Spec 2.7 Lock the user that fails to log in for three consecutive times.
Description: Lock an account after three consecutive failed logins within five minutes and unlock it automatically 15 minutes later. Many failed logins in a short period are a typical sign of brute-force password guessing.
Implementation guide:
Add the following lines to the /etc/pam.d/login file. Note that pam_tally counts and checks failures in its auth component and only resets the counter in its account component, so deny= must be on an auth entry; an account entry for pam_tally merely clears the counter after a successful login:
auth required /lib/security/pam_tally.so onerr=fail deny=3 no-magic-root
account required /lib/security/pam_tally.so no-magic-root
Caveats: pam_tally has no automatic unlock; a locked counter stays set until an administrator resets it (for example "faillog -r -u <user>" or "pam_tally --user <user> --reset"). pam_tally2 adds unlock_time=900 to release the lock after 15 minutes, but neither module restricts the count to failures within a five-minute window.
Location in the SEK tool: Accounts and Password -> Password life time (SEC.LNX.UP.006) -> Password complexity (SEC.LNX.UP.004) -> Password retries (3-10)
Accounts and Password -> Password life time (SEC.LNX.UP.006) -> Password complexity (SEC.LNX.UP.004) -> Login limit (SEC.LNX.UP.003)
Security level: medium
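The following script is an added example and is not part of the original spec or of the SEK tool. It audits a PAM service file for a pam_tally/pam_tally2 lockout rule that meets Spec 2.7: a non-comment auth line loading the module with deny=3 or lower. The three configuration files it writes are constructed for the demonstration (a hardened file, one with too high a threshold, and one that carries deny=3 on an account line only); on a real host you would point the checks at /etc/pam.d/login or the common-auth file it includes. The function names pam_lockout_deny and pam_lockout_compliant are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original spec or the SEK tool: audit a PAM
# service file for a pam_tally/pam_tally2 lockout rule that satisfies Spec 2.7.
# The three config files below are constructed for the demo; on a real host
# point the checks at /etc/pam.d/login (or the common-auth file it includes).

TMPD=$(mktemp -d)
HARD_CFG="$TMPD/login.hardened"       # counting and deny on an auth line
WEAK_CFG="$TMPD/login.weak"           # threshold too high
SPEC_CFG="$TMPD/login.account-only"   # deny= on an account line only

cat > "$HARD_CFG" <<'EOF'
#%PAM-1.0
auth       required     pam_securetty.so
auth       required     /lib/security/pam_tally.so onerr=fail deny=3 no-magic-root
auth       include      system-auth
account    required     /lib/security/pam_tally.so no-magic-root
account    include      system-auth
EOF

cat > "$WEAK_CFG" <<'EOF'
auth       required     pam_tally2.so onerr=fail deny=10 unlock_time=900
auth       include      system-auth
account    required     pam_tally2.so
EOF

cat > "$SPEC_CFG" <<'EOF'
auth       include      system-auth
# pam_tally's account component only resets the counter; this line never denies
account    required     /lib/security/pam_tally.so deny=3 no-magic-root
EOF

# pam_lockout_deny FILE
#   Print the deny=N value from the first non-comment 'auth' line that loads
#   pam_tally.so or pam_tally2.so; print nothing when there is none.
pam_lockout_deny() {
    grep -v '^[[:space:]]*#' "$1" | awk '
        $1 == "auth" && $3 ~ /pam_tally2?\.so$/ {
            for (i = 4; i <= NF; i++)
                if ($i ~ /^deny=[0-9]+$/) { sub(/^deny=/, "", $i); print $i; exit }
        }'
}

# pam_lockout_compliant FILE
#   Succeed (exit 0) only if FILE locks the account after at most 3 failures.
pam_lockout_compliant() {
    deny=$(pam_lockout_deny "$1")
    [ -n "$deny" ] && [ "$deny" -le 3 ]
}

for f in "$HARD_CFG" "$WEAK_CFG" "$SPEC_CFG"; do
    if pam_lockout_compliant "$f"; then
        echo "$f: compliant (deny=$(pam_lockout_deny "$f"))"
    else
        echo "$f: NOT compliant (no auth line with deny<=3)"
    fi
done
```

The account-only sample is reported as non-compliant on purpose: with pam_tally the failure counter is never compared against deny= during authentication unless the module is also listed as an auth entry, so a file containing only the account line leaves the lockout inactive even though the text "deny=3" appears in it.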
Answer:
1. "Password life time" - This policy can be used to set the number of days after which the password will expire.
2. Password Complexity [Password retries]: This parameter decides the number of times a user can enter the wrong password while changing the password.
E.g.: I added a new user "test" and executed the policy "Password complexity" with the "Password retries" parameter = 5.
3. System Authentication > Limit Login retries: For example, if we configure this policy as 3, then after three attempts with an incorrect password the session will drop.
4. Accounts and password > Login Limit: This policy has some connection with the previous policy [Limit Login retries]. If we execute the policy "Login Limit" by selecting "yes", then the user who tried with an incorrect password will be locked.
For the above spec, the appropriate policy will be "System Authentication > Limit Login retries".
Note: There is no policy in SEK which will unlock the account 15 minutes later.