Обсуждение: User to get locked after three wrong login attempts.

Praneel Devisetty <devisettypraneel@gmail.com> writes:
> We have a requirement , where we require a user to get locked after three
> wrong login attempts.

The usual recommendation is to configure Postgres to use PAM
authentication; then you can set up any weird requirements like
this one in the PAM configuration.

            regards, tom lane

Greetings,

* Tom Lane (tgl@sss.pgh.pa.us) wrote:
> Praneel Devisetty <devisettypraneel@gmail.com> writes:
> > We have a requirement , where we require a user to get locked after three
> > wrong login attempts.
>
> The usual recommendation is to configure Postgres to use PAM
> authentication; then you can set up any weird requirements like
> this one in the PAM configuration.

Unfortunately, it's a pain to set up PAM and there's a lot of things in
the PAM stack which can't be used because PostgreSQL doesn't run as
root.  We should really have a better solution to this pretty commonly
asked for capability; I'm hoping to find time soon to hack on that.

Thanks!

Stephen

Stephen Frost <sfrost@snowman.net> writes:

> Greetings,
>
> * Tom Lane (tgl@sss.pgh.pa.us) wrote:
>> Praneel Devisetty <devisettypraneel@gmail.com> writes:
>> > We have a requirement , where we require a user to get locked after three
>> > wrong login attempts.
>> 
>> The usual recommendation is to configure Postgres to use PAM
>> authentication; then you can set up any weird requirements like
>> this one in the PAM configuration.
>
> Unfortunately, it's a pain to set up PAM and there's a lot of things in
> the PAM stack which can't be used because PostgreSQL doesn't run as
> root.  We should really have a better solution to this pretty commonly
> asked for capability; I'm hoping to find time soon to hack on that.
>
> Thanks!
>
> Stephen

These days, I think the better solution is to have this functionality in
a central system. Putting aside that it is an 'outdated' auditor
requirement, what the auditor really wants to see is that access to ALL
systems is locked after 3 failed authentication attempts (for a period
e.g. 5 minutes). Having a centralised system also has the benefit of
'same login', so your users have the same username and password across
all services in the organisation and 1 central and consistent place for
password management.

I would suggest looking at what can be achieved with oepnLDAP and/or
Active Directory/Kerberos.

Note that the tricky part with this approach in the era of multiple
devices is getting the parameters tweaked correctly. It is not as easy
as just saying 'after 3 failed logins, lock the account'. You need to
consider what happens when someone changes their password and has
multiple devices logged into different services (e.g. mail). As soon as
the password has changed, some of these devices will begin to fail and
this will happen before the user can open each device and change the
password. If the policy is to restrictive, by the time they do this,
their account is locked and they cannot change the password - now they
are caught in a vicious cycle. Most lockout mechanisms have parameters
you can set to avoid this issue.

Tim
-- 
Tim Cross

To elaborate, you should explain to the auditor that this introduces a huge denial-of-service vulnerability into your system. Anyone can start hammering on everyone else's accounts, and with a fairly trivial script, lock the entire company out of all accounts. This is a terrible idea.

Craig James <cjames@emolecules.com> writes:

> On Wed, Sep 5, 2018 at 3:09 PM, Tim Cross <theophilusx@gmail.com> wrote:
>
>>
>> Stephen Frost <sfrost@snowman.net> writes:
>>
>> > Greetings,
>> >
>> > * Tom Lane (tgl@sss.pgh.pa.us) wrote:
>> >> Praneel Devisetty <devisettypraneel@gmail.com> writes:
>> >> > We have a requirement , where we require a user to get locked after
>> three
>> >> > wrong login attempts.
>> >>
>> >> The usual recommendation is to configure Postgres to use PAM
>> >> authentication; then you can set up any weird requirements like
>> >> this one in the PAM configuration.
>> >
>> > Unfortunately, it's a pain to set up PAM and there's a lot of things in
>> > the PAM stack which can't be used because PostgreSQL doesn't run as
>> > root.  We should really have a better solution to this pretty commonly
>> > asked for capability; I'm hoping to find time soon to hack on that.
>> >
>> > Thanks!
>> >
>> > Stephen
>>
>> These days, I think the better solution is to have this functionality in
>> a central system. Putting aside that it is an 'outdated' auditor
>> requirement ...
>
>
> To elaborate, you should explain to the auditor that this introduces a huge
> denial-of-service vulnerability into your system. Anyone can start
> hammering on everyone else's accounts, and with a fairly trivial script,
> lock the entire company out of all accounts. This is a terrible idea.
>

Unfortunately, that is a reflection of the poor standard of most
auditors. They are rarely technical people and just follow a rule
book. Most of their rules are outdated and many are wrong. For example,
many still require 'complex' passwords consisting of mixed case,
punctuation/special characters etc. This is despite the fact the person
who originally proposed such a scheme has actually come out and
apologised and said he had it wrong (plus this 'standard' was removed
from NIST standards over 2 years ago) and ignores the changes in
technologies which has changed the threat (i.e. rainbow tables etc now
mean length is far more important than complexity).  

The 'trick' with auditors is to only answer what they ask and answer in
such a way that what you say is true, but perhaps open to favourable
interpretation. e.g.

