Date: Tue, 5 Feb 2008 11:04:57 -0800
From: Chuck Swiger <cswiger@mac.com>
To: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Cc: Tuan Ho <taho89@hotmail.com>, freebsd-questions@freebsd.org
Subject: Re: Help on freeBSD 4.10
Message-ID: <F26921D5-79A0-4767-8B99-FA11FECE67BB@mac.com>
In-Reply-To: <47A809BC.2000608@infracaninophile.co.uk>
References: <BAY104-W2950C28F322C2E997A2E98DC330@phx.gbl> <4E314437-2B3E-4FC1-9825-5E08DA278635@mac.com> <47A809BC.2000608@infracaninophile.co.uk>

On Feb 4, 2008, at 11:01 PM, Matthew Seaman wrote:
>>> As an administrator, how can I disable an account after three
>>> consecutive unsuccessful login attempts?
>>
>> As root, you could run:
>>
>> chsh -s /usr/sbin/nologin _user_
>
> Um... I don't think that's quite what the OP meant. He wants to
> automatically lock out anyone that fails 3 times to supply the
> right password.

Perhaps, although I preferred to answer the question which was actually
asked in this case, since automatically locking out accounts results in
a trivial denial-of-service condition whenever anyone happens to do a
brute-force scan on the machine in question.

> See login.conf(5), particularly these entries:
>
>  login-backoff   number   3    The number of login attempts allowed
>                                before the backoff delay is inserted
>                                after each subsequent attempt. The
>                                backoff delay is the number of tries
>                                above login-backoff multiplied by 5
>                                seconds.
>  login-retries   number   10   The number of login attempts allowed
>                                before the login fails.
>
> Note that this applies only to the login(1) program and so applies to
> textmode logins directly on the console. Other applications like xdm(1)
> have different controls, as do applications that provide remote access
> like ssh(1).

Have you actually tried setting these? They make the system add a pause
if the wrong password is entered several times, but they will not
actually lock the account.

--
-Chuck