6.6. User account lockout after failed sign-in attempts#

By default, there is no limit on failed password attempts. To slow down online brute-force and password-guessing attacks, you can configure an automatic lockout for user accounts after a set number of failed sign-in attempts. Keep in mind that a lockout also lets anyone who knows a user name lock that account on purpose, so choose the threshold and the lockout duration with that in mind.

Nubus for UCS supports multiple authentication methods. Each method has its own way to configure and count failed sign-in attempts.

6.6.1. Configure lockout for Samba and Active Directory#

Samba provides the Active Directory services of the domain, including Kerberos. To lock out users after too many failed sign-in attempts, use samba-tool. The settings apply to the whole domain.

  1. Show the currently configured values:

    Listing 6.7 Show Samba password lockout settings#
    $ samba-tool domain passwordsettings show
    
  2. Set the number of failed sign-in attempts before locking the account. The default value 0 never locks the account:

    Listing 6.8 Set the sign-in attempt limit before lockout#
    $ samba-tool domain passwordsettings set --account-lockout-threshold=5
    
  3. Set the number of minutes that the account stays locked after a user enters too many incorrect passwords:

    Listing 6.9 Set the account lockout duration in minutes#
    $ samba-tool domain passwordsettings set --account-lockout-duration=3
    
  4. Set the number of minutes after which the counter of failed sign-in attempts resets:

    Listing 6.10 Set the lockout counter reset interval in minutes#
    $ samba-tool domain passwordsettings set --reset-account-lockout-after=5
    

To unlock a locked account, see Unlock a locked user account.

Important

After the lockout duration expires, Nubus for UCS unlocks the account but doesn’t reset the counter immediately. Until the counter resets, a single failed sign-in attempt locks the account again.
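The listings above set the policy; the script below reads it back and classifies it, so that a threshold left at 0 or a reset interval longer than the lockout duration (the re-lock situation described in the note) is caught rather than eyeballed. This is an added example and not part of the Nubus for UCS manual. The two sample outputs are constructed to mirror the line format of samba-tool domain passwordsettings show; the function names are this example's own, and the reading of a lockout duration of 0 as "locked until an administrator unlocks" follows the Active Directory convention, which this page does not mention.

```shell
#!/usr/bin/env bash
# Added example, not from the Nubus for UCS manual: classify the lockout part
# of `samba-tool domain passwordsettings show` output.
# Both sample outputs are constructed to mirror the tool's
# "Label (unit): value" line format. On a real domain controller, call
#   samba_lockout_status "$(samba-tool domain passwordsettings show)"

# Constructed: the shipped default, no lockout at all.
SAMPLE_NO_LOCKOUT=$(cat <<'EOF'
Password information for domain 'DC=example,DC=com'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
EOF
)

# Constructed: the values set in Listings 6.8 to 6.10.
SAMPLE_PAGE=$(cat <<'EOF'
Password information for domain 'DC=example,DC=com'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 3
Account lockout threshold (attempts): 5
Reset account lockout after (mins): 5
EOF
)

# Print the value of the line whose label starts with $1, reading show output on stdin.
samba_setting() {
    awk -F': ' -v key="$1" 'index($1, key) == 1 { print $2; exit }'
}

# Classify the lockout policy contained in the show output passed as $1.
# Prints: disabled | enforced | enforced-counter-outlives-lockout | enforced-until-admin-unlock
samba_lockout_status() {
    output="$1"
    threshold=$(printf '%s\n' "$output" | samba_setting "Account lockout threshold")
    duration=$(printf '%s\n' "$output" | samba_setting "Account lockout duration")
    reset_after=$(printf '%s\n' "$output" | samba_setting "Reset account lockout after")
    threshold=${threshold:-0}; duration=${duration:-0}; reset_after=${reset_after:-0}

    if [ "$threshold" -eq 0 ]; then
        echo "disabled"                      # threshold 0: the account is never locked
    elif [ "$duration" -eq 0 ]; then
        echo "enforced-until-admin-unlock"   # AD convention for duration 0 (not from this page)
    elif [ "$reset_after" -gt "$duration" ]; then
        # The account unlocks before the counter resets: one more failure re-locks it.
        echo "enforced-counter-outlives-lockout"
    else
        echo "enforced"
    fi
}

samba_lockout_status "$SAMPLE_NO_LOCKOUT"
samba_lockout_status "$SAMPLE_PAGE"
```

The status "enforced-counter-outlives-lockout" is not an error; it is exactly what the note above describes. It is worth flagging because an account in that state looks unlocked to the user but locks again on the next typo, which generates support calls and hides a genuine guessing attempt among them.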

6.6.2. Configure lockout for the PAM stack#

To have the PAM stack lock users automatically after failed sign-in attempts, set the UCR variable auth/faillog to yes. Set the number of failed sign-in attempts that triggers a lockout in auth/faillog/limit. The counter resets each time the user enters the password correctly.

By default, the lockout is per system: a user locked out on one system can still sign in on another. Set auth/faillog/lock_global to yes to apply the lockout globally and register it in the LDAP directory. You can set the global lock only on Primary Directory Node or Backup Directory Node systems, because the other system roles lack write permissions in the LDAP directory. On those other system roles, the listener module automatically activates or deactivates the local lockout depending on the lock state in the LDAP directory.

By default, the lockout has no time limit, and you must reset the lockout manually. However, Nubus for UCS can also reset the lockout automatically after a configured period. Specify the period in seconds in auth/faillog/unlock_time. If the value is 0, Nubus for UCS resets the lockout counter immediately.

By default, the root user is exempt from the lockout. You can apply the lockout to root by setting auth/faillog/root to yes.

If the lockout applies only locally, you can unlock a user account by running the command in Listing 6.11.

Listing 6.11 Reset a locally locked user account#
$ faillock --reset --user USERNAME

If Nubus for UCS locks the account globally in the LDAP directory, see Unlock a locked user account.
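Once the PAM lockout is active, the next question is who got locked and why. The script below is an added example and not part of the Nubus for UCS manual: it reads an auth log from stdin, lists the users that pam_faillock locked, and shows from which source addresses their failures came, which separates a user mistyping a password from one address grinding through many accounts. The log lines are constructed to resemble the syslog messages of pam_faillock and pam_unix; host names, user names and addresses are made up, and the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the Nubus for UCS manual: find out which users
# pam_faillock locked and where their failed attempts came from.
# The log below is constructed to resemble pam_faillock and pam_unix syslog
# messages; host names, user names and addresses are made up.

SAMPLE_AUTH_LOG=$(cat <<'EOF'
Mar 10 08:01:02 ucs-primary sshd[2011]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5  user=alice
Mar 10 08:01:05 ucs-primary sshd[2011]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5  user=alice
Mar 10 08:01:09 ucs-primary sshd[2011]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5  user=alice
Mar 10 08:01:09 ucs-primary sshd[2011]: pam_faillock(sshd:auth): Consecutive login failures for user alice account temporarily locked
Mar 10 08:02:30 ucs-primary sshd[2040]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5  user=bob
Mar 10 08:02:33 ucs-primary sshd[2040]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5  user=bob
Mar 10 08:02:36 ucs-primary sshd[2040]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5  user=bob
Mar 10 08:02:36 ucs-primary sshd[2040]: pam_faillock(sshd:auth): Consecutive login failures for user bob account temporarily locked
Mar 10 08:15:00 ucs-primary sshd[2101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.77  user=carol
EOF
)

# Users that pam_faillock reported as locked, one "user count" line each (stdin).
locked_users() {
    awk '/pam_faillock\([^)]*\): Consecutive login failures for user / {
             for (i = 1; i <= NF; i++) if ($i == "user") { locks[$(i + 1)]++; break }
         }
         END { for (u in locks) print u, locks[u] }' | sort
}

# Distinct source addresses (rhost=) behind the pam_unix failures of user $1 (stdin).
failure_sources() {
    awk -v u="$1" '/pam_unix\([^)]*\): authentication failure/ {
             rhost = ""; hit = 0
             for (i = 1; i <= NF; i++) {
                 if (index($i, "rhost=") == 1) rhost = substr($i, 7)   # skip "ruser="
                 if ($i == "user=" u) hit = 1
             }
             if (hit && rhost != "") hosts[rhost]++
         }
         END { for (h in hosts) print h }' | sort
}

# Number of locked users whose failures came from host $1 in log $2.
# Many locked users behind one address points at password spraying or a
# deliberate lockout of accounts rather than at people mistyping passwords.
users_locked_from() {
    host="$1"; log="$2"; count=0
    for u in $(printf '%s\n' "$log" | locked_users | awk '{ print $1 }'); do
        if printf '%s\n' "$log" | failure_sources "$u" | grep -qxF "$host"; then
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# Run on the constructed sample; on a real system: locked_users < /var/log/auth.log
printf '%s\n' "$SAMPLE_AUTH_LOG" | locked_users
users_locked_from 10.0.0.5 "$SAMPLE_AUTH_LOG"
```

In the sample, alice and bob are both locked and all of their failures come from 10.0.0.5, while carol's single failure from a different address never reaches the limit. Two locked accounts from one address within a minute is the pattern to investigate before unlocking anyone.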

6.6.3. Configure lockout for OpenLDAP#

This feature is available on Primary Directory Node and Backup Directory Node systems. To enable it, set ldap/ppolicy/enabled to yes and restart the OpenLDAP server, as shown in Listing 6.12.

Listing 6.12 Enable OpenLDAP password policy and restart the server#
$ ucr set ldap/ppolicy/enabled=yes
$ systemctl restart slapd

By default, five failed LDAP sign-in attempts within five minutes trigger the lockout. To unlock a locked account, see Unlock a locked user account.

In the configuration object with the objectClass pwdPolicy, you can adjust the number of failed LDAP sign-in attempts that trigger a lockout.

The pwdPolicy object has these attributes:

pwdMaxFailure

The number of failed LDAP sign-in attempts before the account locks.

pwdMaxFailureCountInterval

The time interval in seconds during which Nubus for UCS counts failed sign-in attempts. Nubus for UCS ignores failed sign-in attempts outside this time interval.

To list the current values, run the following command:

Listing 6.13 List the pwdPolicy configuration object#
$ univention-ldapsearch objectclass=pwdPolicy

To set pwdMaxFailure to 10, run the following command:

Listing 6.14 Set the maximum sign-in failure count to 10#
$ LB="$(ucr get ldap/base)"
$ ldapmodify -x -D "cn=admin,$LB" -y /etc/ldap.secret <<__EOT__
dn: cn=default,cn=ppolicy,cn=univention,$LB
changetype: modify
replace: pwdMaxFailure
pwdMaxFailure: 10
__EOT__
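Listing 6.14 changes one attribute. The script below, an added example that is not part of the Nubus for UCS manual, does the two things a practitioner usually needs around it: it reads the effective lockout policy out of the LDIF that univention-ldapsearch returns (folding and comment lines handled), and it builds an LDIF that sets pwdMaxFailure and pwdMaxFailureCountInterval together for the same ldapmodify call. The sample LDIF is constructed to look like ldapsearch output. Two details come from the slapo-ppolicy documentation rather than from this page: the policy only locks accounts when pwdLockout is TRUE, and a missing or zero pwdMaxFailureCountInterval means the failure counter is reset only by a successful bind. The function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the Nubus for UCS manual: read the lockout settings
# out of the pwdPolicy object and build the LDIF that sets both of them.
# The LDIF below is constructed to look like univention-ldapsearch output
# (comment lines, long values folded with a leading space on the next line).

SAMPLE_PPOLICY_LDIF=$(cat <<'EOF'
# extended LDIF
#
# LDAPv3
# filter: objectclass=pwdPolicy

dn: cn=default,cn=ppolicy,cn=univention,dc=example,dc=com
objectClass: top
objectClass: pwdPolicy
cn: default
description: Default policy of the domain; slapo-ppolicy reads the lockout set
 tings from this object
pwdAttribute: userPassword
pwdLockout: TRUE
pwdMaxFailure: 5
pwdMaxFailureCountInterval: 300

# search result
search: 2
result: 0 Success
EOF
)

# Join folded LDIF continuation lines and drop comment lines (stdin to stdout).
ldif_unfold() {
    awk '/^#/ { next }
         /^ / { buf = buf substr($0, 2); next }
         { if (buf != "") print buf; buf = $0 }
         END { if (buf != "") print buf }'
}

# Print the first value of attribute $1 (name compared case-insensitively) from LDIF on stdin.
ppolicy_attr() {
    ldif_unfold | awk -F': ' -v a="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" \
        'tolower($1) == a { print substr($0, length($1) + 3); exit }'
}

# Summarise the lockout policy of the LDIF passed as $1.
# pwdLockout TRUE is required for slapo-ppolicy to lock at all (its default is
# FALSE), and a missing or zero pwdMaxFailureCountInterval means the counter is
# only reset by a successful bind; both facts are from slapo-ppolicy, not this page.
ppolicy_lockout_summary() {
    ldif="$1"
    lockout=$(printf '%s\n' "$ldif" | ppolicy_attr pwdLockout)
    maxfail=$(printf '%s\n' "$ldif" | ppolicy_attr pwdMaxFailure)
    interval=$(printf '%s\n' "$ldif" | ppolicy_attr pwdMaxFailureCountInterval)
    if [ "$lockout" != "TRUE" ] || [ "${maxfail:-0}" -eq 0 ]; then
        echo "lockout disabled"
    elif [ "${interval:-0}" -eq 0 ]; then
        echo "$maxfail failures lock the account; counter resets only on a successful bind"
    else
        echo "$maxfail failures within $interval seconds lock the account"
    fi
}

is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# LDIF that replaces both lockout attributes in one modify: $1 = LDAP base,
# $2 = pwdMaxFailure, $3 = pwdMaxFailureCountInterval (seconds).
build_ppolicy_ldif() {
    base="$1"; maxfail="$2"; interval="$3"
    is_uint "$maxfail" && is_uint "$interval" || { echo "integers expected" >&2; return 1; }
    printf 'dn: cn=default,cn=ppolicy,cn=univention,%s\n' "$base"
    printf 'changetype: modify\n'
    printf 'replace: pwdMaxFailure\npwdMaxFailure: %s\n-\n' "$maxfail"
    printf 'replace: pwdMaxFailureCountInterval\npwdMaxFailureCountInterval: %s\n' "$interval"
}

ppolicy_lockout_summary "$SAMPLE_PPOLICY_LDIF"
# To apply on a Primary or Backup Directory Node, pipe into the ldapmodify of Listing 6.14:
#   LB="$(ucr get ldap/base)"
#   build_ppolicy_ldif "$LB" 10 600 | ldapmodify -x -D "cn=admin,$LB" -y /etc/ldap.secret
```

Reading the policy back after the ldapmodify is the check worth keeping: run univention-ldapsearch objectclass=pwdPolicy through ppolicy_lockout_summary and confirm the sentence matches what you intended to set.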

6.6.4. Unlock a locked user account#

The unlock method depends on which lockout mechanism locked the account.

If Samba or OpenLDAP locked the account:

  1. Open the Users management module.

  2. Open the Account tab.

  3. Select Unlock account.

  4. Save the changes.

If the PAM stack locked the account globally, Nubus for UCS also deactivates the user account:

  1. Open the Users management module.

  2. Open the Account tab.

  3. Clear the Account is deactivated checkbox.

  4. Save the changes.