Auditor: do your accounts get locked after X failed login attempts
Answer: We use Active directory for our Windows domain, which has the
failed login policy enabled.
Auditor: Ah yes, I know about that - good, I will mark you as
compliant.

rather than

Answer: Well sort of. We have AD for our windows accounts which has the
failed login policy enabled, but some of our systems, like Postgres,
don't use that service.
Auditor: So do you get locked if you try to login to postgres and fail X
times
Answer: No
Auditor: Oh dear, I will have to mark you as non-compliant.



-- 
Tim Cross

On 09/05/2018 05:28 PM, Tim Cross wrote:
[snip]
> Unfortunately, that is a reflection of the poor standard of most
> auditors. They are rarely technical people and just follow a rule
> book. Most of their rules are outdated and many are wrong. For example,
> many still require 'complex' passwords consisting of mixed case,
> punctuation/special characters etc. This is despite the fact the person
> who originally proposed such a scheme has actually come out and
> apologised and said he had it wrong (plus this 'standard' was removed
> from NIST standards over 2 years ago) and ignores the changes in
> technologies which has changed the threat (i.e. rainbow tables etc now
> mean length is far more important than complexity).
>
> The 'trick' with auditors is to only answer what they ask and answer in
> such a way that what you say is true, but perhaps open to favourable
> interpretation. e.g.
>
> Auditor: do your accounts get locked after X failed login attempts
> Answer: We use Active directory for our Windows domain, which has the
> failed login policy enabled.
> Auditor: Ah yes, I know about that - good, I will mark you as
> compliant.
>
> rather than
>
> Answer: Well sort of. We have AD for our windows accounts which has the
> failed login policy enabled, but some of our systems, like Postgres,
> don't use that service.
> Auditor: So do you get locked if you try to login to postgres and fail X
> times
> Answer: No
> Auditor: Oh dear, I will have to mark you as non-compliant.

Sadly, our auditors are a bit cleverer.  "Send us a screenshot showing that 
Server X gets locked out after three failed tries." Naturally, Server X runs 
Postgres.

-- 
Angular momentum makes the world go 'round.

On 06/09/2018 01:28, Tim Cross wrote:
> Craig James <cjames@emolecules.com> writes:
>
>> On Wed, Sep 5, 2018 at 3:09 PM, Tim Cross <theophilusx@gmail.com> wrote:
>>
>>> Stephen Frost <sfrost@snowman.net> writes:
>>>
>>>> Greetings,
>>>>
>>>> * Tom Lane (tgl@sss.pgh.pa.us) wrote:
>>>>> Praneel Devisetty <devisettypraneel@gmail.com> writes:
>>>>>> We have a requirement , where we require a user to get locked after
>>> three
>>>>>> wrong login attempts.
>>>>> The usual recommendation is to configure Postgres to use PAM
>>>>> authentication; then you can set up any weird requirements like
>>>>> this one in the PAM configuration.
>>>> Unfortunately, it's a pain to set up PAM and there's a lot of things in
>>>> the PAM stack which can't be used because PostgreSQL doesn't run as
>>>> root.  We should really have a better solution to this pretty commonly
>>>> asked for capability; I'm hoping to find time soon to hack on that.
>>>>
>>>> Thanks!
>>>>
>>>> Stephen
>>> These days, I think the better solution is to have this functionality in
>>> a central system. Putting aside that it is an 'outdated' auditor
>>> requirement ...
>>
>> To elaborate, you should explain to the auditor that this introduces a huge
>> denial-of-service vulnerability into your system. Anyone can start
>> hammering on everyone else's accounts, and with a fairly trivial script,
>> lock the entire company out of all accounts. This is a terrible idea.
 From what I have gathered they try to protect the system from the admins rather than the users.
> Unfortunately, that is a reflection of the poor standard of most
> auditors. They are rarely technical people and just follow a rule
> book. Most of their rules are outdated and many are wrong. For example,
> many still require 'complex' passwords consisting of mixed case,
> punctuation/special characters etc. This is despite the fact the person
> who originally proposed such a scheme has actually come out and
> apologised and said he had it wrong (plus this 'standard' was removed
> from NIST standards over 2 years ago) and ignores the changes in
> technologies which has changed the threat (i.e. rainbow tables etc now
> mean length is far more important than complexity).
>
> The 'trick' with auditors is to only answer what they ask and answer in
> such a way that what you say is true, but perhaps open to favourable
> interpretation. e.g.
>
> Auditor: do your accounts get locked after X failed login attempts
> Answer: We use Active directory for our Windows domain, which has the
> failed login policy enabled.
> Auditor: Ah yes, I know about that - good, I will mark you as
> compliant.
>
> rather than
>
> Answer: Well sort of. We have AD for our windows accounts which has the
> failed login policy enabled, but some of our systems, like Postgres,
> don't use that service.
> Auditor: So do you get locked if you try to login to postgres and fail X
> times
> Answer: No
> Auditor: Oh dear, I will have to mark you as non-compliant.
^^^ exactly.
We have freeipa in place (via ldap in pg_hba.conf) and it does what they (auditors) ask + more.
Things get even more complicated when requirements come from different authorities e.g.
SOX + GDPR, the first asks for logs to be kept at least X years, the second gives the option for a person to delete his
recordsor the records that contain info about him/her older than Y years. As a 
 
result, the company spends considerable resources going around in circles.
>
>
>

-- 
Achilleas Mantzios
IT DEV Lead
IT DEPT
Dynacom Tankers Mgmt