I manage a small FreeIPA domain that has one server that can be accessed through ssh from the internet. I occasionally find that the admin account is locked when I try to log in to the FreeIPA admin interface (not available from the Internet), and it seems that this is due to an endless stream of incoming ssh authentication attempts for common names like "root" and "admin", and in the latter case, the authentication is forwarded to the FreeIPA server (since the user exists in the directory, I suppose), and the account gets locked out temporarily now and then due to too many failed attempts. Now, admin is not actually supposed to be able to log in through ssh (or as a POSIX account in general), so I have tried to add: DenyUsers admin to sshd_config on that server to filter out these attempts, but it seems (as far as I can see in the logs) that the authentication is still tried against the FreeIPA server, before it gets blocked by sshd. What is the best way to prevent the evil bots of the Internet from locking out my admin account?
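To see how a stream of ssh guesses like the one described above turns into an IPA lockout, here is an added example (not code from this thread or from the FreeIPA project) that scans sshd log lines and reports directory accounts whose failures within the policy's failure interval reach maxfail. The log lines are constructed, and the defaults of 6 failures in 60 seconds are assumed example values; compare them with the output of ipa pwpolicy-show on your own server. It also assumes that names sshd reports as "invalid user" did not resolve through NSS/SSSD and therefore never reached the IPA lockout counter.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample sshd syslog lines (not taken from the thread).
SAMPLE_LOG = """\
Jun 19 16:01:02 ipa1 sshd[2201]: Failed password for admin from 198.51.100.7 port 51234 ssh2
Jun 19 16:01:05 ipa1 sshd[2201]: Failed password for admin from 198.51.100.7 port 51234 ssh2
Jun 19 16:01:09 ipa1 sshd[2205]: Failed password for invalid user oracle from 198.51.100.7 port 51240 ssh2
Jun 19 16:01:12 ipa1 sshd[2209]: Failed password for root from 203.0.113.9 port 40011 ssh2
Jun 19 16:01:20 ipa1 sshd[2213]: Failed password for admin from 203.0.113.9 port 40015 ssh2
Jun 19 16:01:31 ipa1 sshd[2217]: Failed password for admin from 203.0.113.9 port 40019 ssh2
Jun 19 16:01:44 ipa1 sshd[2221]: Failed password for admin from 198.51.100.7 port 51300 ssh2
Jun 19 16:01:58 ipa1 sshd[2225]: Failed password for admin from 198.51.100.7 port 51304 ssh2
Jun 19 16:02:30 ipa1 sshd[2229]: Failed password for root from 203.0.113.9 port 40030 ssh2
"""

# OpenSSH "Failed password" line; "invalid user" appears when the name did not
# resolve via NSS/SSSD, so those attempts are assumed not to reach IPA's counter.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_failures(log_text, year=2017):
    """Yield (timestamp, user, source_ip, resolved) per failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["src"], m["invalid"] is None

def lockout_risk(log_text, maxfail=6, failinterval=60):
    """Return {user: peak failures inside any failinterval-second window}
    for resolved users whose peak reaches maxfail (assumed IPA defaults)."""
    stamps = defaultdict(list)
    for ts, user, _src, resolved in parse_failures(log_text):
        if resolved:
            stamps[user].append(ts)
    at_risk = {}
    for user, times in stamps.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > failinterval:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= maxfail:
            at_risk[user] = peak
    return at_risk
```

With the sample above, admin accumulates six resolved failures inside one minute and is reported, while root's two failures are too far apart and the "invalid user" guess is ignored.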
Hi Peter,
What is the best way to prevent the evil bots of the Internet from locking out my admin account?
One simple solution would be to grant another user admin privileges instead of using the built-in "admin" account.
Regards,
j
Jason B. Nance via FreeIPA-users wrote:
Hi Peter,
What is the best way to prevent the evil bots of the Internet from locking out my admin account?
One simple solution would be to grant another user admin privileges instead of using the built-in "admin" account.
Yes, any member of the admins group would have the same access.
You can alternatively create a group password policy for the admins group and set maxfail to 0 to disable account lockout.
rob
Configure SSSD on that client with
[nss]
filter_users = root, admin
Sent from my Samsung device
-------- Original message -------- From: peter--- via FreeIPA-users freeipa-users@lists.fedorahosted.org Date: 19-06-17 16:09 (GMT+01:00) To: freeipa-users@lists.fedorahosted.org Cc: peter@husen.dk Subject: [Freeipa-users] admin account locked due to external ssh authentication attempts
Thanks, this did exactly what I wanted.
Regards, Peter