After chatting with Carlos and Mick about VMware & ESX account lockout policies (or lack thereof) during the pre-show last night, I thought I would start an email string here. Carlos had mentioned something last night about integration with AD policies. A while back someone had popped this into the IRC channel (Carlos, I think it was you actually):

http://blog.securitywhole.com/2009/09/01/brute-force-esx-usernamepassword.aspx

So some sysadmins here came up with the following for the ESX console (warning: have not tested yet).

------------------
To configure the ESX service console to disable the account after three unsuccessful login attempts, add the following lines to /etc/pam.d/system-auth:

    auth required /lib/security/pam_tally.so no_magic_root
    account required /lib/security/pam_tally.so deny=3 no_magic_root

To create the file for logging failed login attempts, execute the following commands:

    touch /var/log/faillog
    chown root:root /var/log/faillog
    chmod 600 /var/log/faillog
-------------------

Of course a major disadvantage here would be DDOS by locking out any built-in accounts, so a more robust solution would be desired.

Thoughts? Might make an interesting blog post ;)

Thanks
Tim
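The pam_tally procedure above, packaged as a script that can be exercised on a scratch copy of the PAM stack before it touches a live service console. This is an added example written for this thread, not code from the original post or from VMware: the functions take file paths as arguments, insert the pam_tally lines ahead of the existing auth and account entries (so the counter is consulted before pam_unix decides), skip the insert if the file already references pam_tally, and create the faillog with the 0600 mode from the post. The `unlock_time=900` option is a real pam_tally option that the post did not use; it is assumed here as one way to let a lockout expire on its own, which blunts the lock-everyone-out concern raised at the end of the message. The sample system-auth contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: apply the pam_tally lockout
# described above to a PAM stack file idempotently, and create the faillog
# counter file with the permissions the post specifies. Paths are arguments
# so the functions can be run against a scratch copy rather than the live
# /etc/pam.d/system-auth. unlock_time is a pam_tally option the post did
# not use; it is assumed here so a lockout expires instead of lasting until
# an admin clears it.

PAM_TALLY='/lib/security/pam_tally.so'
PAM_AUTH_LINE="auth required $PAM_TALLY no_magic_root"
PAM_ACCT_LINE="account required $PAM_TALLY deny=3 no_magic_root unlock_time=900"

# add_lockout_lines FILE
# Inserts the pam_tally auth line before the first existing auth entry and
# the account line before the first account entry. Does nothing if the file
# already references pam_tally, so re-running the script is safe.
add_lockout_lines() {
  f="$1"
  if grep -q 'pam_tally\.so' "$f"; then
    return 0
  fi
  awk -v a="$PAM_AUTH_LINE" -v b="$PAM_ACCT_LINE" '
    !da && $1 == "auth"    { print a; da = 1 }
    !db && $1 == "account" { print b; db = 1 }
    { print }
  ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# tally_line_count FILE: number of pam_tally references, printed to stdout.
tally_line_count() {
  grep -c 'pam_tally\.so' "$1"
}

# create_faillog FILE: the touch/chown/chmod sequence from the post.
# chown is skipped when not running as root so the function still works in
# a scratch directory; on the real host it runs as root and ownership is set.
create_faillog() {
  f="$1"
  touch "$f"
  if [ "$(id -u)" -eq 0 ]; then
    chown root:root "$f"
  fi
  chmod 600 "$f"
}

# file_mode FILE: octal permission bits, printed to stdout (GNU or BSD stat).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Demonstration on a constructed copy of a minimal system-auth.
demo() {
  d=$(mktemp -d)
  cat > "$d/system-auth" <<'EOF'
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_unix.so
password    required      /lib/security/pam_cracklib.so retry=3
session     required      /lib/security/pam_unix.so
EOF
  add_lockout_lines "$d/system-auth"
  add_lockout_lines "$d/system-auth"   # second call is a no-op
  create_faillog "$d/faillog"
  cat "$d/system-auth"
  echo "faillog mode: $(file_mode "$d/faillog")"
  rm -rf "$d"
}

demo
```

To use it against the real service console, call `add_lockout_lines /etc/pam.d/system-auth` and `create_faillog /var/log/faillog` as root after reviewing the demo output; the `deny=3` and `unlock_time` values are the knobs to tune if a self-expiring lockout is still too easy to trigger against shared accounts.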
_______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
