diff options
| author |  sommerfeld <sommerfeld@sommerfeld.dev> | 2026-05-13 13:43:10 +0100 |
|---|---|---|
| committer | sommerfeld <sommerfeld@sommerfeld.dev> | 2026-05-13 13:43:10 +0100 |
| commit | 1902cb47830e2c69a3f14d2ad448dbf8d6a31519 (patch) | |
| tree | 67eed914fe307f10dd816a6b3139090f3905aada | |
| parent | 4ed988333dc08090c0ad7612b940429a22e4c3f3 (diff) | |
| download | dotfiles-1902cb47830e2c69a3f14d2ad448dbf8d6a31519.tar.gz dotfiles-1902cb47830e2c69a3f14d2ad448dbf8d6a31519.tar.bz2 dotfiles-1902cb47830e2c69a3f14d2ad448dbf8d6a31519.zip | |
feat(etc): relax faillock (deny=50, unlock_time=30)
Single-user laptop behind FDE with key-only SSH means local brute
force is not a realistic threat. Tight defaults (3 attempts, 10min
lock) mainly punish typos.
| -rw-r--r-- | etc/security/faillock.conf | 64 |
1 files changed, 64 insertions, 0 deletions
diff --git a/etc/security/faillock.conf b/etc/security/faillock.conf new file mode 100644 index 0000000..7da680a --- /dev/null +++ b/etc/security/faillock.conf @@ -0,0 +1,64 @@ +# Configuration for locking the user after multiple failed +# authentication attempts. +# +# The directory where the user files with the failure records are kept. +# The default is /var/run/faillock. +# dir = /var/run/faillock +# +# Will log the user name into the system log if the user is not found. +# Enabled if option is present. +# audit +# +# Don't print informative messages. +# Enabled if option is present. +# silent +# +# Don't log informative messages via syslog. +# Enabled if option is present. +# no_log_info +# +# Only track failed user authentications attempts for local users +# in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users. +# The `faillock` command will also no longer track user failed +# authentication attempts. Enabling this option will prevent a +# double-lockout scenario where a user is locked out locally and +# in the centralized mechanism. +# Enabled if option is present. +# local_users_only +# +# Deny access if the number of consecutive authentication failures +# for this user during the recent interval exceeds n tries. +# The default is 3. +# deny = 3 +deny = 50 +# +# The length of the interval during which the consecutive +# authentication failures must happen for the user account +# lock out is n seconds. +# The default is 900 (15 minutes). +# fail_interval = 900 +# +# The access will be re-enabled after n seconds after the lock out. +# The value 0 has the same meaning as value `never` - the access +# will not be re-enabled without resetting the faillock +# entries by the `faillock` command. +# The default is 600 (10 minutes). +# unlock_time = 600 +unlock_time = 30 +# +# Root account can become locked as well as regular accounts. +# Enabled if option is present. +# even_deny_root +# +# This option implies the `even_deny_root` option. +# Allow access after n seconds to root account after the +# account is locked. In case the option is not specified +# the value is the same as of the `unlock_time` option. +# root_unlock_time = 900 +# +# If a group name is specified with this option, members +# of the group will be handled by this module the same as +# the root account (the options `even_deny_root` and +# `root_unlock_time` will apply to them). +# By default, the option is not set. +# admin_group = <admin_group_name> |