Faillock's default setting locked me out of my own account while testing fail2ban

Testing fail2ban, I was suddenly locked out of my account on my own computer. This is a default security thing (faillock) which Manjaro installs without informing the installer (that I can recall). I know Manjaro is oriented toward simple client users, but still, some prominent warning somewhere (or did I miss it during install?) would be a good idea.

What did you expect - it is per design :slight_smile:

fail2ban is not provided with a default installation and after installing fail2ban you need to start a service before it takes effect.

So there is no need for prominent warnings :slight_smile:

Manjaro systems lock the user account after some login attempts - three (3) I verified. This data is stored in /run - so simply restarting will reset the lock.

See /etc/security/faillock.conf for the details

I am not sure about fail2ban - it is also configurable - but I don’t know the defaults.

See the folder /etc/fail2ban for default configurations

You tried to brute-force your login and faillock locked you out for 15 minutes? Great, it works. Me personally, I would not install an OS that has this disabled and is thus susceptible to brute-force attacks. To deliberately turn this off would mean the devs are pretty incompetent.
So no warning is needed for something that is normal and expected.


Yes, faillock is a good idea but it would have been nice to configure it during installation: as in how many attempts before lock / how long until unlock, with the typical “accept defaults” or “custom config” during system installation, don’t you think?

That is what reading the docs is for.

And you cannot say you didn’t have the chance - because the service is not enabled by default - you have done so explicitly by yourself.

What is more, fail2ban is not designed for a workstation; it is designed for a server which exposes critical services to an untrusted, insecure network.

So, enabling the service on a personal computer and then testing the effect - you asked for it.

It works - you confirmed it - now disable, if it is on your personal workstation/laptop.

Imagine what happens when someone knows your username and tries to brute-force your password: exactly the same would happen, and you would look at your system and be very puzzled why you cannot log in - until it dawns on you.

Why would that be necessary?

  1. it is not available with a default installation
  2. you have to explicitly sync it
  3. you have to explicitly enable and start the service

So, in my opinion, you are barking up the wrong tree here, and I also think you learned something for your next experiment, right :slight_smile:


@linux-aarhus I think he means the faillock setting (for login and sudo), not the program fail2ban.

Well, there is no way to configure everything in the installer. There are many thousands of settings, nobody would want to click for days to accept the defaults.


Fail2ban and faillock have nothing to do with each other; this is different.

Configure fail2ban properly to exclude localhost from getting banned:

ignoreip = 127.0.0.1/8 ::1

Faillock is the default in most distributions, I think. This is basic security: someone tries to get into your computer by trying passwords, and the account gets locked for some time.


I think that is exactly what is meant, because it says so.

And faillock is reset when you restart the system because the counter is stored in /run/faillock - thus it is reset on reboot.

It’s a standard security feature - why wouldn’t you expect it to be default?

Have you checked the man page?

man faillock

# tl;dr

# log into a tty as root
# obviously replace {user} with your username
faillock --user {user} --reset

If you want to change the number of attempts then edit /etc/security/faillock.conf.

# Deny access if the number of consecutive authentication failures
# for this user during the recent interval exceeds n tries.
# The default is 3.
# deny = 3

Not really - would you like hundreds of other things to configure just because other people didn’t want to learn about their OS?

EDIT:

No, me neither; fail2ban isn’t default but faillock is.

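A small sh helper, added here and not taken from any post in the thread, that reports which faillock.conf settings are actually active. The point it illustrates is the one above: a line like `# deny = 3` in the shipped file is a comment documenting the compiled-in default, not a setting, so only uncommented `key = value` lines change anything. The defaults it falls back on (deny=3, fail_interval=900, unlock_time=600) are the ones documented in faillock.conf(5); the sample config it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Report the effective value of a pam_faillock setting from a faillock.conf
# style file: the last uncommented "key = value" line wins, otherwise the
# documented default applies. Defaults are from faillock.conf(5).
faillock_setting() {
    key=$1
    file=$2
    case "$key" in
        deny)          default=3   ;;   # failures before lockout
        fail_interval) default=900 ;;   # seconds in which failures are counted
        unlock_time)   default=600 ;;   # seconds until automatic unlock
        *) echo "unknown key: $key" >&2; return 1 ;;
    esac
    # Skip comment lines entirely, so "# deny = 3" never counts as a setting.
    value=$(awk -v k="$key" '
        /^[[:space:]]*#/ { next }
        /=/ {
            split($0, kv, "=")
            gsub(/[[:space:]]/, "", kv[1])
            gsub(/[[:space:]]/, "", kv[2])
            if (kv[1] == k) v = kv[2]
        }
        END { if (v != "") print v }
    ' "$file")
    printf '%s\n' "${value:-$default}"
}

# Constructed sample config (not a real system file): deny stays commented,
# unlock_time is overridden, fail_interval is not mentioned at all.
write_sample_conf() {
    cat > "$1" <<'EOF'
# deny = 3
# unlock_time = 600
unlock_time = 900
dir = /run/faillock
EOF
}

# Demo: expected output is deny=3 unlock_time=900 fail_interval=900
sample=$(mktemp)
write_sample_conf "$sample"
for k in deny unlock_time fail_interval; do
    printf '%s=%s\n' "$k" "$(faillock_setting "$k" "$sample")"
done
rm -f "$sample"
```

Run it against the real file with `faillock_setting deny /etc/security/faillock.conf` to see what your own system enforces.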

Just to clarify - I was testing fail2ban. But faillock is what locked me out of my own computer (as it was configured to do). My only point is this was a surprise to me and I don’t recall setting up faillock or being offered any notice of faillock configuration while I installed Manjaro. Bad on me I guess.

Now I know …
