VMware Cloud Community
hishivahere
Contributor

How do I lock out a user after a set number of login attempts in ESX Server

How do I lock out a user after a set number of login attempts in ESX Server?

Can we do it for the root user?

I am able to do it for other users but not for the root user.

I am using the commands

faillog -u username -r 0

faillog -u username -m 3 (set max failures to 3)

When I tried to log in with the wrong password 3 times and then tried connecting using PuTTY with that user, I was unable to connect.

But I am unable to do the same using the root user.

Can anyone help?

Some helpful links

http://osana.blogspot.com/2007/02/how-do-i-lock-out-user-after-set-number.html

http://get-admin.com/blog/?p=328

Regards

Neela

0 Kudos
5 Replies
Cameron2007
Hot Shot

There are some details on how to lock out users on this post.

http://communities.vmware.com/message/1031352

0 Kudos
bugeyemonster
Enthusiast

The root user should not be able to log on via ssh anyway. As far as I know, locking out the root user is not possible, but it is possible to keep root from authenticating remotely.

0 Kudos
hishivahere
Contributor

We have an application which connects to the ESX server by getting the credentials from some persistent storage.

But if someone changes the password for the ESX server and does not update the persistent storage, then the application keeps trying to connect with wrong passwords.

I just want to know if any policies get set in the ESX server in the field to lock out after a set number of login failures happen, so that I can handle it accordingly in my application.

Regards

Neela

0 Kudos
Cameron2007
Hot Shot

Powerpassword is a product that you might want to check out for this.

http://www.symark.com/products/ppoverview.html

0 Kudos
Texiwill
Leadership

Hello,

You do not want a 3rd party application directly accessing root. Nor do you ever want to lock out 'root'. If you lock out root you can cause havoc with the system; first, you will not be able to log in to change the password. So the only way is to literally reboot the system and enter single user mode, if you have not secured that. So basically this is NOT suggested.

It is better to have your program use a non-root account, then you can implement pam_tally.... Also, your program COULD detect login failures itself instead of counting on ESX to do it for you.


Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
Blue Gears and SearchVMware Pro Blogs -- Top Virtualization Security Links -- Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
0 Kudos
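The last reply's suggestion that the program detect login failures itself, as an added example that is not code from the thread or from VMware: a client-side guard that stops sending a stored password once the host has rejected it a set number of times, and resumes only when the stored password changes. The names `LoginGuard`, `AuthFailure` and `CredentialsSuspended`, the host `esx01.example`, the account `svc_app` and the `connect` callable are assumptions made for illustration.

```python
import hashlib
import hmac
import os

class AuthFailure(Exception):
    """Raised by the caller's connect function when the host rejects the password."""

class CredentialsSuspended(Exception):
    """The stored password was rejected too often; no further attempts are sent."""

class LoginGuard:
    def __init__(self, max_failures=2):
        # Stay below the server-side limit (the thread sets `faillog -m 3`).
        self.max_failures = max_failures
        self._key = os.urandom(32)
        self._state = {}  # (host, user) -> [password fingerprint, failure count]

    def login(self, connect, host, user, password):
        # Keyed hash, so the guard never stores the password itself.
        fp = hmac.new(self._key, password.encode(), hashlib.sha256).digest()
        entry = self._state.get((host, user))
        if entry is None or not hmac.compare_digest(entry[0], fp):
            entry = self._state[(host, user)] = [fp, 0]  # new or updated password
        if entry[1] >= self.max_failures:
            raise CredentialsSuspended(f"{user}@{host}: update the stored password")
        try:
            session = connect(host, user, password)
        except AuthFailure:
            entry[1] += 1  # only rejections count; network errors pass through
            raise
        entry[1] = 0  # a successful login clears the counter
        return session

def demo():
    """Constructed stand-in for the host: it accepts only 'new-secret'."""
    sent = []
    def connect(host, user, password):
        sent.append(password)
        if password != "new-secret":
            raise AuthFailure(user)
        return "session"
    guard = LoginGuard(max_failures=2)
    for _ in range(5):  # the application keeps retrying with the stale password
        try:
            guard.login(connect, "esx01.example", "svc_app", "old-secret")
        except (AuthFailure, CredentialsSuspended):
            pass
    ok = guard.login(connect, "esx01.example", "svc_app", "new-secret")
    return sent, ok  # sent lists every password that actually reached the host
```

In the demo only two of the five stale attempts reach the host, so an account limited with `faillog -m 3` is not locked by the application's own retries.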