protect Linux user accounts against brute force attacks

There are bad passwords, ok passwords, good passwords, strong passwords, very strong passwords.

With only 100 attempts for brute forcing (soon less), we don’t need strong passwords. Not 20-character alphanumeric passwords with special characters.
example: “JX%q'\S+e1'D>Y,L4<uW” [1]

We might get away even with almost trivial passwords. This is fantastic for usability. Very, very few users would realistically type a password as complicated as [1].

I wouldn’t be surprised if most users keep the password changeme.
But we could do better on usability by guiding the user to change the password from changeme to something else: warning if the password is still the default changeme and auto-starting a GUI to ask for a password change.


Please review:


Looks good to me.

I experienced an issue with Whonix / Kicksecure pam_tally2 integration where failed logins (probably automated bot password cracking attempts) over POP3 (dovecot) led to a user account getting locked.

For local user account login it is desirable to support short, uncrackable passwords by limiting the maximum number of password entries to a reasonable number (50 at the time of writing). However, for e-mail login, password cracking attempts cannot be effectively prevented. The only way to secure these is using the usual super long, super complex passwords. Using keyfiles for POP3 / SMTP login is unfortunately very uncommon.

Failed POP3 (dovecot) logins should not result in Linux user accounts getting locked.

I would advise using different Linux user accounts for server login and e-mail login. For example, user user for login and user mail for incoming mail.

Therefore I invented a script /usr/lib/security-misc/pam_tally2_not_if_x which in essence results in skipping the pam_tally2 counter check for a (currently hardcoded) list of exceptions.

Related files:

https://github.com/Whonix/security-misc/blob/master/usr/share/pam-configs/tally2-security-misc

https://github.com/Whonix/security-misc/blob/master/usr/lib/security-misc/pam_tally2_not_if_x

This results in /etc/pam.d/common-auth being injected with:

auth    [success=1 default=ignore]      pam_exec.so seteuid quiet /usr/lib/security-misc/pam_tally2_not_if_x
auth    requisite       pam_tally2.so even_deny_root deny=50 onerr=fail audit debug

This causes a confusing error message:

pam_exec(sudo:auth): /usr/lib/security-misc/pam_tally2_not_if_x failed: exit code 1

Reported upstream:

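An added example, not the security-misc project's own pam_tally2_not_if_x script: a minimal POSIX sh pam_exec hook that implements the skip-the-counter idea from the post above. It relies on pam_exec exporting PAM_SERVICE and PAM_USER into the child's environment, and on the `[success=1 default=ignore]` control quoted above, so exit 0 makes PAM jump over the following pam_tally2 line while exit 1 falls through to it. The exempt service names, the user mail, and the install path in the comments are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not the security-misc project's script): a pam_exec hook that
# decides whether the pam_tally2 failure counter should be skipped for this login.
# Assumed PAM stack (mirrors the lines quoted in the thread, path is an assumption):
#   auth [success=1 default=ignore] pam_exec.so seteuid quiet /usr/local/lib/pam_tally2_skip_example
#   auth requisite pam_tally2.so even_deny_root deny=50 onerr=fail audit
# Exit 0 -> "success"        -> PAM skips the next module, pam_tally2 is not consulted.
# Exit 1 -> "default=ignore" -> PAM continues to pam_tally2, failures are counted.

# Assumed exception lists: PAM services exposed to network password guessing, which
# must not be able to lock local console accounts, and users that only ever
# authenticate over those services (the separate "mail" account suggested above).
EXEMPT_SERVICES="dovecot exim4 postfix"
EXEMPT_USERS="mail"

# in_list WORD LIST -> returns 0 if WORD equals one of the space-separated LIST entries
in_list() {
  needle="$1"
  shift
  for item in $1; do
    [ "$item" = "$needle" ] && return 0
  done
  return 1
}

# tally2_exempt SERVICE USER -> returns 0 when pam_tally2 should be skipped
tally2_exempt() {
  service="$1"
  user="$2"
  # Never exempt on an empty service name: a misconfigured stack must keep counting.
  [ -n "$service" ] || return 1
  if in_list "$service" "$EXEMPT_SERVICES"; then
    return 0
  fi
  if [ -n "$user" ] && in_list "$user" "$EXEMPT_USERS"; then
    return 0
  fi
  return 1
}

# pam_exec sets PAM_SERVICE and PAM_USER; only act when actually invoked by PAM,
# so that sourcing the file for testing just defines the functions.
if [ -n "${PAM_SERVICE:-}" ]; then
  if tally2_exempt "$PAM_SERVICE" "${PAM_USER:-}"; then
    exit 0
  fi
  exit 1
fi
```

Because the hook answers per PAM service rather than per remote host, a flood of bad POP3 passwords can no longer push the counter for the console user over deny=50, while sudo, login and sshd keep the full counter behaviour; the pam_tally2 line itself is unchanged.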