+1 to PAM over internal SSH controls. SIMP ties it back to both the local system faillock and LDAP controls for full environment lockouts.
Trevor

On Fri, Aug 14, 2015 at 3:33 PM, Steve Grubb <[email protected]> wrote:
> On Friday, August 14, 2015 01:47:49 PM Ron Colvin wrote:
> > A patch for the SSH bug that bypassed the MaxAuthTries limit was just
> > patched. Has MaxAuthTries been considered as a control in the security
> > guide?
>
> The default value for this is set to "no". We set UsePam to "yes". Some
> platforms do not have PAM and openssh replicates some of that functionality in
> their code. If you want to control the maximum number of login attempts, you
> should use the pam_faillock module. It is an improvement over pam_tally2 in
> that it tracks login attempts per user. Pam_tally2 is global. Both are hooked
> into the audit system while openssh's MaxAuthTries is not.
>
> HTH...
>
> -Steve
>
> --
> SCAP Security Guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
> https://github.com/OpenSCAP/scap-security-guide/

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699

-- This account not approved for unencrypted proprietary information --
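The pam_faillock stack Steve recommends, written out as an added example (not from the thread or from the SCAP Security Guide itself): a RHEL 7 style auth/account section for /etc/pam.d/system-auth plus the sshd_config line that routes sshd through PAM. The deny=3 and unlock_time=900 values are assumptions; pick them to match your lockout policy.

```text
# /etc/pam.d/system-auth  (also apply to password-auth on RHEL 7)
# preauth: refuse the login outright if the user is already locked out;
# "audit" also logs attempts against unknown user names.
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=900
auth        sufficient    pam_unix.so nullok try_first_pass
# authfail: count the failure for this user only when pam_unix rejected it.
auth        [default=die] pam_faillock.so authfail audit deny=3 unlock_time=900
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

# account: a successful password still fails if the per-user tally is at deny.
account     required      pam_faillock.so
account     required      pam_unix.so

# /etc/ssh/sshd_config: without this, sshd never consults the stack above.
UsePAM yes
```

Inspect or clear a user's per-user tally with `faillock --user <name>` and `faillock --user <name> --reset`; lockout events also appear in the audit log, which is the hook MaxAuthTries lacks.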
