Forum Discussion

Peter_Z
Jun 03, 2010

How to set maximum failed logon attempts

Hello,

I didn't find a way to modify the default value for maximum failed logon attempts. I guess modifying the config file is not the right way since v9.4.x.

Can you help me with how I could accomplish this?

  • I'm not even sure that you can set that option.

    If you can I'd guess that it depends on the Authentication settings configured on the LTM, and if those sources (TACACS, LDAP, etc.) would recognize a failed login attempt on the LTM as a qualifier of an account lockout.

    To my knowledge you can't set that option on the LTM itself.
  • We're using local authentication (no LDAP, TACACS...). The config is stored in local/system-auth (symbolic link exists: /etc/pam.d/system-auth) and looks like this:

    password required /lib/security/$ISA/pam_cracklib.so retry=3 type=BIG-IP minlen=7 dcredit=-1 ucredit=-0 lcredit=-1 ocredit=-0

    password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=8 min_days=1 max_days=60 warn_age=7

    The highlighted values were changed from the GUI and saved by the system to this file (default values were different). I guess the retry option sets the failed logon attempts, but I did not figure out how to change it from the GUI or via a bigpipe command.
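
Added example, not part of the original thread and not F5 code: a small parser (the names parse_pam and lockout_rules are hypothetical) that reads the two lines quoted above and reports whether any rule limits failed logins. It assumes the file follows stock Linux-PAM syntax, where pam_cracklib's retry is the number of new-password prompts during a password change and failed-login limits come from modules such as pam_tally, pam_tally2 or pam_faillock through their deny= argument.

```python
import os

# Constructed sample: the two lines quoted in the post above.
SAMPLE = """\
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=BIG-IP minlen=7 dcredit=-1 ucredit=-0 lcredit=-1 ocredit=-0
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=8 min_days=1 max_days=60 warn_age=7
"""

# Linux-PAM modules that count failed logins and can lock an account.
LOCKOUT_MODULES = {"pam_tally", "pam_tally2", "pam_faillock"}


def parse_pam(text):
    """Parse 'type control module-path [args...]' lines into dicts."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if len(fields) < 3:
            continue  # blank, comment-only or malformed line
        ptype, rest = fields[0], fields[1:]
        if rest[0].startswith("["):  # bracketed control: [success=1 default=ignore]
            end = next((i for i, f in enumerate(rest) if f.endswith("]")), None)
            if end is None:
                continue
            control, rest = " ".join(rest[: end + 1]), rest[end + 1:]
        else:
            control, rest = rest[0], rest[1:]
        if not rest:
            continue
        module = os.path.splitext(os.path.basename(rest[0]))[0]
        args = {}
        for token in rest[1:]:
            key, sep, value = token.partition("=")
            args[key] = value if sep else True  # bare flags such as 'shadow'
        rules.append({"type": ptype, "control": control, "module": module, "args": args})
    return rules


def lockout_rules(rules):
    """Return (type, module, deny) for each rule that limits failed logins."""
    return [(r["type"], r["module"], r["args"].get("deny"))
            for r in rules if r["module"] in LOCKOUT_MODULES]


if __name__ == "__main__":
    parsed = parse_pam(SAMPLE)
    for r in parsed:
        print(r["type"], r["module"], r["args"])
    print("lockout rules:", lockout_rules(parsed) or "none in this snippet")
```

Run against the quoted lines it finds two password-type rules and no lockout rule, so nothing in this snippet counts failed logon attempts.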