VID |
14103 |
Severity |
40 |
Port |
22 |
Protocol |
TCP |
Class |
LSC |
Detailed Description |
Limiting the number of consecutive failed logins an account may accumulate before it is locked slows brute-force and password-guessing attacks and defeats fully automated guessing, which reduces the risk that a password is recovered by an attacker. A lockout threshold also gives an attacker a way to lock legitimate users out by guessing against their accounts, so the lockout should be time-limited (Solaris DISABLETIME, Linux unlock_time) and the handling of root decided deliberately (the Linux example below uses no_magic_root so that root is counted as well).
* Affected platforms: UNIX, Linux |
Recommendation |
Follow the steps below to set the account lockout. The threshold of 5 failed attempts is the value this check expects; a finite lockout window is preferable to a permanent lock so that a lockout attack against a legitimate account clears on its own.
*Solaris
1. Open "/etc/default/login" (RETRIES, DISABLETIME) and "/etc/security/policy.conf" (LOCK_AFTER_RETRIES)
2. Edit or insert as follows
(Before) #RETRIES=2  DISABLETIME=180  LOCK_AFTER_RETRIES=NO
(After)  RETRIES=5   DISABLETIME=1800  LOCK_AFTER_RETRIES=YES
*Linux
1. Open "/etc/pam.d/system-auth"
2. Edit or insert as follows
auth     required  /lib/security/pam_tally.so deny=4 unlock_time=1800 no_magic_root reset
account  required  /lib/security/pam_tally.so no_magic_root reset
Note: pam_tally is the legacy module; it was superseded by pam_tally2 and, on current distributions, by pam_faillock (options deny=, unlock_time= in the PAM line or in /etc/security/faillock.conf). Modern PAM configurations omit the /lib/security/ path prefix and name the module only.
*AIX
1. Open "/etc/security/user"
2. Edit or insert as follows in the default stanza
(Before) loginretries = 0
(After)  loginretries = 5
*HP-UX Trusted Mode
1. Open "/tcb/files/auth/system/default"
2. Edit or insert as follows
(Before) u_maxtries#
(After)  u_maxtries#5
*HP-UX Normal Mode
1. Open "/etc/default/security"
2. Edit or insert as follows
(Before) AUTH_MAXTRIES=0
(After)  AUTH_MAXTRIES=5 |
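As an added example that is not part of this scanner record, the POSIX shell script below audits the settings from the recommendation: it reads the effective (uncommented) value of each lockout key from a config file and judges it against an assumed policy of "between 1 and MAX_FAILURES failed logins, explicitly set". The sample config files, the MAX_FAILURES threshold and the function names are constructed for this illustration; on a real host, point the functions at the paths named above.

```shell
#!/bin/sh
# Audit helper for per-platform account-lockout settings (added example).
# Policy assumption: a setting passes only when it is explicitly set to an
# integer in 1..MAX_FAILURES. Empty (unset/commented out) and 0 (unlimited
# on AIX and HP-UX) both fail.
set -u

MAX_FAILURES=5   # assumed threshold, matching the recommended value above

# effective_value FILE KEY SEP
# Print the value of the last uncommented "KEY<SEP>VALUE" assignment in FILE.
# Accepts the plain "KEY=VALUE" form (Solaris, AIX, HP-UX normal mode) and
# the tcb stanza form ":KEY#VALUE:\" (HP-UX trusted mode) by allowing an
# optional leading colon and stopping the value at whitespace or a colon.
effective_value() {
    file=$1 key=$2 sep=$3
    sed -n "s/^[[:space:]]*:\{0,1\}$key[[:space:]]*$sep[[:space:]]*\([^[:space:]:]*\).*/\1/p" "$file" | tail -n 1
}

# pam_deny FILE
# Print the deny=N threshold from the first uncommented "auth" line that loads
# a pam_*.so module with a deny= option (pam_tally, pam_tally2, pam_faillock).
# pam_faillock may instead carry deny= in /etc/security/faillock.conf, which
# this helper does not read.
pam_deny() {
    sed -n 's/^[[:space:]]*auth[[:space:]].*pam_[a-z0-9]*\.so.*deny=\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# lockout_ok VALUE: succeed only for an integer in 1..MAX_FAILURES.
lockout_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le "$MAX_FAILURES" ]
}

# report LABEL VALUE: one PASS/FAIL line per setting.
report() {
    if lockout_ok "$2"; then echo "PASS $1 ($2)"; else echo "FAIL $1 (${2:-unset})"; fi
}

# Constructed sample files: the "Before"/"After" states from the
# recommendation plus an AIX stanza and a PAM stack.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat >"$WORK/login.before" <<'EOF'
#RETRIES=2
DISABLETIME=180
EOF
cat >"$WORK/login.after" <<'EOF'
RETRIES=5
DISABLETIME=1800
EOF
cat >"$WORK/user.aix" <<'EOF'
default:
        loginretries = 0
        maxage = 0
EOF
cat >"$WORK/tcb.default" <<'EOF'
default:\
        :d_name=default:\
        :u_maxtries#5:\
        :chkent:
EOF
cat >"$WORK/security.hpux" <<'EOF'
AUTH_MAXTRIES=0
EOF
cat >"$WORK/system-auth" <<'EOF'
auth        required      pam_env.so
auth        required      pam_tally.so deny=4 unlock_time=1800 no_magic_root reset
auth        sufficient    pam_unix.so nullok try_first_pass
account     required      pam_tally.so no_magic_root reset
EOF

report "Solaris RETRIES (before)" "$(effective_value "$WORK/login.before" RETRIES =)"
report "Solaris RETRIES (after)"  "$(effective_value "$WORK/login.after" RETRIES =)"
report "AIX loginretries"         "$(effective_value "$WORK/user.aix" loginretries =)"
report "HP-UX tcb u_maxtries"     "$(effective_value "$WORK/tcb.default" u_maxtries '#')"
report "HP-UX AUTH_MAXTRIES"      "$(effective_value "$WORK/security.hpux" AUTH_MAXTRIES =)"
report "Linux PAM deny"           "$(pam_deny "$WORK/system-auth")"
```

The commented-out Solaris RETRIES and the AIX/HP-UX value 0 are the two ways a lockout ends up disabled in practice, which is why the check treats "unset" and "0" as distinct failures rather than falling back to a platform default.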
Related URL (CVE) |
Related URL (SecurityFocus) |
Related URL (ISS) |