
We are getting dinged on a federal audit because OpenVPN does not appear to support invalid login restrictions (i.e., only 3 before the account is locked).

Has anyone else experienced this? We are leveraging local Linux accounts via PAM for the VPN, and while our PAM settings lock an account after 3 bad auth attempts (and this is functioning if you attempt bad SSH logins), OpenVPN doesn't appear to communicate these to the PAM module which counts them. As such, bad auth attempts via the OpenVPN client do not result in the user's Linux account being locked.

Has anyone experienced or remediated this in the past? I have not been able to find any information on this via searching.

thak

0 Answers