Wednesday, August 17, 2011

Linux password policy

Linux password lockout policy can be configured using PAM "Pluggable Authentication Modules" to lock a user’s account temporarily if they attempt to bruteforce into an account by trying various password combinations. This configuration uses the pam_tally2.so module. Bruteforce hacking is a method to find a user’s password by trying to login with various password combinations. By having a password lockout policy such users can be locked out of their account if a certain number of incorrect passwords are entered. While trying this tutorial in your system make sure you have the file /lib/security/pam_tally2.so if it isn’t there trying this out will lock all user accounts even if you enter the correct password.
Using a text editor open the following file
/etc/pam.d/system-auth
add the following text to the second line.
auth required pam_tall2.so deny=3 unlock_time=3600
The above statement will lock an user account if incorrect passwords are entered three or more times as specified in the deny option. The account will be unlocked after 3600 seconds as specified in the unlock_time option. Choose the number of incorrect attempts and unlock time wisely. There is also another option which will enforce this policy for the root user.
auth required pam_tall2.so deny=3 unlock_time=3600 even_deny_root
The even_deny_root will lockout the root user also. So use this option with caution. After this is done add another line in the account section in the same file
account required pam_tally2.so
Save the /etc/pam.d/system-auth file, before testing your configuration open another terminal and try to login as any user with a CORRECT password, if you’re unable to login at this stage there is something wrong with the /etc/pam.d/system-auth file. If you’re able to login successfully try by logging in using the correct username and wrong password. Each time you try execute the following command as root to find the number of authentication failure attempts.
pam_tally2
or
pam_tally2 -u username
to see information regarding a specific user (Replace username with the actual user).
If you enter the incorrect password for certain number of times the following message will appear as soon as the username is entered
Account locked due to 4 failed login attempts
To manually unlock the account before the unlock_time use the following command
pam_tally2 -u username -r
A more conservative usage of the above command is to deduct the number of times the user has logged in unsuccessfully. For example, if the password retries is 3 and user Alice has tried logging in with an incorrect password 4 times, using the above command to unlock the account will give another 3 tries for the username Alice which might give more attempts for a potential hacker. Instead the incorrect attempts counter value can be set to 2 so that Alice has just one more attempt.
pam_tally2 -u username --reset=2
will set the incorrect password counter for the user to 2.
In case the root user is locked out and you immediately need to login as root, boot your system into single user mode and execute the following command.
pam_tally2 -u root -r