How to automatically lock user accounts after x failed login attempts

Hi there,

Could someone point me in the right direction for how to automatically lock user accounts on FreeBSD 11.0-RELEASE-pX after a number of failed login attempts, and optionally to automatically unlock the account again after a specified time?

Many thanks, daz
 
The easiest way is to use security/sshguard. This doesn't actually touch the accounts themselves but does severely hinder those brute-force attacks. Alternatively on 11.0 and higher you can use blacklistd(8). Although I'm still trying to figure out how to actually use it, documentation is rather scarce.
 
Hi SirDice, thanks for the info, but it's not address blocking that we require, as most users will connect from the same IP address!
 
Thanks for the info, but it's not address blocking that we require, as most users will connect from the same IP address!
Ah, yes. That would make blocking IP addresses somewhat problematic.

Instead of blocking an offending IP, have a script change the user's shell.
I would just lock the account.
Code:
     An encrypted password prefixed by `*LOCKED*' means that the account is
     temporarily locked out and no one can log into it using any
     authentication.  For a convenient command-line interface to account
     locking, see pw(8).
Code:
USER LOCKING
     The pw utility supports a simple password locking mechanism for users; it
     works by prepending the string `*LOCKED*' to the beginning of the
     password field in master.passwd to prevent successful authentication.

     The lock and unlock commands take a user name or uid of the account to
     lock or unlock, respectively.  The -V, -C, and -q options as described
     above are accepted by these commands.
 
On Linux, this would be very easy to do using PAM. :) But it seems the OpenPAM implementation on FreeBSD doesn't include any "keep track of failed logins" feature (aka pam_tally). :(

FreeBSD does have login.conf(5) that includes a feature to disable the login after X failures (login-retries), although the man page doesn't explain what, exactly, that means.

You'd probably need to use something like fail2ban and have it call an external script to lock the account via pw(1), then unlock the account at a later date.

Or write a PAM module that does that. Or maybe just port pam_tally over from Linux. :) See this man page for what's possible: http://www.linux-pam.org/Linux-PAM-html/sag-pam_tally2.html Or this site for a description of its use: https://www.tecmint.com/use-pam_tally2-to-lock-and-unlock-ssh-failed-login-attempts/
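
The two approaches above (lock with pw(8) as quoted from the man page, and a fail2ban-style external script that locks and later unlocks) can be combined in one small sh script. The script below is an added example, not code posted in this thread or shipped with FreeBSD: it counts sshd "Failed password for <user>" lines per user name rather than per source IP (the thread's constraint, since everyone shares one address), emits `pw lock` for users over a threshold, records when each lock was made, and emits `pw unlock` once the lock is older than a configurable delay. The names THRESHOLD, LOCK_SECONDS, STATE_DIR and PW_APPLY, and the sample log lines, are assumptions made here; the pw lock/unlock commands themselves are the ones documented above.

```sh
#!/bin/sh
# Added example (not from the thread): lock FreeBSD accounts with pw(8) after
# repeated sshd password failures, and unlock them again after a delay.
# Assumptions (not from the original posts): THRESHOLD, LOCK_SECONDS, STATE_DIR
# and PW_APPLY are names chosen here; the sshd message format is the usual
# "Failed password for <user> from <ip> ..." line found in /var/log/auth.log.
# Commands are only printed unless PW_APPLY=1, so the script runs without root.

THRESHOLD="${THRESHOLD:-5}"
LOCK_SECONDS="${LOCK_SECONDS:-600}"
STATE_DIR="${STATE_DIR:-/var/db/failed-login-lock}"

# Constructed sample log lines for the demo; not real log data.
SAMPLE_LOG='Mar  1 10:00:01 host sshd[1234]: Failed password for alice from 192.0.2.10 port 5001 ssh2
Mar  1 10:00:03 host sshd[1235]: Failed password for alice from 192.0.2.10 port 5002 ssh2
Mar  1 10:00:05 host sshd[1236]: Failed password for bob from 192.0.2.10 port 5003 ssh2
Mar  1 10:00:08 host sshd[1237]: Failed password for alice from 192.0.2.10 port 5004 ssh2
Mar  1 10:00:11 host sshd[1238]: Failed password for alice from 192.0.2.10 port 5005 ssh2
Mar  1 10:00:14 host sshd[1239]: Failed password for invalid user admin from 192.0.2.11 port 5006 ssh2
Mar  1 10:00:17 host sshd[1240]: Failed password for alice from 192.0.2.10 port 5007 ssh2
Mar  1 10:00:20 host sshd[1241]: Accepted password for bob from 192.0.2.10 port 5008 ssh2'

# Reads log text on stdin; prints each user with >= THRESHOLD failed passwords.
# Counting per user, not per source IP, is what the thread asks for, since all
# users share one address. "invalid user" lines are skipped: nothing to lock.
users_over_threshold() {
    awk -v t="$THRESHOLD" '
        /sshd\[[0-9]+\]: Failed password for / && !/ for invalid user / {
            for (i = 1; i <= NF; i++) if ($i == "for") { n[$(i + 1)]++; break }
        }
        END { for (u in n) if (n[u] >= t) print u }
    ' | sort
}

# Runs (or, in dry-run mode, prints) the pw(8) command for one account.
run_pw() {
    if [ "${PW_APPLY:-0}" = 1 ]; then pw "$@"; else echo "pw $*"; fi
}

# Locks one account and records when, so unlock_expired can undo it later.
# Refuses root and any name that is not a plain local user name, so a crafted
# log line cannot smuggle options or shell metacharacters into pw(8).
lock_user() {
    user="$1"
    case "$user" in root|toor) echo "refusing to lock $user" >&2; return 1 ;; esac
    printf '%s\n' "$user" | grep -Eq '^[a-z_][a-z0-9_-]*$' || return 1
    run_pw lock "$user" || return 1
    if [ "${PW_APPLY:-0}" = 1 ]; then
        mkdir -p "$STATE_DIR" && date +%s > "$STATE_DIR/$user"
    fi
}

# Unlocks every account whose lock is older than LOCK_SECONDS (run from cron).
unlock_expired() {
    now=$(date +%s)
    [ -d "$STATE_DIR" ] || return 0
    for f in "$STATE_DIR"/*; do
        [ -f "$f" ] || continue
        user=${f##*/}
        locked_at=$(cat "$f")
        if [ $((now - locked_at)) -ge "$LOCK_SECONDS" ]; then
            run_pw unlock "$user" && rm -f "$f"
        fi
    done
}

# Demo on the constructed log: ./lock-failed.sh demo
if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_LOG" | users_over_threshold | while read -r u; do
        lock_user "$u"
    done
    unlock_expired
fi
```

Two caveats worth keeping in mind. The `*LOCKED*` prefix quoted above blocks every authentication method for the account, so a locked user's SSH keys stop working too, and it only applies to local accounts in master.passwd. And because the script keys on the user name taken from the log, the name is validated before it reaches pw(8); without that, an attacker who controls the login name they type controls part of a root-run command line.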
 
On Linux, this would be very easy to do using PAM. :)
People who came up with PAM should be sentenced to long jail terms. Following Linux PAM lead is one of the most irritating things on FreeBSD. All sane commercial UNIX-es have better alternatives not to mention ypldap daemon of OpenBSD.
 