floppy and takes you to the first bootloader, at the prompt type linux rescue <CR>
the system goes off and comes back asking you to choose a language.. do so and <CR>, then prompts you for keyboard type, choose and <CR>, you are then informed that you will be taken to a shell and the system will reboot when this shell is terminated <CR>

Now you should be at a prompt. Right, POINTS TO REMEMBER: we are running a VIRTUAL OS from the CD-ROM; the only place that we can write to is /tmp in this virtual filesystem.
So let's get to work. What we want to do is mount the hard drive and modify the /etc/shadow file, so this is how we do it:
ext2:> mkdir /tmp/pewe <CR>
ext2:> mount -t ext2 /dev/hda1 /tmp/pewe <CR>
ext2:> cd /tmp/pewe/etc <CR>
ext2:> pico shadow (modify the file "remove the ! from the front of the root's password field", save the file "into its original name" and exit)
ext2:> cd /; reboot (remove the floppy disk & CD-ROM in the process)
Now you will probably find that the system will boot BUT it may stop and ask you to run fsck (this is only a remote possibility and maybe not in this scenario), so at
(Repair filesystem)1# fsck /dev/hda1 <CR>
reply YES to the prompts. NOW hopefully the system will reboot normally.

And that's your root account recovered. Now you see why you should keep your servers in secure server rooms? You should see how easy it is with routers if you have physical access to them .... He .. He .. He ...

Anyway back to the question: It shouldn't be so hard to write a script that tails your logfile for repeated login failures within a specific period and then do usermod -L $username; mail -s "$username Your account has been Locked" $username < /docs/some_message_to_call_helpdesk.doc

Hope this helps "someone"

Laurie
 
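Laurie's suggestion above, carried through as an added example (this is not Laurie's script and not part of the thread): a dry-run lockout watcher that reads login-failure lines, counts failures per user inside a sliding time window, and prints the usermod/mail commands instead of running them. The hostname, PIDs, usernames and log lines are constructed; the line format follows the classic "FAILED LOGIN ... FOR user" message from the Linux login program. Root is skipped for the reason the thread spends most of its length on, the same idea as no_magic_root in the pam_tally post.

```shell
#!/bin/sh
# Added example, not the thread's script: a dry-run version of "tail the log,
# count failures per user in a window, then usermod -L".
# Log lines, host and PIDs below are constructed. On a real box, feed it with
# tail -f of whatever file the login service logs to.

THRESHOLD=${THRESHOLD:-3}    # failures needed before a lock is proposed
WINDOW=${WINDOW:-300}        # sliding window, in seconds

# lockout_candidates < log : print each user (once) who hit THRESHOLD failures
# within WINDOW seconds. root is never printed.
lockout_candidates() {
    awk -v thr="$THRESHOLD" -v win="$WINDOW" '
        /FAILED LOGIN/ {
            # syslog timestamp "Mon DD HH:MM:SS" -> seconds since midnight;
            # enough for a same-day window, which the constructed sample respects
            split($3, hms, ":")
            now = hms[1] * 3600 + hms[2] * 60 + hms[3]
            # the user is the word after FOR, minus its trailing comma
            u = ""
            for (i = 1; i < NF; i++) if ($i == "FOR") { u = $(i + 1); sub(/,$/, "", u) }
            if (u == "" || u == "root") next   # never propose locking root
            cnt[u]++; t[u, cnt[u]] = now
            recent = 0
            for (j = 1; j <= cnt[u]; j++) if (now - t[u, j] <= win) recent++
            if (recent >= thr && !(u in locked)) { locked[u] = 1; print u }
        }'
}

# lock_users < log : turn candidates into the commands Laurie describes.
# DRY_RUN=1 (the default here) only echoes the usermod line.
lock_users() {
    lockout_candidates | while read -r user; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "usermod -L $user"
        else
            usermod -L "$user" && \
              mail -s "$user Your account has been Locked" "$user" \
                < /docs/some_message_to_call_helpdesk.doc
        fi
    done
}

# Constructed sample: jsmith fails 3 times in under a minute, root fails 3
# times (ignored), mjones fails 3 times spread over hours (outside the window).
SAMPLE_LOG='Oct 30 09:10:00 srv1 login[3990]: FAILED LOGIN 1 FROM (null) FOR mjones, Authentication failure
Oct 30 11:10:00 srv1 login[3995]: FAILED LOGIN 2 FROM (null) FOR mjones, Authentication failure
Oct 30 13:10:00 srv1 login[4002]: FAILED LOGIN 3 FROM (null) FOR mjones, Authentication failure
Oct 30 14:02:11 srv1 login[4101]: FAILED LOGIN 1 FROM (null) FOR jsmith, Authentication failure
Oct 30 14:02:40 srv1 login[4101]: FAILED LOGIN 2 FROM (null) FOR jsmith, Authentication failure
Oct 30 14:03:05 srv1 login[4101]: FAILED LOGIN 3 FROM (null) FOR jsmith, Authentication failure
Oct 30 14:03:30 srv1 login[4107]: FAILED LOGIN 1 FROM (null) FOR root, Authentication failure
Oct 30 14:03:44 srv1 login[4107]: FAILED LOGIN 2 FROM (null) FOR root, Authentication failure
Oct 30 14:04:01 srv1 login[4107]: FAILED LOGIN 3 FROM (null) FOR root, Authentication failure'

# Demo run over the constructed lines: prints "usermod -L jsmith" only.
printf '%s\n' "$SAMPLE_LOG" | lock_users
```

Keeping the lock as a separate step (and defaulting to a dry run) is what makes this safe to leave running: the watcher can be reviewed against the log before DRY_RUN=0 is set, and a burst of failures against root produces nothing at all rather than the self-inflicted lockout the thread warns about.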
Actually I was thinking that if root got locked out then the system would be unable to boot. Mostly because the processes start as root and change to another user.

I have tried locking out root and the system successfully rebooted. The thing I could not do of course was login as root.

Booting to init 1 and running usermod to unlock the account didn't work so manually editing the /etc/shadow file and removing the ! did work...

So in retrospect there is no valid reason in my mind why you would not want to do that... except getting called by people who forgot their passwords.

 
Thanx hongatchi,

I was hoping someone would answer with something more than It's all in login.defs....

Make a FAQ outta it.

[2thumbsup]

 