Guided Exercise: Limiting Access after Failed Logins

Implement restrictions that cause accounts to lock automatically after a specified number of failed logins, test the restriction, and use administrative tools to manually unlock locked accounts.

Outcomes

  • Configure the pam_faillock module to lock accounts after a set number of failed logins.

  • Test the locking operation.

  • Manually unlock a locked account.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available.

[student@workstation ~]$ lab start pam-limiting

Instructions

  1. Edit the /etc/security/faillock.conf configuration file on the serverc machine to set a limit of five failed attempts in a 15-minute (900-second) interval. Configure the locked accounts to automatically unlock after 15 minutes (900 seconds). Do not apply account locking to the root account.

    1. Log in to the serverc machine as the student user. No password is required.

      [student@workstation ~]$ ssh student@serverc
      [student@serverc ~]$
    2. Use the sudo -i command to switch your identity to the root user. Use student as the password.

      [student@serverc ~]$ sudo -i
      [sudo] password for student: student
      [root@serverc ~]#
    3. Use a text editor to modify the /etc/security/faillock.conf configuration file to lock accounts after five failed login attempts, and to unlock after 15 minutes (900 seconds). Read through the options in the file to know what each line modifies. Uncomment and modify the lines to match the following parameters:

      deny = 5
      unlock_time = 900
    4. Use the authselect select minimal with-faillock command to apply the minimal authselect profile with the with-faillock option.

      [root@serverc ~]# authselect select minimal with-faillock
      ...output omitted...
      Profile "minimal" was selected.
      ...output omitted...
  2. Verify that the operator2 account locks after five failed login attempts by using the ssh operator2@localhost command. Enter an incorrect password at least five times before attempting to use the correct redhat password.

    1. Use the ssh operator2@localhost command to fail to log in, by using an incorrect password. Because the ssh command prompts for a password only three times, run the command again after the first three incorrect attempts.

      [root@serverc ~]# ssh operator2@localhost
      ...output omitted...
      operator2@localhost's password: wrongpass1
      Permission denied, please try again.
      operator2@localhost's password: wrongpass2
      Permission denied, please try again.
      operator2@localhost's password: wrongpass3
      Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
      [root@serverc ~]# ssh operator2@localhost
      operator2@localhost's password: wrongpass4
      Permission denied, please try again.
      operator2@localhost's password: wrongpass5
      Permission denied, please try again.
      operator2@localhost's password: wrongpass6
      Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
    2. Confirm that the operator2 account is locked by attempting to use the ssh operator2@localhost command with the correct redhat password.

      [root@serverc ~]# ssh operator2@localhost
      operator2@localhost's password: redhat
      Permission denied, please try again.
      operator2@localhost's password: redhat
      Permission denied, please try again.
      operator2@localhost's password: redhat
      Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
    3. Use the faillock --user operator2 command to list the invalid login attempts.

      [root@serverc ~]# faillock --user operator2
      operator2:
      When                Type  Source                                 Valid
      2018-07-12 18:42:22 RHOST localhost                                  V
      2018-07-12 18:42:25 RHOST localhost                                  V
      2018-07-12 18:42:29 RHOST localhost                                  V
      2018-07-12 18:42:35 RHOST localhost                                  V
      2018-07-12 18:42:40 RHOST localhost                                  V

      Because you configured pam_faillock to lock accounts after five failed attempts, the operator2 account is now locked.
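The two checks above can also be scripted. The following is an added example, not part of the Red Hat exercise: one helper applies a faillock.conf key the way step 1 does by hand, and another reads the faillock --user output format from step 2 and reports whether the valid tally has reached the deny value. It assumes sed -E and POSIX awk; the sample tally is constructed, not captured from serverc.

```shell
#!/bin/sh
# Added example, not from the Red Hat exercise: shell helpers for step 1
# (set a faillock.conf key without hand-editing) and step 2 (decide from
# "faillock --user" output whether an account has reached the deny limit).
# Assumes sed -E and POSIX awk; the samples below are constructed.

# set_faillock_option FILE KEY VALUE
# Rewrites a "key = x" line, uncommenting it if it is "# key = x"; appends
# the key when the file has no such line. Keys are anchored, so "deny"
# does not touch "even_deny_root".
set_faillock_option() {
  file=$1 key=$2 value=$3
  pat="^[[:space:]]*#?[[:space:]]*${key}[[:space:]]*="
  if grep -Eq "$pat" "$file"; then
    sed -E "s/${pat}.*/${key} = ${value}/" "$file" > "$file.tmp" &&
      mv "$file.tmp" "$file"
  else
    printf '%s = %s\n' "$key" "$value" >> "$file"
  fi
}

# faillock_valid_count: reads faillock --user output on stdin and prints how
# many tally entries are still valid (last column V). The "user:" line, the
# header and entries flagged I (invalid) are not counted.
faillock_valid_count() {
  awk '$1 ~ /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]$/ && $NF == "V" { n++ }
       END { print n + 0 }'
}

# faillock_is_locked DENY: succeeds when the valid tally on stdin has reached
# the configured deny value, i.e. the next login will be refused.
faillock_is_locked() {
  [ "$(faillock_valid_count)" -ge "$1" ]
}

# Constructed samples in the format shown in the exercise: five valid RHOST
# entries (locked at deny = 5), and two valid plus one invalid entry (not).
SAMPLE_LOCKED='operator2:
When                Type  Source                                 Valid
2018-07-12 18:42:22 RHOST localhost                                  V
2018-07-12 18:42:25 RHOST localhost                                  V
2018-07-12 18:42:29 RHOST localhost                                  V
2018-07-12 18:42:35 RHOST localhost                                  V
2018-07-12 18:42:40 RHOST localhost                                  V'
SAMPLE_OPEN='operator2:
When                Type  Source                                 Valid
2018-07-12 18:20:01 RHOST localhost                                  I
2018-07-12 18:42:22 RHOST localhost                                  V
2018-07-12 18:42:25 RHOST localhost                                  V'
```

Run `faillock --user operator2 | faillock_is_locked 5` on serverc after sourcing the file to reproduce the check from step 2 without counting lines by eye.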

  3. Unlock the operator2 account and confirm that the user can log in again.

    1. Use the faillock --user operator2 --reset command to unlock the account.

      [root@serverc ~]# faillock --user operator2 --reset
      [root@serverc ~]#
    2. Use the faillock --user operator2 command to confirm that the account is unlocked.

      [root@serverc ~]# faillock --user operator2
      operator2:
      When                Type  Source                                 Valid
    3. Log in as the operator2 user by using the ssh operator2@localhost command with the correct redhat password. Log out of the operator2 session when done.

      [root@serverc ~]# ssh operator2@localhost
      operator2@localhost's password: redhat
      ...output omitted...
      Last failed login: Fri Oct  6 18:52:52 EDT 2023 from ::1 on ssh:notty
      There were 8 failed login attempts since the last successful login.
      ...output omitted...
      [operator2@serverc ~]$ logout
      [root@serverc ~]#
    4. Return to the workstation machine.

      [root@serverc ~]# logout
      [student@serverc ~]$ logout
      [student@workstation ~]$

Finish

On the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish pam-limiting

Revision: rh415-9.2-a821299