Page MenuHomeVyOS Platform
Create Task
Maniphest T4755

Configure unsuccessful logon attempts
Open, NormalPublicFEATURE REQUEST
Actions

Description

Add the ability to detect when a defined number of unsuccessful authentication attempts occurs and take some corrective action.
There is at least one user account that cannot be disabled.
FIA_AFL.1
We can use pam_faillock for it
https://manpages.debian.org/bullseye/libpam-modules/pam_faillock.8.en.html
https://manpages.debian.org/bullseye/libpam-modules/faillock.conf.5.en.html

Details

Version
1.4
Is it a breaking change?
Perfectly compatible
Issue type
Feature (new functionality)

Related Objects
Search...

StatusSubtypeAssignedTask
In progressFEATURE REQUESTNoneT4712 Collaborative Protection Profile cPP for Network Devices root task
OpenFEATURE REQUESTNoneT4755 Configure unsuccessful logon attempts

Event Timeline

Viacheslav created this task.Oct 17 2022, 10:03 AM
Viacheslav updated the task description. (Show Details)Oct 17 2022, 10:30 AM
Viacheslav changed Version from - to 1.4.
Viacheslav added a comment.Oct 18 2022, 9:15 AM

Tested with next configuration:

vyos@r14:~$ sudo cat /etc/pam.d/common-auth 
auth  required      pam_env.so
auth  required      pam_faillock.so preauth silent audit deny=3 unlock_time=300
auth  sufficient    pam_unix.so  nullok  try_first_pass
auth  [default=die] pam_faillock.so  authfail  audit  deny=3  unlock_time=300
auth  requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth  required      pam_deny.so
vyos@r14:~$
vyos@r14:~$ sudo faillock --user foo
foo:
When                Type  Source                                           Valid
2022-10-18 12:11:34 RHOST 192.168.122.1                                        V
2022-10-18 12:11:36 RHOST 192.168.122.1                                        V
2022-10-18 12:11:38 RHOST 192.168.122.1                                        V
vyos@r14:~$
eronlloyd subscribed.Jul 11 2023, 1:38 AM
Viacheslav triaged this task as Normal priority.Jan 20 2024, 11:09 AM
syncer edited projects, added VyOS 1.4 Sagitta (1.4.0-GA); removed VyOS 1.4 Sagitta.May 7 2024, 8:03 AM
dmbaturin added a project: Restricted Project.Sep 16 2024, 4:16 PM
dmbaturin edited projects, added VyOS Rolling; removed Restricted Project, VyOS 1.4 Sagitta (1.4.0-GA).Oct 14 2024, 9:25 AM
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
dmbaturin changed Issue type from Unspecified (please specify) to Feature (new functionality).
syncer moved this task from Need Triage to Backlog - Feature Requests on the VyOS Rolling board.Oct 30 2024, 1:52 PM