
Configure unsuccessful logon attempts
Open, Normal, Public, FEATURE REQUEST

Description

Add the ability to detect when a defined number of unsuccessful authentication attempts occurs and take some corrective action.
There is at least one user account that cannot be disabled.
FIA_AFL.1
We can use pam_faillock for it.
https://manpages.debian.org/bullseye/libpam-modules/pam_faillock.8.en.html
https://manpages.debian.org/bullseye/libpam-modules/faillock.conf.5.en.html

Details

Difficulty level: Unknown (require assessment)
Version: 1.4
Why the issue appeared? Will be filled on close
Is it a breaking change? Unspecified (possibly destroys the router)
Issue type: Unspecified (please specify)

Related Objects

Status       Subtype          Assigned    Task
In progress  FEATURE REQUEST  Viacheslav
Open         FEATURE REQUEST  None

Event Timeline

Viacheslav changed Version from - to 1.4.

Tested with the following configuration:

vyos@r14:~$ sudo cat /etc/pam.d/common-auth 
auth  required      pam_env.so
auth  required      pam_faillock.so preauth silent audit deny=3 unlock_time=300
auth  sufficient    pam_unix.so  nullok  try_first_pass
auth  [default=die] pam_faillock.so  authfail  audit  deny=3  unlock_time=300
auth  requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth  required      pam_deny.so
vyos@r14:~$
vyos@r14:~$ sudo faillock --user foo
foo:
When                Type  Source                                           Valid
2022-10-18 12:11:34 RHOST 192.168.122.1                                        V
2022-10-18 12:11:36 RHOST 192.168.122.1                                        V
2022-10-18 12:11:38 RHOST 192.168.122.1                                        V
vyos@r14:~$
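Added example, not part of the task and not VyOS or pam_faillock code: a Python check that lints the common-auth stack quoted in the comment above (preauth before pam_unix.so, authfail after it, matching options, and something that clears the tally on a successful login) and that reads the `faillock --user foo` output to decide whether, and until when, the account is locked under deny=3 / unlock_time=300. The helper names (split_pam_line, audit_pam_stack, ts, parse_faillock, lock_state), the simplified lock model in lock_state and the embedded sample input are assumptions; the sample input is a constructed copy of what the comment shows.

```python
"""Added example (not VyOS project or pam_faillock code): lint the common-auth
stack posted above and work out from `faillock --user` output whether the
account is locked. Helper names, the simplified lock model and the embedded
sample input are assumptions."""
from datetime import datetime, timedelta

# Constructed input: the common-auth stack quoted in the task.
COMMON_AUTH = """\
auth  required      pam_env.so
auth  required      pam_faillock.so preauth silent audit deny=3 unlock_time=300
auth  sufficient    pam_unix.so  nullok  try_first_pass
auth  [default=die] pam_faillock.so  authfail  audit  deny=3  unlock_time=300
auth  requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth  required      pam_deny.so
"""

# Constructed input: the `faillock --user foo` output quoted in the task.
FAILLOCK_OUTPUT = """\
foo:
When                Type  Source                                           Valid
2022-10-18 12:11:34 RHOST 192.168.122.1                                        V
2022-10-18 12:11:36 RHOST 192.168.122.1                                        V
2022-10-18 12:11:38 RHOST 192.168.122.1                                        V
"""

def split_pam_line(line):
    """(phase, control, module, args) for one PAM line, None for blanks/comments.
    Bracketed controls such as '[success=1 default=bad]' contain spaces."""
    toks = line.split()
    if len(toks) < 3 or toks[0].startswith("#"):
        return None
    if toks[1].startswith("["):
        end = next(i for i, t in enumerate(toks) if t.endswith("]"))
        control, rest = " ".join(toks[1:end + 1]), toks[end + 1:]
    else:
        control, rest = toks[1], toks[2:]
    return toks[0], control, rest[0], rest[1:]

def audit_pam_stack(text):
    """Return findings for an auth stack; an empty list means it looks sane."""
    stages, unix_control, unix_idx = {}, None, None
    for idx, line in enumerate(text.splitlines()):
        parsed = split_pam_line(line)
        if parsed is None:
            continue
        phase, control, module, args = parsed
        if phase == "auth" and module == "pam_faillock.so":
            opts = {k: v for k, _, v in (a.partition("=") for a in args) if v}
            for stage in ("preauth", "authfail", "authsucc"):
                if stage in args:
                    stages[stage] = (idx, opts)
        elif phase == "auth" and module == "pam_unix.so":
            unix_control, unix_idx = control, idx
        elif phase == "account" and module == "pam_faillock.so":
            stages["account"] = (idx, {})
    if "preauth" not in stages or "authfail" not in stages:
        return ["pam_faillock needs both a preauth and an authfail line"]
    findings = []
    if unix_idx is None or not stages["preauth"][0] < unix_idx < stages["authfail"][0]:
        findings.append("preauth must precede pam_unix.so and authfail must follow it")
    if stages["preauth"][1] != stages["authfail"][1]:
        findings.append("preauth and authfail carry different deny/unlock_time options")
    if "authsucc" not in stages and "account" not in stages:
        findings.append("nothing clears the tally on success (no authsucc line and no "
                        "account-phase pam_faillock in this stack): failures only expire "
                        "via fail_interval/unlock_time or 'faillock --user NAME --reset'")
    elif "authsucc" in stages and unix_control == "sufficient":
        findings.append("pam_unix.so is 'sufficient', so a successful password never "
                        "reaches authsucc; use a control that skips only authfail, "
                        "e.g. [success=1 default=bad]")
    return findings

def ts(text):
    """Parse a 'YYYY-MM-DD HH:MM:SS' timestamp as printed by faillock."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def parse_faillock(text):
    """Parse `faillock --user NAME` output into (user, [(when, type, source, valid)])."""
    lines = text.splitlines()
    user, records = lines[0].rstrip(":"), []
    for line in lines[2:]:  # skip the 'When Type Source Valid' header
        toks = line.split()
        if len(toks) == 5:
            records.append((ts(f"{toks[0]} {toks[1]}"), toks[2], toks[3], toks[4] == "V"))
    return user, records

def lock_state(records, now, deny=3, unlock_time=300, fail_interval=900):
    """Simplified model (assumption) of pam_faillock: count valid failures within
    fail_interval of the latest one; at deny or more the account is locked until
    latest + unlock_time. Returns (locked, unlock_at)."""
    valid = [when for when, _, _, ok in records if ok]
    if not valid:
        return False, None
    latest = max(valid)
    recent = [w for w in valid if latest - w <= timedelta(seconds=fail_interval)]
    if len(recent) < deny:
        return False, None
    unlock_at = latest + timedelta(seconds=unlock_time)
    return now < unlock_at, unlock_at
```

Against the quoted stack the lint reports one finding: the stack has no authsucc line (and the account phase is not shown), so a successful login never clears the tally and failures keep counting until fail_interval/unlock_time expires or an administrator runs `faillock --user NAME --reset`. The three failures at 12:11:34-12:11:38 reach deny=3, so the model reports the account locked until 12:16:38. Two caveats for the "account that cannot be disabled" requirement in the description: pam_faillock leaves root alone unless even_deny_root is set (see faillock.conf(5)), and the pam_succeed_if line in the posted stack runs only after faillock has already tallied the failure, so it does not exempt anyone from lockout.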