Re: ftp/sftp user account lockout threshold

Johan Booysen wrote:
> Bill,
>
> Firstly, something I don't quite understand is where on that page the
> author says:
>
> "The no_magic_root option ensures that accounts with a UID of 0 are
> tallied. You can change this option to magic_root to reverse this
> behaviour."
>
> Does this mean that the root account will potentially be locked out?

No. It simply allows me to keep an eye on failed su's to root the way I keep track of other users failed attempts to log in.

> Surely not, but I don't understand what the no_magic_root/magic_root
> would then do.
>
> Also, the author says:
>
> The last option, per_user, allows you to exclude accounts from locking
> if the accounts have a maximum login failure set explicitly. This
> exclusion of accounts allows you to specify some accounts that won't be
> locked and thus prevent them being the target of a potential Denial of
> Service attack. I recommend you exclude any accounts whose disablement
> will cause availability issues for applications or databases, for
> example the user account that runs a database process. Account exclusion
> are specified using the faillog command:
>
> # faillog -u mysql -m -1
>
> What are your views on doing this for all service accounts?

I don't worry about it. ssh is the only way into my system remotely, and I only allow a very limited range of IP numbers to even get a login prompt, and those are restricted to only certain valid user accounts.

>
> Thanks again.
>
> Johan
>

-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list