Sorting bits into bytes...

Linux Pluggable Authentication Modules (PAM)

I don’t recommend changing these settings. But due to pen testing, the Application Remote Collector kept locking me out. On any other day I would leave the settings as they are, but in order to have a productive day I had to change them.
As with any Linux box, you can easily change the lockout time and the number of unsuccessful attempts allowed before a lockout happens.

How?

Edit /etc/pam.d/system-auth with your favorite editor and change the values accordingly.

The default values:
root@arc [ ~ ]# cat /etc/pam.d/system-auth
# Begin /etc/pam.d/system-auth
auth required pam_env.so
auth required pam_tally2.so onerr=fail deny=3 unlock_time=900 root_unlock_time=900 file=/var/log/tallylog
auth required pam_unix.so
auth optional pam_faildelay.so delay=4000000

onerr=fail -> If the module hits an error, just fail
deny=3 -> Lock the account after 3 failed login attempts
unlock_time=900 -> Time in seconds to wait before the account is unlocked
root_unlock_time=900 -> Even root has to wait before the account is unlocked

New values:

root@arc [ ~ ]# cat /etc/pam.d/system-auth
# Begin /etc/pam.d/system-auth
auth required pam_env.so
auth required pam_tally2.so onerr=fail deny=5 unlock_time=60 root_unlock_time=60 file=/var/log/tallylog
auth required pam_unix.so
auth optional pam_faildelay.so delay=4000000

 

Be sure to change the values back to default!
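
One way to confirm the values really were changed back, as an added example that is not part of the original post: a POSIX shell function that compares the pam_tally2 line with the defaults listed above. The function name, the BASELINE variable and the temporary sample file are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original post: flag pam_tally2 options that
# differ from the defaults the post quotes for /etc/pam.d/system-auth.
BASELINE="deny=3 unlock_time=900 root_unlock_time=900"

# check_tally2 FILE: print one line per deviation; return 1 if any is found.
check_tally2() {
    # First non-comment auth line that loads pam_tally2.so
    line=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_tally2\.so' "$1" | head -n 1)
    if [ -z "$line" ]; then
        echo "pam_tally2.so missing from auth stack"
        return 1
    fi
    rc=0
    for want in $BASELINE; do
        key=${want%%=*}
        # One module argument per line, then pick the one named $key
        have=$(printf '%s\n' "$line" | tr -s ' \t' '\n\n' | grep "^${key}=" | head -n 1)
        if [ "$have" != "$want" ]; then
            echo "$key: expected $want, found ${have:-unset}"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the relaxed stack from the "New values" listing.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Begin /etc/pam.d/system-auth
auth required pam_env.so
auth required pam_tally2.so onerr=fail deny=5 unlock_time=60 root_unlock_time=60 file=/var/log/tallylog
auth required pam_unix.so
auth optional pam_faildelay.so delay=4000000
EOF
check_tally2 "$sample" || echo "=> lockout policy is not at the default"
```

On the appliance itself, point the function at /etc/pam.d/system-auth instead of the sample file; a non-zero return means the relaxed values are still in place.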
