[SunHELP] To disable login if failed for 3 attempts.

Leon Halford sunhelp at sunhelp.org
Wed Oct 24 07:06:37 CDT 2001


Two options:

1. Budget method

Experiment with /etc/default/login parameters SYSLOG_FAILED_LOGINS
(maybe SLEEPTIME as well if that interests you). The first parameter
will log an entry to syslog after X repeated failed logins.
Simply poll (tail -f or via a pipe) /var/adm/messages. When you see the
appropriate message, issue the command "passwd -l <username>". A very
simple shell script. This method will not however provide feedback to
the user, they will only see the message "Login Failed" even after the
account is locked, thus you would need to include an email message in
the same script to inform the unwary user.
"man login" for more details on /etc/default/login.

2. Write a custom PAM module

The most flexible way is to utilize the PAM interface so that all
existing commands like rsh, rlogin, telnet, ftp, su, CDE etc work
effortlessly. 
Sample PAM modules are available from Sun in the downloads area. PAM
provides a high-level API for authorisation, account management,
password management, and session management. The RETRIES option within
/etc/default/login is apparently useful in this context. 
"man pam" for more details or visit docs.sun.com.

This method would easily allow interactive feedback to the user upon the
Xth failed login via printf or equivalent.

To answer your 2nd idea:

You can't lock an account for "wrong username" as obviously that account
does not exist in the first place.
Also it is a security concern to notify a user that there is "no such
account" or even "wrong password" as it clearly identifies an account is
present on the system, hence why "login failed" is always used.

Personally I think 3 failed logins is a bit excessive to lock an account
- most people can easily manage mistyping their passwords wrong 3x in a
row. Prepare your helpdesk accordingly!
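The "budget method" from option 1, written out as an added example (this is not code from the post, from Sun, or from the SunHELP list): a small POSIX sh watcher that follows /var/adm/messages, picks the account name out of the lockout notice that login writes once SYSLOG_FAILED_LOGINS is reached, locks it with "passwd -l" and mails the user, since login itself keeps printing only "Login incorrect". The exact wording of the syslog line ("REPEATED LOGIN FAILURES ON ... , user"), the sample log line, and the helper names are assumptions; check the text against your own /var/adm/messages before relying on the pattern. It also adds two checks a practitioner would want: the logged name is whatever was typed at the login: prompt, so it is validated before being handed to passwd, and accounts listed in NEVER_LOCK (root by default) are never auto-locked, otherwise a run of bad passwords against them locks the machine out of its own administrator.

```shell
#!/bin/sh
# Added example, not from the SunHELP post: the "budget method" as a script.
# Watches the syslog file for the entry login(1) writes after
# SYSLOG_FAILED_LOGINS consecutive failures, locks the account and mails
# the user.  Assumption: the entry reads "REPEATED LOGIN FAILURES ON <tty>
# [FROM <host>], <user>"; adjust extract_failed_user to your system's text.

LOGFILE=${LOGFILE:-/var/adm/messages}
# Accounts that must never be auto-locked (space separated).
NEVER_LOCK=${NEVER_LOCK:-"root"}

# Print the account name from a lockout notice; return 1 for any other line.
extract_failed_user() {
    case "$1" in
        *"REPEATED LOGIN FAILURES ON"*", "*) printf '%s\n' "${1##*, }" ;;
        *) return 1 ;;
    esac
}

# The logged name is untrusted input typed at the login: prompt, so accept
# only plain account names (no leading "-", no shell metacharacters) and
# refuse anything on the NEVER_LOCK list.
valid_username() {
    case "$1" in
        "" | -* | *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    for u in $NEVER_LOCK; do
        [ "$u" = "$1" ] && return 1
    done
    return 0
}

# Small wrappers so the real actions can be swapped out for a dry run.
account_exists() { id "$1" >/dev/null 2>&1; }
lock_account()   { passwd -l "$1"; }
notify_user() {
    printf 'Your account %s was locked after repeated failed logins.\nContact the helpdesk to have it unlocked.\n' "$1" \
        | mailx -s 'Account locked after repeated login failures' "$1"
}

# Lock and notify; 1 = rejected name, 2 = unknown account, 3 = passwd failed.
lock_and_notify() {
    valid_username "$1" || return 1
    account_exists "$1" || return 2
    lock_account "$1"   || return 3
    notify_user "$1"
}

# Handle one log line; lines that are not lockout notices are ignored.
handle_line() {
    user=$(extract_failed_user "$1") || return 0
    lock_and_notify "$user"
}

# The watcher only starts when asked, so the functions above can be
# sourced or tested without touching the live log.
if [ "${1:-}" = "--watch" ]; then
    tail -f "$LOGFILE" | while IFS= read -r line; do
        handle_line "$line"
    done
fi
```

Run it as `sh lockout.sh --watch` from an rc script; set RETRIES and SYSLOG_FAILED_LOGINS in /etc/default/login to the count you want, and remember that passwd -l is a hard lock, so the helpdesk unlock path matters as much as the script.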


-----Original Message-----
From: sunhelp-admin at sunhelp.org [mailto:sunhelp-admin at sunhelp.org] On
Behalf Of C, Guruprasad (MED)
Sent: 24 October 2001 06:52
To: 'sunhelp at sunhelp.org'
Subject: [SunHELP] To disable login if failed for 3 attempts.

Greetings,
I have one question.
How to disable login (telnet or ftp or any rlogin) and warn the user (display
a text message) if the user failed to login 3 times, maybe due to a wrong
password or wrong user name.
Is it a standard security service provided by any OS or do we have to
implement it?
I will summarize the answer for the list.

Thanks in Advance,
Guru.


