
configure login failure handling and login connection timeout policies

0

I wanted to configure the following
in /etc/pam.d/system-auth and /etc/pam.d/password-auth:

auth required pam_tally2.so deny=3 even_deny_root unlock_time=600
TMOUT=600
HISTFILESIZE=0 / HISTSIZE=0

On Amazon Ubuntu servers, the files system-auth and password-auth do not exist, as Ubuntu uses a different PAM structure.

Please confirm the correct and supported way to implement these same security controls on Amazon Ubuntu, including:

Enforcing account lockout after three failed login attempts with a 10-minute unlock period

Applying a 600-second idle session timeout

Ensuring shell command history is cleared on logout

2 Answers
0

On Ubuntu (including Ubuntu on Amazon EC2), PAM is structured differently from RHEL, so system-auth and password-auth do not exist. The supported equivalents are:

(1) Account lockout: use pam_faillock by editing /etc/pam.d/common-auth and /etc/pam.d/common-account. Add to common-auth (before pam_unix.so):

auth required pam_faillock.so preauth silent deny=3 unlock_time=600 even_deny_root
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=600 even_deny_root

and to common-account:

account required pam_faillock.so

(this enforces 3 failures with a 10-minute unlock).

(2) Idle session timeout: set TMOUT=600 system-wide by creating /etc/profile.d/timeout.sh with:

export TMOUT=600; readonly TMOUT

(applies to bash shells).

(3) Clear shell history on logout: in /etc/profile.d/history.sh set

export HISTSIZE=0 HISTFILESIZE=0

and optionally add unset HISTFILE or history -c in /etc/bash.bash_logout.

These methods are standard, supported on Ubuntu, and achieve the same controls you listed without using RHEL-specific PAM files.

answered 13 days ago
0

Hello. You may already be aware, but Amazon Linux is based on the Red Hat family, while Ubuntu provided by AWS belongs to the Debian/Ubuntu family, so the configuration methods are naturally quite different. In addition, security modules continue to evolve as OS versions are upgraded, which means these settings require ongoing review and validation.

As you mentioned, while the goal may be similar to configurations used on Amazon Linux, the equivalent approach on Ubuntu differs in terms of structure and supported mechanisms. Below is the Ubuntu-based configuration approach that aligns with your requirements.

Please note that the latest Ubuntu version currently provided by AWS is Ubuntu 24.04 LTS (Long Term Support). If you are running an older Ubuntu version, the configuration details and supported modules may differ, so it is important to verify the OS version before applying these settings.

1. Login attempt limit (3 failed attempts, 10-minute lockout)

sudo vi /etc/pam.d/common-auth

Add the following lines before pam_unix.so:

auth required pam_faillock.so preauth silent deny=3 unlock_time=600 even_deny_root

auth [default=die] pam_faillock.so authfail deny=3 unlock_time=600 even_deny_root

auth sufficient pam_faillock.so authsucc deny=3 unlock_time=600 even_deny_root


2. 600-second idle session timeout

sudo vi /etc/profile.d/timeout.sh

TMOUT=600

readonly TMOUT

export TMOUT


3. Disable saving command history after logout

sudo vi /etc/profile.d/no-history.sh

export HISTSIZE=0

export HISTFILESIZE=0

unset HISTFILE

answered 13 days ago
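Both answers above describe the same three controls by hand-editing files under /etc. The script below is an added example, not code from either answer or from Ubuntu or AWS: it renders the three controls into a staging directory that mirrors the /etc layout, so the result can be diffed and reviewed before anything is copied into place, and it checks that the pam_faillock lines ended up in the right order. Two design choices differ from the answers and are the practitioner's caveats here. First, preauth is placed before pam_unix.so but authfail and authsucc are placed after it, as in the example in the pam_faillock(8) manual page: Ubuntu's stock line is `auth [success=1 default=ignore] pam_unix.so`, so a correct password skips authfail and lands on authsucc (which resets the counter), while a wrong password falls through to authfail, which records the failure and ends the stack with `[default=die]`. Second, deny, unlock_time and even_deny_root go into /etc/security/faillock.conf instead of being repeated on every module line (module arguments override that file). The function names, the STAGE_DIR variable and the staging layout are this example's own; the file paths are the ones from the question and answers. It assumes Ubuntu 22.04 or 24.04 (libpam-modules 1.4 or later, which is where pam_faillock and faillock.conf first appear; Ubuntu 20.04 ships PAM 1.3.1 without pam_faillock, and 24.04 ships 1.5.x without pam_tally2) and an unmodified common-auth.

```shell
#!/bin/sh
# Added example (not from either answer): stage the three Ubuntu controls under
# a directory for review; nothing here writes to /etc.
# Assumes Ubuntu 22.04/24.04 and a stock common-auth with
# "auth [success=1 default=ignore] pam_unix.so".
set -e

# 1. Lockout: preauth before pam_unix.so, authfail + authsucc after it.
render_common_auth() {   # $1 = existing common-auth; hardened copy to stdout
    awk '
        /^auth[ \t].*pam_unix\.so/ && !done {
            print "auth\trequired\t\t\tpam_faillock.so preauth silent"
            print                       # the original pam_unix.so line
            print "auth\t[default=die]\t\t\tpam_faillock.so authfail"
            print "auth\tsufficient\t\t\tpam_faillock.so authsucc"
            done = 1
            next
        }
        { print }
    ' "$1"
}

# Without this, services that run only the account stack ignore the lock.
render_common_account() {   # $1 = existing common-account
    printf 'account\trequired\t\t\tpam_faillock.so\n'
    cat "$1"
}

# Thresholds live in faillock.conf; module-line arguments would override them.
render_faillock_conf() {
    cat <<'EOF'
deny = 3
unlock_time = 600
even_deny_root
audit
EOF
}

# 2. Idle timeout. readonly blocks "unset TMOUT" in this shell only; a freshly
#    exec'd shell inherits the value but not the readonly attribute.
render_timeout_sh() {
    cat <<'EOF'
TMOUT=600
readonly TMOUT
export TMOUT
EOF
}

# 3. No history: nothing kept in memory, existing file truncated, no file written.
render_no_history_sh() {
    cat <<'EOF'
export HISTSIZE=0
export HISTFILESIZE=0
unset HISTFILE
EOF
}

# Render everything under $1 (mirrors /etc), reading the live PAM files from $2.
stage_controls() {
    stage=$1
    pamd=${2:-/etc/pam.d}
    mkdir -p "$stage/pam.d" "$stage/security" "$stage/profile.d"
    render_common_auth "$pamd/common-auth" > "$stage/pam.d/common-auth"
    render_common_account "$pamd/common-account" > "$stage/pam.d/common-account"
    render_faillock_conf > "$stage/security/faillock.conf"
    render_timeout_sh > "$stage/profile.d/timeout.sh"
    render_no_history_sh > "$stage/profile.d/no-history.sh"
    chmod 0644 "$stage/pam.d/"* "$stage/security/faillock.conf" "$stage/profile.d/"*
    echo "staged under $stage; review with: diff -ru /etc/pam.d $stage/pam.d"
}

# Order check on a rendered common-auth: preauth, pam_unix, authfail, authsucc.
# Returns non-zero (and prints FAIL) on any other arrangement.
check_common_auth() {   # $1 = common-auth to inspect
    order=$(awk '/pam_faillock.*preauth/ {printf "P"} /pam_unix\.so/ {printf "U"}
                 /pam_faillock.*authfail/ {printf "F"} /pam_faillock.*authsucc/ {printf "S"}' "$1")
    [ "$order" = "PUFS" ] && echo "OK: $1" || { echo "FAIL: $1 (order $order)"; return 1; }
}

# Usage: STAGE_DIR=/tmp/stage sh stage-controls.sh
[ -z "${STAGE_DIR:-}" ] || { stage_controls "$STAGE_DIR"; check_common_auth "$STAGE_DIR/pam.d/common-auth"; }
```

After reviewing the diff, copy the staged files to /etc/pam.d/, /etc/security/faillock.conf and /etc/profile.d/. Two things to check afterwards: `sudo faillock --user <name>` lists the recorded failures for an account and `sudo faillock --user <name> --reset` clears them, which is how to confirm the counter is actually incrementing on a wrong password and resetting on a correct one; and because Ubuntu's common-* files are generated by pam-auth-update, keep a copy of your edited versions, since pam-auth-update warns about local modifications when a package later changes a PAM profile. TMOUT and the history settings are shell-side conveniences rather than enforced controls: a user who is already logged in can start another shell and drop them, so they complement, not replace, sshd-side and session-level limits.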
