How to disable login after too many attempts
Posted by Carol on December 4th, 2004


I want to disable a user's password after they have tried
unsuccessfully to log in three times. I looked at the 'passwd' command
and also the /etc/default/passwd file but did not find anything
pertinent. The most I found was the ability to disconnect the session
after three attempts. However, the user can reconnect and keep trying.

Our operating system is an antique - DC/Osx. It is similar to the OS
on a Siemens machine running ATT4.

Thanks

Posted by phn@icke-reklam.ipsec.nu on December 4th, 2004


Carol <googlemail2003@yahoo.com> wrote:
You might seek another solution. Locking out users automatically
is a good way to create Denial of services.

Better let the intruder continue, make sure the password will
never match and start tracing him (and have the authorities with you).

A non-working password can be obtained by adding a character to the hash,
thus disabling any matches. Changing the shell to /bin/false will also
make sure he never gets in.

--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but i'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.
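The two manual locks Peter describes (corrupt the stored hash so nothing can ever match it, and set the shell to /bin/false), as an added example that is not part of the original thread. It works on a constructed passwd-style file in the classic 7-field layout (name:hash:uid:gid:gecos:home:shell), never on the real /etc/passwd; on a shadowed system the hash lives in field 2 of /etc/shadow instead. The '!' prefix as the marker, the function names and the placeholder hashes are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread): lock an account by mangling its hash
# and by setting its shell to /bin/false, on a constructed passwd-style file.
# Layout assumed: name:hash:uid:gid:gecos:home:shell (hash in field 2).

# field_of FILE USER N -> prints field N of USER's entry (empty if no entry)
field_of() {
    awk -F: -v u="$2" -v n="$3" '$1 == u { print $n; exit }' "$1"
}

# is_locked FILE USER -> exit 0 if the hash carries our '!' marker
is_locked() {
    case "$(field_of "$1" "$2" 2)" in
        '!'*) return 0 ;;
        *)    return 1 ;;
    esac
}

# lock_account FILE USER -> prefix the hash with '!' and set shell to /bin/false.
# crypt(3) output never contains '!', so the mangled hash matches no password.
# The new file is written to a temp name and renamed, so a crash mid-write
# cannot leave a truncated password file behind. Idempotent.
lock_account() {
    file=$1; user=$2
    tmp="$file.lock.$$"
    awk -F: -v OFS=: -v u="$user" '
        $1 == u {
            if ($2 !~ /^!/) $2 = "!" $2
            $7 = "/bin/false"
        }
        { print }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$file"
}

# unlock_account FILE USER SHELL -> strip the '!' marker and restore the shell
unlock_account() {
    file=$1; user=$2; shell=$3
    tmp="$file.unlock.$$"
    awk -F: -v OFS=: -v u="$user" -v sh="$shell" '
        $1 == u { sub(/^!/, "", $2); $7 = sh }
        { print }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$file"
}

# Demo on a constructed file (hashes are placeholders, not real crypt output)
demo_passwd=$(mktemp)
printf 'root:AbCd1234efgh:0:0:root:/:/bin/sh\n' > "$demo_passwd"
printf 'alice:XyZ98765wvut:100:100:Alice:/home/alice:/bin/ksh\n' >> "$demo_passwd"
lock_account "$demo_passwd" alice
cat "$demo_passwd"
rm -f "$demo_passwd"
```

Keep a backup before touching the real file, and prefer the system's own tool (vipw or passwd -l where it exists) over a script; the temp-file-and-rename step is the minimum needed so a half-written /etc/passwd cannot lock everyone out, root included.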

Posted by vilain@spamcop.net on December 4th, 2004


Another has already said this isn't a Good Thing (tm) because of the
possibility for denial of service. Where is this requirement coming
from? Security auditors or some new PHB who doesn't know their tush
from toilet paper?

As you've discovered, older systems don't do this unless you hack them.
Unless your OS detects password failure attempts and logs them, you'll
have to get source code to do modifications (got source?). Then you
could scan the log file for the attempts and somehow disable the
account. All this has to be done very carefully as to not corrupt the
password file and make the system completely unusable.

Go back and ask the requester how important this is and how much effort
they're willing to invest. Also ask who's responsible for coming in
after hours to unlock an account when some manager can't get in because
they forgot their password.

Posted by Carol on December 5th, 2004


Denial of service is not a problem. Our machine is on an internal
network only.

It does log failed login attempts.

What we are trying to do is standard in all large companies for their
employees. It's also standard for health sites and bank sites. Too
many incorrect login attempts disables the account.

I know there are ways to do this manually which would require writing
our own login script. What I'm after is a system function that does
it. I believe it's there I just don't know where to look.

This request is becoming a company standard. It's a huge health
insurance company with about 60,000 employees. They want to
standardize procedures in all offices (good luck!). Anyway, someone
will be coming to scrutinize our security methods and this has to be
one of them. Believe me I wouldn't be doing this if I didn't have to.



Posted by phn@icke-reklam.ipsec.nu on December 6th, 2004


Carol <googlemail2003@yahoo.com> wrote:
Exactly how would that protect against attacks? Employees are known
to be hostile sometimes ..

There is no such "standard".

What's huge with that?
You should not be doing things because some teenager "security officer" says so.
You should be doing things that are "Good for your Health" and in
agreement with "recognised best practices".


Posted by googlemail2003@yahoo.com on December 6th, 2004


Nobody has to come in at 2 am. If a user's account is locked they call
me or someone else with root privileges and we reset their password.

There is an understanding in our office that support is only available
between 7 am and 9 pm weekdays. If they screw up off hours they have
to wait.



Posted by Dave Hinz on December 6th, 2004


On 5 Dec 2004 05:41:20 -0800, Carol <googlemail2003@yahoo.com> wrote:

Then they should spring for an LDAP appliance that supports account locking
with the authentication. LDAP-One is one option.

Dave Hinz

Posted by phn@icke-reklam.ipsec.nu on December 6th, 2004


googlemail2003@yahoo.com wrote:

Did it ever occur to you that your or root's account might be locked out ??


Posted by Bit Twister on December 6th, 2004


On 6 Dec 2004 06:30:09 -0800, googlemail2003@yahoo.com wrote:
So all the attacker does is disable an account with three attempts,
call you and you give him the passwd. Now that is secure.


Posted by Jim Hollenback on December 6th, 2004


phn@icke-reklam.ipsec.nu wrote:
: googlemail2003@yahoo.com wrote:
: > Nobody has to come in at 2 am. If a user's account is locked they call
: > me or someone else with root privelidges and we reset their password.


: Did it ever occur to you that your or root's account might be locked out ??

A properly designed system that employs lockout on accounts will always
allow root to log in on the console. Of course, that might involve a drive in
during a cold snowy or rainy night :-(

--
Jim Hollenback
jholly@cup.hp.com
my opinion.
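The "scan the log and disable the account" approach Michael Vilain sketches, with the root exemption Jim Hollenback calls for, as an added example that is not part of the original thread. The log format (user:tty:timestamp, one line per failed login) is this example's assumption, modelled on the SVR4 loginlog layout; the threshold, the function names and the constructed sample data are its own, and the lock step reuses the '!'-prefix-plus-/bin/false idea from Peter's post, applied to a constructed passwd-style file rather than the real one.

```shell
#!/bin/sh
# Added example (not from the thread): count failed logins per user from a
# login-failure log, report users at or over a threshold, and lock them in a
# passwd-style file, never root. Log lines are assumed to be user:tty:timestamp.

# failed_counts LOG -> "user count" lines, sorted by user
failed_counts() {
    awk -F: '$1 != "" { n[$1]++ } END { for (u in n) print u, n[u] }' "$1" | sort
}

# lockout_candidates LOG THRESHOLD -> users with >= THRESHOLD failures,
# excluding root so the console always stays usable
lockout_candidates() {
    failed_counts "$1" | awk -v t="$2" '$2 >= t && $1 != "root" { print $1 }'
}

# lock_in_passwd PASSWD USER -> prefix hash with '!' and set shell to /bin/false
# (temp file plus rename, so a crash cannot truncate the password file)
lock_in_passwd() {
    tmp="$1.lock.$$"
    awk -F: -v OFS=: -v u="$2" '
        $1 == u { if ($2 !~ /^!/) $2 = "!" $2; $7 = "/bin/false" }
        { print }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# apply_lockouts LOG PASSWD THRESHOLD -> lock each candidate; prints names locked
apply_lockouts() {
    for u in $(lockout_candidates "$1" "$3"); do
        lock_in_passwd "$2" "$u" && echo "$u"
    done
}

# Constructed sample data: alice fails 3 times, bob once, root 3 times
log=$(mktemp); pw=$(mktemp)
cat > "$log" <<'EOF'
alice:/dev/tty01:Mon Dec  6 08:01:10 2004
bob:/dev/tty02:Mon Dec  6 08:02:30 2004
alice:/dev/tty01:Mon Dec  6 08:02:41 2004
root:/dev/console:Mon Dec  6 08:03:00 2004
alice:/dev/tty01:Mon Dec  6 08:03:15 2004
root:/dev/console:Mon Dec  6 08:03:20 2004
root:/dev/console:Mon Dec  6 08:03:25 2004
EOF
printf 'root:AbCd1234efgh:0:0:root:/:/bin/sh\n' > "$pw"
printf 'alice:XyZ98765wvut:100:100:Alice:/home/alice:/bin/ksh\n' >> "$pw"
printf 'bob:QrSt4321mnop:101:100:Bob:/home/bob:/bin/ksh\n' >> "$pw"
apply_lockouts "$log" "$pw" 3   # locks alice only; root is exempt, bob is under threshold
cat "$pw"
rm -f "$log" "$pw"
```

Run from cron against the real log only after confirming the log's actual field layout, and remember the thread's objection: anyone who can reach the login prompt can lock any non-root account with three bad guesses, so the unlock procedure has to verify the caller's identity rather than just hand out a new password.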

