How will you implement an account lockout policy in Linux?
Solution:
PAM_TALLY
* Tallies failed login attempts and takes action on them
* Denies user access to the system based on the number of failed login attempts
* This feature / module is not enabled by default
* Uses /var/log/faillog to log failed logins
* Lets you manipulate failed login counters
which pam_tally
/usr/sbin/pam_tally (i.e. it is a root-only utility)
* pam_tally --user username : displays the failed login count for username
Resetting a failed login counter:
pam_tally --reset=n --user=username
Add the following line to /etc/pam.d/common-auth:
auth required pam_tally.so deny=3 unlock_time=1800
NB: tested on CentOS 5.5.
For Ubuntu systems see: http://blog.bodhizazen.net/linux/ubuntu-how-to-faillog/
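
An added example (not from the original post): a shell function that audits a PAM auth file for an active pam_tally.so line like the one above and reports its deny= and unlock_time= values. The name check_tally and the sample files are constructed for illustration; it assumes that without deny= the module only counts failures, and that without unlock_time= a locked account stays locked until the counter is reset by hand.

```shell
#!/bin/sh
# Added example: audit a PAM auth file for the pam_tally lockout line.
# Prints "deny=N unlock_time=S" and returns 0 when lockout is enforced;
# prints a reason and returns 1 otherwise.
check_tally() {
    awk '
        /^[ \t]*#/ { next }                   # ignore commented-out lines
        $1 == "auth" && /pam_tally\.so/ {     # first active pam_tally auth line
            for (i = 3; i <= NF; i++) {
                if ($i ~ /^deny=[0-9]+$/)        deny   = substr($i, 6)
                if ($i ~ /^unlock_time=[0-9]+$/) unlock = substr($i, 13)
            }
            found = 1
            exit                              # jumps to END
        }
        END {
            if (!found)     { print "pam_tally not configured"; exit 1 }
            if (deny == "") { print "count-only (no deny=)";    exit 1 }
            if (unlock == "") unlock = "manual-reset"
            print "deny=" deny " unlock_time=" unlock
        }
    ' "$1"
}

# Constructed sample files (not taken from a real system).
demo_dir=$(mktemp -d)
printf '%s\n' 'auth required pam_tally.so deny=3 unlock_time=1800' \
              'auth required pam_unix.so' > "$demo_dir/enforced"
printf '%s\n' '#auth required pam_tally.so deny=3 unlock_time=1800' \
              'auth required pam_unix.so' > "$demo_dir/commented"
printf '%s\n' 'auth required pam_tally.so' > "$demo_dir/count_only"

for f in enforced commented count_only; do
    printf '%-11s %s\n' "$f:" "$(check_tally "$demo_dir/$f")"
done
```

On a real system, point check_tally at the file you edited; a commented-out line is the usual reason a lockout policy that "was added" never triggers.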