Unix administration - Re: How to disable login after too many attempts


Author Re: How to disable login after too many attempts
Michael Vilain

2004-12-05, 5:51 pm

In article <36f36d84.0412050541.5a370f84@posting.google.com>,
googlemail2003@yahoo.com (Carol) wrote:

> "vilain@spamcop.net" <michael.vilain@gmail.com> wrote in message
> "news:<1102202809.388515.101270@f14g2000cwb.googlegroups.com>...
> Denial of service is not a problem. Our machine is on an internal
> network only.
>
> It does log failed login attempts.


So start writing cron scripts to scan for failed login attempts. They
should disable the account and log their activity. If your OS doesn't
have any command line feature to change the password file (e.g. user
account management commands), then you'll have to worry about file
locking. I'd also not do this for root and only allow root to login on
the system console and not remotely. That way you put the console
behind a card-key accessed door for a record of who and when they
entered. If you move to some other kind of authentication service like
NIS or LDAP, you'll have to modify this approach appropriately.

Sounds like you need to hire a security specialist to review your
standards and practices. You require passwords be changed regularly,
right? And your system keeps a history so they can't be reused, right?
Most of these modern security features are missing from UNIX (DEC had
them on VMS back in 1993 when I last touched a VAX).

>
> What we are trying to do is standard in all large companies for their
> employees. It's also standard for health sites and bank sites. Too
> many incorrect login attempts disables the account.
>
> I know there are ways to do this manually which would require writing
> our own login script. What I'm after is a system function that does
> it. I believe it's there I just don't know where to look.
>
> This request is becoming a company standard. It's a huge health
> insurance company with about 60,000 employees. They want to
> standardize procedures in all offices (good luck!). Anyway, someone
> will be coming to scrutinize our security methods and this has to be
> one of them. Believe me I wouldn't be doing this if I didn't have to.


Well, companies are welcome to demand anything they want if they wave
enough money in front of a vendor. If the vendor no longer exists (e.g.
DEC), then you buy the solution from someone who's already done it or do
it in-house.

Good luck with that. You still haven't answered the question "Who comes
in after hours (e.g. 2am on Sunday morning) to reset a disabled account?"

--
DeeDee, don't press that button! DeeDee! NO! Dee...
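
The cron-script approach described in the post above, sketched as an added example that is not part of the original thread: it counts consecutive failed logins per user, never touches root, and logs every action. The log line format, the `/tmp` paths, the threshold and the use of `passwd -l` as the lock command are assumptions; substitute your OS's log format and account management command.

```sh
#!/bin/sh
# Added example: cron-driven lockout after repeated failed logins (all values constructed).
THRESHOLD=${THRESHOLD:-3}
DRY_RUN=${DRY_RUN:-1}                 # 1 = only record what would be locked
ACTION_LOG=${ACTION_LOG:-/tmp/lockout-actions.log}

# Print each user whose current run of consecutive failures is >= $2.
# A successful login resets that user's count; root is never listed.
users_over_threshold() {
    awk -v max="$2" '
        function user(   i) {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^user=/) return substr($i, 6)
            return ""
        }
        /LOGIN OK/     { u = user(); if (u != "") fails[u] = 0 }
        /FAILED LOGIN/ { u = user(); if (u != "" && u != "root") fails[u]++ }
        END { for (u in fails) if (fails[u] >= max) print u }
    ' "$1" | sort
}

# Lock each user named on stdin and record the action.
# `passwd -l` is an assumption: use your OS's account management command.
lock_users() {
    while read -r u; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "$(date) would lock $u" >> "$ACTION_LOG"
        else
            passwd -l "$u" && echo "$(date) locked $u" >> "$ACTION_LOG"
        fi
    done
}

# Constructed sample log, standing in for the system's failed-login log.
sample_log() {
    cat <<'EOF'
Dec  5 02:10:01 host1 login: FAILED LOGIN user=alice tty=pts/3
Dec  5 02:10:09 host1 login: FAILED LOGIN user=alice tty=pts/3
Dec  5 02:10:15 host1 login: FAILED LOGIN user=bob tty=pts/4
Dec  5 02:10:20 host1 login: FAILED LOGIN user=bob tty=pts/4
Dec  5 02:10:31 host1 login: LOGIN OK user=bob tty=pts/4
Dec  5 02:10:40 host1 login: FAILED LOGIN user=bob tty=pts/4
Dec  5 02:11:02 host1 login: FAILED LOGIN user=alice tty=pts/3
Dec  5 02:11:30 host1 login: FAILED LOGIN user=root tty=pts/5
Dec  5 02:11:31 host1 login: FAILED LOGIN user=root tty=pts/5
Dec  5 02:11:32 host1 login: FAILED LOGIN user=root tty=pts/5
EOF
}
LOG=$(mktemp) && sample_log > "$LOG"
users_over_threshold "$LOG" "$THRESHOLD" | lock_users
```

With the sample data only alice is selected: bob's successful login resets his count, and root is skipped even with three failures.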




Copyright 2003 - 2008 webservertalk.com