Peter_Z
Cirrus
Jun 03, 2010
How to set maximum failed logon attempts
Hello,
I didn't find a way to modify the default value for maximum failed logon attempts. I guess modifying the config file is not the right way since v9.4.x.
Can you help me with how I could accomplish this?
2 Replies
- Michael_Yates
Nimbostratus
I'm not even sure that you can set that option.
If you can I'd guess that it depends on the Authentication settings configured on the LTM, and if those sources (TACACS, LDAP, etc.) would recognize a failed login attempt on the LTM as a qualifier of an account lockout.
To my knowledge you can't set that option on the LTM itself.
- Peter_Z
Cirrus
We're using local authentication (no LDAP, TACACS...). The config is stored in local/system-auth (symbolic link exists: /etc/pam.d/system-auth) and looks like this:
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=BIG-IP minlen=7 dcredit=-1 ucredit=-0 lcredit=-1 ocredit=-0
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=8 min_days=1 max_days=60 warn_age=7
The highlighted values were changed from the GUI and saved by the system to this file (default values were different). I guess the retry option sets the failed logon attempts, but I did not figure out how to change it from the GUI or via a bigpipe command.
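An added example, not from the thread or from F5: a Python parser that splits the two `system-auth` lines quoted above into PAM type, control, module and options, then checks for a logon-time failure counter. The module names `pam_tally`, `pam_tally2` and `pam_faillock` are standard Linux-PAM modules assumed here as candidates (the thread does not say whether the BIG-IP ships any of them), and `CONSTRUCTED_AUTH` is a made-up line for comparison.

```python
# The two lines quoted in the post above, copied verbatim.
# Per the pam_cracklib man page, retry= is how many times the module prompts
# for a new password during a password change before returning an error.
SYSTEM_AUTH = """\
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=BIG-IP minlen=7 dcredit=-1 ucredit=-0 lcredit=-1 ocredit=-0
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=8 min_days=1 max_days=60 warn_age=7
"""
# Constructed sample (not from the thread): a logon-time failure counter.
CONSTRUCTED_AUTH = "auth required pam_tally2.so deny=3 unlock_time=600\n"

# Standard Linux-PAM modules that count failed logons. Assumption: the
# thread does not say whether any of them exists on the BIG-IP.
LOCKOUT_MODULES = {"pam_tally", "pam_tally2", "pam_faillock"}


def parse_pam(text):
    """Parse 'type control module [options]' lines into dicts."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3:
            continue  # blank, comment-only or malformed line
        ptype, rest = fields[0], fields[1:]
        end = 1  # a control may span tokens: [success=1 default=ignore]
        if rest[0].startswith("["):
            while end < len(rest) and not rest[end - 1].endswith("]"):
                end += 1
        if end >= len(rest):
            continue  # no module path after the control
        name = rest[end].rsplit("/", 1)[-1]
        name = name[:-3] if name.endswith(".so") else name
        opts = {}
        for tok in rest[end + 1:]:
            key, sep, val = tok.partition("=")
            opts[key] = val if sep else True  # bare flags such as nullok
        entries.append({"type": ptype, "control": " ".join(rest[:end]),
                        "module": name, "options": opts})
    return entries


def lockout_entries(entries):
    """Entries that run at logon ('auth'/'account') and count failures."""
    return [e for e in entries
            if e["type"] in ("auth", "account") and e["module"] in LOCKOUT_MODULES]


if __name__ == "__main__":
    for label, text in (("quoted", SYSTEM_AUTH), ("constructed", CONSTRUCTED_AUTH)):
        entries = parse_pam(text)
        print(label, [(e["type"], e["module"]) for e in entries],
              "lockout:", [e["module"] for e in lockout_entries(entries)])
```

Both quoted lines are `password`-type entries, which PAM consults when a password is changed, so the check reports no logon-time lockout module for them; only the constructed `auth` line is flagged.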
