# How to automatically lock user accounts after x failed login attempts



## dazm_2000 (May 18, 2017)

Hi there,

Could someone point me in the right direction for how to automatically lock user accounts on FreeBSD 11.0-RELEASE-pX after a number of failed login attempts and optionally to automatically unlock the account again after a specified time?

Many thanks daz


----------



## SirDice (May 18, 2017)

The easiest way is to use security/sshguard. This doesn't actually touch the accounts themselves but does severely hinder those brute-force attacks. Alternatively on 11.0 and higher you can use blacklistd(8). Although I'm still trying to figure out how to actually use it, documentation is rather scarce.


----------



## dazm_2000 (May 18, 2017)

Hi SirDice, Thanks for the info but it's not address blocking that we require as most users will connect from the same ip address!


----------



## pboehmer (May 18, 2017)

Second this.  We had been using security/pam_abl, which was removed from the ports tree some time ago.  I'm wondering how trivial it would be to have security/py-fail2ban disable users.  Instead of blocking an offending IP, have a script change user's shell.


----------



## SirDice (May 18, 2017)

dazm_2000 said:


> Thanks for the info but it's not address blocking that we require as most users will connect from the same ip address!


Ah, yes. That would make blocking IP addresses somewhat problematic. 



pboehmer said:


> Instead of blocking an offending IP, have a script change user's shell.


I would just lock the account. 

```
     An encrypted password prefixed by `*LOCKED*' means that the account is
     temporarily locked out and no one can log into it using any
     authentication.  For a convenient command-line interface to account
     locking, see pw(8).
```


```
USER LOCKING
     The pw utility supports a simple password locking mechanism for users; it
     works by prepending the string `*LOCKED*' to the beginning of the
     password field in master.passwd to prevent successful authentication.

     The lock and unlock commands take a user name or uid of the account to
     lock or unlock, respectively.  The -V, -C, and -q options as described
     above are accepted by these commands.
```


----------



## dazm_2000 (May 18, 2017)

Not exactly the simple answer I was looking for


----------



## phoenix (May 18, 2017)

On Linux, this would be very easy to do using PAM. But, it seems the OpenPAM implementation on FreeBSD doesn't include any "keep track of failed logins" feature (aka pam_tally).

FreeBSD does have login.conf(5) that includes a feature to disable the login after X failures (*login-retries*), although the man page doesn't explain what, exactly, that means.

You'd probably need to use something like fail2ban and have it call an external script to lock the account via pw(1), then unlock the account at a later date.

Or write a PAM module that does that. Or maybe just port pam_tally over from Linux. See this man page for what's possible: http://www.linux-pam.org/Linux-PAM-html/sag-pam_tally2.html Or this site for a description of its use: https://www.tecmint.com/use-pam_tally2-to-lock-and-unlock-ssh-failed-login-attempts/
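The "external script" phoenix describes, built on the `pw lock` / `pw unlock` commands SirDice quoted, as an added example that is not code from this thread or from any of the mentioned ports. It counts sshd's "Failed password" lines per user, locks accounts that reach a threshold, records when it did so, and unlocks them again after a timeout. The names THRESHOLD, LOG, PW_CMD, STATE_DIR, UNLOCK_AFTER and the sample log lines are this example's own assumptions; the log path assumes a default FreeBSD syslog.conf.

```shell
#!/bin/sh
# Added example, not code from the thread: a small lockout script in the shape
# phoenix describes. It counts "Failed password" lines per user in sshd's log,
# locks accounts that reach THRESHOLD with pw(8) lock, records when it did so,
# and unlocks them with pw(8) unlock once UNLOCK_AFTER seconds have passed.
# THRESHOLD, LOG, PW_CMD, STATE_DIR and UNLOCK_AFTER are this example's own names.

THRESHOLD="${THRESHOLD:-5}"                 # failures before an account is locked
LOG="${LOG:-/var/log/auth.log}"             # sshd's log on a default FreeBSD syslog.conf (assumption)
PW_CMD="${PW_CMD:-pw}"                      # pw(8); point at a stub for a dry run
STATE_DIR="${STATE_DIR:-/var/db/autolock}"  # one file per locked user holding the lock time
UNLOCK_AFTER="${UNLOCK_AFTER:-1800}"        # seconds until an account is unlocked again

# Constructed sample log lines (not real data) for the --demo mode below.
SAMPLE_LOG='May 18 10:00:01 host sshd[100]: Failed password for bob from 192.0.2.10 port 5000 ssh2
May 18 10:00:03 host sshd[100]: Failed password for bob from 192.0.2.10 port 5000 ssh2
May 18 10:00:05 host sshd[100]: Failed password for bob from 192.0.2.10 port 5000 ssh2
May 18 10:00:07 host sshd[101]: Failed password for alice from 192.0.2.10 port 5001 ssh2
May 18 10:00:09 host sshd[102]: Accepted password for alice from 192.0.2.10 port 5002 ssh2
May 18 10:00:11 host sshd[103]: Failed password for invalid user admin from 198.51.100.7 port 4000 ssh2
May 18 10:00:13 host sshd[103]: Failed password for invalid user admin from 198.51.100.7 port 4000 ssh2
May 18 10:00:15 host sshd[103]: Failed password for invalid user admin from 198.51.100.7 port 4000 ssh2'

# Read log text on stdin and print "count user" for each user that failed a
# password check. "invalid user" lines are skipped: there is no local account
# to lock, so counting guessed names would only waste effort.
failed_counts() {
    awk '
        /Failed password for invalid user/ { next }
        /Failed password for/ {
            for (i = 1; i <= NF; i++)
                if ($i == "for") { count[$(i + 1)]++; break }
        }
        END { for (u in count) print count[u], u }
    ' | sort -k2
}

# Print the names of users whose failure count reached THRESHOLD.
users_over_threshold() {
    failed_counts | awk -v t="$THRESHOLD" '$1 >= t { print $2 }'
}

# Lock one account with pw(8) and remember when, so it can be unlocked later.
# An account this script already locked is left alone; pw fails on unknown names.
lock_user() {
    user="$1"
    if [ -f "$STATE_DIR/$user" ]; then
        return 0
    fi
    if "$PW_CMD" lock "$user"; then
        date +%s > "$STATE_DIR/$user"
        printf 'autolock: locked %s after %s failed logins\n' "$user" "$THRESHOLD" >&2
    fi
}

# Unlock every account whose lock is older than UNLOCK_AFTER seconds.
unlock_expired() {
    now=$(date +%s)
    for f in "$STATE_DIR"/*; do
        [ -f "$f" ] || continue
        locked_at=$(cat "$f")
        if [ $((now - locked_at)) -ge "$UNLOCK_AFTER" ]; then
            "$PW_CMD" unlock "$(basename "$f")" && rm -f "$f"
        fi
    done
}

# One pass over the log, meant to be run from cron(8) or as a fail2ban action.
run_once() {
    mkdir -p "$STATE_DIR"
    for u in $(users_over_threshold < "$LOG"); do
        lock_user "$u"
    done
    unlock_expired
}

case "${1:-}" in
    --run)  run_once ;;
    --demo) THRESHOLD=3; printf '%s\n' "$SAMPLE_LOG" | users_over_threshold ;;
esac
```

`sh autolock.sh --demo` prints `bob` (three failures for an existing account; `admin` is skipped as "invalid user" and `alice` failed only once); `--run` does the real pass as root. Two caveats a practitioner would want: the counts cover the whole log file, so a rotated or time-windowed log (or fail2ban's own windowing) is what keeps a user who mistyped a password months ago from being locked out later; and since anyone who knows a username can trigger the lock, the automatic unlock is what bounds the resulting denial of service, so keep an administrative account outside the mechanism.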


----------



## Oko (May 18, 2017)

phoenix said:


> On Linux, this would be very easy to do using PAM.


People who came up with PAM should be sentenced to long jail terms. Following Linux PAM lead is one of the most irritating things on FreeBSD. All sane commercial UNIX-es have better alternatives not to mention ypldap daemon of OpenBSD.


----------



## Datapanic (May 18, 2017)

You could use LDAP and Password Policy


----------

