Operating System - HP-UX
Block account in failed attempts

 
SOLVED
Go to solution
Dacosta
Occasional Contributor

Hi:

I need to block accounts in my HP-UX after 6 failed attempts. Is there some file or argument to activate this setting? Maybe in /etc/default/security? And to unblock those accounts after X time?

Thanks,

David Acosta
Pete Randall
Outstanding Contributor

Re: Block account in failed attempts

David,

The latest versions of /etc/default/security have this feature. I checked the man pages for 11iV2:

http://docs.hp.com/en/B2355-90846docs/B2355-90846docs.pdf

As I recall this was not available in earlier versions, but may be available via patch.


Pete
Pete Randall
Outstanding Contributor

Re: Block account in failed attempts

It also shows up in 11iV1 man pages:

http://docs.hp.com/en/B2355-90696/security.4.html


Pete
Bill Hassell
Honored Contributor
Solution

Re: Block account in failed attempts

The only controls for deactivating logins after some number of attempts are with a Trusted System. There is no counter to track failed logins in a standard system. There is a new product that creates an enhanced security database that works without the Trusted System conversion, but it is only available for version 11.23 (11i v2):

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=StdModSecExt

You never want an automatic unblock -- if an account was blocked due to too many tries, a human must make a judgement decision about whether this was some fumble fingers or a possible attack on the system.


Bill Hassell, sysadmin
Pete Randall
Outstanding Contributor

Re: Block account in failed attempts

Hmmmmm, the man page for security says nothing about the system having to be trusted in order to implement the NUMBER_OF_LOGINS_ALLOWED parameter. Many of the other parameters do require that the system be trusted and this is spelled out in the man page.

Must be a mistake in the man page . . . .


Pete
Pete Randall
Outstanding Contributor

Re: Block account in failed attempts

Never mind - I was completely mis-interpreting the meaning of the parameter. I should know better than to think Bill would be wrong!!


Pete
Dacosta
Occasional Contributor

Re: Block account in failed attempts

Hi:

The parameter "NUMBER_OF_LOGINS_ALLOWED" controls the number of logins allowed per user (concurrent logins) but not the failed logins for block accounts... I think that this feature is not implemented yet in HP-UX older than 11.0...

Does somebody know about another tool or "trick" for this?

Thanks,

David
Bill Hassell
Honored Contributor

Re: Block account in failed attempts

NUMBER_OF_LOGINS_ALLOWED actually means how many sessions (login shells) can be started by the same user. For 11.23 (only), the userdb feature AUTH_MAXTRIES can be set up, but I believe that this requires the optional enhanced security product (an alternative to Trusted):

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=StdModSecExt

For a Trusted system, you use SAM to set the system security policies (Auditing --> System Security --> General User policies).


Bill Hassell, sysadmin
Bill Hassell
Honored Contributor

Re: Block account in failed attempts

If your system is not Trusted at 11.00, you'll have to create your own script to monitor lastb results. It will be tricky because lastb reports failed attempts and the date/time but cannot report that a successful login occurred that cancels the previous attempts. So the script would have to look for close attempts, count them and then lock the account using passwd -l for 11.00.

I don't have a 10.20 system to see if it has the -l option for passwd. If not, you'll have to use sed to replace the password field in the locked account with an invalid value. Now I'm not a fan of just stuffing a "*" in the passwd file. It doesn't say very much -- it does disable the login but without a reason. To disable a login in an untrusted system, you simply put any string less than 13 characters in the field. For instance:

LOCKED EXPIRED TERMINATED

are all valid lockout strings. I like to use UPPERCASE so it stands out but lowercase is just as effective.


Bill Hassell, sysadmin
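As an added illustration of the lastb-monitoring approach Bill describes (this is not Bill's script and not an HP-supplied tool), the following POSIX sh/awk example reads lastb-style output, counts failed attempts per user, and reports any account whose attempts cluster within a time window. The sample lastb lines are constructed; the column layout (user, line, optional host, then day, month, date and HH:MM) is an assumption you should check against your own lastb before relying on the field positions, and because lastb prints no year the timestamp arithmetic ignores year boundaries. Locking uses the passwd -l command from the post, but only in dry-run mode unless DRY_RUN=0 is set, so the script is safe to try on a workstation.

```shell
#!/bin/sh
# Added example: find accounts with too many failed logins in lastb output.
# Constructed sample of lastb-style output (format assumed, not real data).
SAMPLE_LASTB='dacosta  pts/1   10.0.0.5   Mon Mar  3 09:01
dacosta  pts/1   10.0.0.5   Mon Mar  3 09:02
dacosta  pts/1   10.0.0.5   Mon Mar  3 09:02
dacosta  pts/1   10.0.0.5   Mon Mar  3 09:03
dacosta  pts/1   10.0.0.5   Mon Mar  3 09:04
dacosta  pts/1   10.0.0.5   Mon Mar  3 09:04
pete     pts/2   10.0.0.9   Mon Mar  3 08:10
pete     pts/2   10.0.0.9   Mon Mar  3 11:45
ops      pts/3   10.0.0.7   Mon Mar  3 07:00
ops      pts/3   10.0.0.7   Mon Mar  3 08:30
ops      pts/3   10.0.0.7   Mon Mar  3 10:00
ops      pts/3   10.0.0.7   Mon Mar  3 11:30
ops      pts/3   10.0.0.7   Mon Mar  3 13:00
ops      pts/3   10.0.0.7   Mon Mar  3 14:30
root     console            Sun Mar  2 23:59
root     console            Mon Mar  3 00:01'

# find_lockouts LIMIT WINDOW_MINUTES
# Reads lastb-style lines on stdin and prints each user who has LIMIT or
# more failed attempts falling inside any WINDOW_MINUTES span, one per line.
find_lockouts() {
    awk -v limit="$1" -v window="$2" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = i
    }
    # Only accept lines whose trailing fields look like "Mon DD HH:MM".
    NF >= 5 && ($(NF-2) in mon) {
        split($NF, hm, ":")
        # Minutes since the (approximate) start of the year; good enough
        # for comparing attempts that are minutes or hours apart.
        t = ((mon[$(NF-2)] * 31 + $(NF-1)) * 24 + hm[1]) * 60 + hm[2]
        n[$1]++
        ts[$1, n[$1]] = t
    }
    END {
        for (u in n) {
            # Insertion sort this user timestamps, oldest first.
            for (i = 2; i <= n[u]; i++) {
                v = ts[u, i]; j = i - 1
                while (j >= 1 && ts[u, j] > v) { ts[u, j + 1] = ts[u, j]; j-- }
                ts[u, j + 1] = v
            }
            # Any run of "limit" consecutive attempts inside the window triggers.
            for (i = 1; i + limit - 1 <= n[u]; i++) {
                if (ts[u, i + limit - 1] - ts[u, i] <= window) { print u; break }
            }
        }
    }'
}

# lock_accounts: reads usernames on stdin and locks each with "passwd -l"
# (the 11.00 command from the post). DRY_RUN defaults to 1 so the script
# only reports what it would do; an operator must opt in to real locking.
lock_accounts() {
    while read -r user; do
        [ -z "$user" ] && continue
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "would run: passwd -l $user"
        else
            passwd -l "$user"
        fi
    done
}

# Demo on the constructed sample: six failures within sixty minutes.
printf '%s\n' "$SAMPLE_LASTB" | find_lockouts 6 60 | sort | lock_accounts
```

In production you would feed it the real command (`lastb | find_lockouts 6 60 | lock_accounts`) from cron and keep the lock permanent, in line with Bill's point that unlocking should be a human decision; the script deliberately has no unlock path. The ops user shows why the window matters: six failures spread over a working day are not the same signal as six within a few minutes.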