Re: nessus plugin lock out root account

[Jason Haar <Jason.Haar_at_trimble.co.nz>]

Nicolas Pouvesle wrote:

> On Jun 1, 2005, at 4:06 PM, Waheed Qureshi wrote:
>
> > Hi all,
> >
> > This is sort of an emergency. Running a scan against
> > one of our clients with "allbutdangerous" enable
> > causes some of their nix boxes to lock the root
> > account via ssh, telnet and ftp. Nothing is obvious in
> > the "allbutdangerous" file and per my understanding,
> > Nessus does not do active checks while running in the
> > safe mode (without dangerous plugins), so what’s going
> > on?
>
>
>
> Nessus tries to logon with default password.  I suspect the policy is  
> defined to lock account after X bad connections.

Also note that it is considered dangerous to allow administrator 
accounts such as root to have  "lock out" policies applied to it. M$ 
Windows "Administrator" account specifically has the account "lock out" 
policy disabled for this very reason. If they have Windows on this 
network, and claim a legal requirement to have account "lock out" on 
Admin accounts, please ask to explain why this doesn't apply to the 
Windows systems.

The whole point of the "lock out" policy is to try to limit the 
possibility of brute-forcing passwords. If you have a good, long root 
password, *this will never happen*. (please, no-one argue that a 
network-based brute force will ever succeed in a real timeframe against 
a good password. Not only that, but there is no reason you can't still 
ALERT on failed login attempts)

Think of it this way: you have just provided a mechanism by which *any* 
unprivileged network connection on your network can stop you logging in 
as root - not just Nessus...

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1