PaulDotCom mailing list archives
ESX Password Lockout Policies
From: gbugbear at gmail.com (Tim Mugherini)
Date: Fri, 18 Sep 2009 12:22:03 -0400
After chatting with Carlos and Mick about VMWare & ESX account lockout policies (or lack thereof) during the pre-show last night, I thought I would start an email string here. Carlos had mentioned something last night about integration with AD policies. A while back someone had popped this into the IRC channel (Carlos, I think it was you actually):

http://blog.securitywhole.com/2009/09/01/brute-force-esx-usernamepassword.aspx

So some sysadmins here came up with the following for the ESX console (warning: have not tested yet).

------------------
To configure the ESX service console to disable the account after three unsuccessful login attempts, add the following lines to /etc/pam.d/system-auth:

    auth required /lib/security/pam_tally.so no_magic_root
    account required /lib/security/pam_tally.so deny=3 no_magic_root

To create the file for logging failed login attempts, execute the following commands:

    touch /var/log/faillog
    chown root:root /var/log/faillog
    chmod 600 /var/log/faillog
-------------------

Of course a major disadvantage here would be DDOS by locking out any built-in accounts, so a more robust solution would be desired. Thoughts? Might make an interesting blog post ;)

Thanks
Tim
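The lockout concern raised above (an attacker can lock out built-in accounts simply by failing three times) is one reason to pair, or replace, the pam_tally deny=3 rule with monitoring that reports which accounts are hitting the threshold. The script below is an added example, not part of Tim's post or of ESX itself: it counts failed service-console logins per account from standard OpenSSH "Failed password" lines fed on stdin. The sample lines are constructed, and the assumption that such lines come from /var/log/messages or /var/log/secure on the service console is not something the post states.

```shell
#!/bin/sh
# Added example (not from the original post): count failed service-console
# logins per account from sshd log lines on stdin and report any account that
# has reached the same threshold as the pam_tally deny=3 setting.
# Assumption: standard OpenSSH "Failed password" lines, as they would appear in
# /var/log/messages or /var/log/secure on the ESX service console.

# Constructed sample lines, not captured from a real host.
SAMPLE_LOG='Sep 18 12:01:03 esx01 sshd[2201]: Failed password for root from 192.0.2.10 port 40122 ssh2
Sep 18 12:01:05 esx01 sshd[2201]: Failed password for root from 192.0.2.10 port 40122 ssh2
Sep 18 12:01:09 esx01 sshd[2204]: Failed password for invalid user admin from 192.0.2.10 port 40130 ssh2
Sep 18 12:01:12 esx01 sshd[2206]: Failed password for root from 192.0.2.11 port 51002 ssh2
Sep 18 12:02:40 esx01 sshd[2210]: Accepted password for vmadmin from 198.51.100.7 port 33210 ssh2
Sep 18 12:03:01 esx01 sshd[2212]: Failed password for vmadmin from 198.51.100.7 port 33214 ssh2'

# failed_logins_over THRESHOLD
# Reads log lines on stdin; prints "account count" for every account whose
# failed-login count is >= THRESHOLD, one per line, sorted by account name.
failed_logins_over() {
  awk -v threshold="$1" '
    /sshd\[[0-9]+\]: Failed password for / {
      # Two shapes: "... for root from ..." and "... for invalid user admin from ..."
      for (i = 1; i <= NF; i++) {
        if ($i == "for") {
          user = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1)
          break
        }
      }
      fails[user]++
    }
    END {
      for (user in fails)
        if (fails[user] >= threshold) print user, fails[user]
    }' | sort
}

# Same threshold as deny=3: with the sample above this reports "root 3",
# i.e. the account pam_tally would have disabled, before any lockout is enforced.
printf '%s\n' "$SAMPLE_LOG" | failed_logins_over 3
```

Run it against a real log with something like `failed_logins_over 3 < /var/log/secure` (path assumed); lowering the threshold to 1 lists every account that has had any failure at all.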
Current thread:
- ESX Password Lockout Policies Tim Mugherini (Sep 18)
- ESX Password Lockout Policies Ben Greenfield (Sep 21)
- ESX Password Lockout Policies Carlos Perez (Sep 21)
- ESX Password Lockout Policies Tim Mugherini (Sep 22)
- ESX Password Lockout Policies Carlos Perez (Sep 21)
- ESX Password Lockout Policies Ben Greenfield (Sep 21)