11.6. Setting Account Lockout Policies

A brute force attack occurs when a malefactor attempts to guess a password by simply slamming the server with multiple login attempts. An account lockout policy prevents brute force attacks by blocking an account from logging into the system after a certain number of login failures — even if the correct password is subsequently entered.

There are three parts to the account lockout policy:

The number of failed login attempts before the account is locked (--maxfail).
How long an account is locked after the max number of failures is reached (--lockouttime). This is in seconds.
The time after a failed login attempt before the counter resets (--failinterval). Since mistakes do happen honestly, the count of failed attempts is not kept forever; it naturally lapses after a certain amount of time. This is in seconds.

These can all be set when a password policy is created with pwpolicy-add or added later using pwpolicy-mod. For example:

$ ipa pwpolicy-mod examplegroup --maxfail=4 --lockouttime=600 --failinterval=30

NOTE

The account lockout policy priority cannot be set or modified in the UI.