Setting up login controls
You can set up login controls in the /etc/security/login.cfg file.
To make it harder to attack a system with password guessing, set up login controls in the /etc/security/login.cfg file as follows:
Attribute | Applies to PTYs (Network) | Applies to TTYs | Recommended Value | Comments |
---|---|---|---|---|
sak_enabled | Y | Y | false | The Secure Attention key is rarely needed. See Using the Secure Attention Key. |
logintimes | N | Y | Specify allowed login times here. | |
logindisable | N | Y | 4 | Disable login on this terminal after 4 consecutive failed attempts. |
logininterval | N | Y | 60 | The terminal is disabled when the specified number of invalid attempts has been made within 60 seconds. |
loginreenable | N | Y | 30 | Re-enable the terminal 30 minutes after it was automatically disabled. |
logindelay | Y | Y | 5 | The time in seconds between login prompts. This is multiplied by the number of failed attempts; for example, 5, 10, 15, 20 seconds when 5 is the initial value. |
These port restrictions work mostly on attached serial terminals, not on pseudo-terminals used by network logins. You can specify explicit terminals in this file, for example:
/dev/tty0:
        logintimes = 0600-2200
        logindisable = 5
        logininterval = 80
        loginreenable = 20
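To check a terminal's stanza against the table, the following added example (not part of the original documentation) parses stanza text and reports each attribute whose effective value differs from the recommended one. The function names are hypothetical, and two things are assumptions not stated on this page: that a port stanza overrides a `default` stanza, and that lines starting with `*` are comments.

```python
RECOMMENDED = {  # values copied from the "Recommended Value" column of the table
    "sak_enabled": "false",
    "logindisable": "4",
    "logininterval": "60",
    "loginreenable": "30",
    "logindelay": "5",
}

def parse_stanzas(text):
    """Parse 'name:' headers followed by 'attr = value' lines into a dict of dicts."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):  # assumption: '*' starts a comment line
            continue
        if line.endswith(":") and "=" not in line:
            current = stanzas.setdefault(line[:-1].strip(), {})
        elif "=" in line and current is not None:
            attr, value = line.split("=", 1)
            current[attr.strip()] = value.strip()
    return stanzas

def audit(text, port):
    """Return {attr: (effective_value, recommended)} for each attribute that deviates."""
    stanzas = parse_stanzas(text)
    # assumption: a port stanza overrides the 'default' stanza attribute by attribute
    effective = {**stanzas.get("default", {}), **stanzas.get(port, {})}
    findings = {}
    for attr, want in RECOMMENDED.items():
        have = effective.get(attr)  # None means the attribute is not set anywhere
        if have != want:
            findings[attr] = (have, want)
    return findings

# Constructed sample: a default stanza plus the /dev/tty0 stanza shown above.
SAMPLE = """\
default:
        sak_enabled = false
        logindelay = 5

/dev/tty0:
        logintimes = 0600-2200
        logindisable = 5
        logininterval = 80
        loginreenable = 20
"""
if __name__ == "__main__":
    for attr, (have, want) in sorted(audit(SAMPLE, "/dev/tty0").items()):
        print(f"/dev/tty0 {attr}: found {have!r}, recommended {want!r}")
```

A finding means only that the value differs from the table; `logintimes` is not checked because the table leaves its value site-specific.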