Thursday, September 10, 2015

Failed login control on RHEL6 with pam_tally2

pam_tally2 module is available in RHEL and CentOS and it can be used to protect your system against bruteforce attacks.

Enabling pam_tally2

Edit /etc/pam.d/password-auth and add this line on top of the auth lines:
auth        required      pam_tally2.so onerr=fail deny=3 unlock_time=900

Then add following line on top of the account lines:
account required pam_tally2.so

Parameters to this module are simple:
onerr=fail
If something weird happens (like unable to open the file), return with PAM_SUCCESS if onerr=succeed is given, else with the corresponding PAM error code. 

deny=3 
Deny access if tally for this user exceeds 3 times.

unlock_time=900 
Allow access after 900 seconds (15 minutes) after failed attempt. If this option is used the user will be locked out for the specified amount of time after he exceeded his maximum allowed attempts. If this option is not set administrator will need to unlock user's account manually.

Check if you have following options set in /etc/ssh/sshd_config:
UsePAM yes
ChallengeResponseAuthentication yes


Testing pam_tally2

login as: pajarito
Using keyboard-interactive authentication.
Password:
Access denied
Using keyboard-interactive authentication.
Password:
Access denied
Using keyboard-interactive authentication.
Password:
Access denied
Using keyboard-interactive authentication.
Account locked due to 3 failed logins
Password:


As you can see after third attempt user's account was locked.


Verifying and unlocking users

To check current pam_tally2 statistics run pam_tally2 command:
# pam_tally2
Login           Failures Latest failure     From
jsmith              3    09/09/15 15:17:21  evil.attacker.com

To unlock a user use the "-r" flag:
# pam_tally2 -u pajarito -r
Login           Failures Latest failure     From
jsmith              3    09/09/15 15:20:49  evil.attacker.com

Finally if the output of pam_tally2 is empty it means that no account has been locked.

Monday, September 7, 2015

Automated partition creation with fdisk and sfdisk

To perform automated partition creation or modification you can pass all the commands via echo directly to fdisk:

echo -e "o\nn\np\n1\n\n\nw" | fdisk /dev/sdc

The commands are:
o - create a new empty DOS partition table
n - add a new partition
p - create primary partition
(enter) - set first cylinder to the default value (1)
(enter) - set the last cylinder to the default value (end of the drive)
w - write table to disk and exit




Quick way to clone partition table from one drive to another


You can use sfdisk to save the partition table from the already prepared drive and copy it to another.

As you can see below "-d" option will create a text file which can be easily altered if needed.

[root@centos ~]# sfdisk -d /dev/sdb > file
 

[root@centos ~]# cat file
# partition table of /dev/sdb
unit: sectors

/dev/sdb1 : start=       63, size=  1044162, Id=83
/dev/sdb2 : start=        0, size=        0, Id= 0
/dev/sdb3 : start=        0, size=        0, Id= 0
/dev/sdb4 : start=        0, size=        0, Id= 0
 

[root@centos ~]# sfdisk /dev/sdc < file
# sfdisk /dev/sdc < file
Checking that no-one is using this disk right now ...
OK

Disk /dev/sdc: 65 cylinders, 255 heads, 63 sectors/track
 /dev/sdc: unrecognized partition table type
Old situation:
No partitions found
New situation:
Units = sectors of 512 bytes, counting from 0

   Device Boot    Start       End   #sectors  Id  System
/dev/sdc1            63   1044224    1044162  83  Linux
/dev/sdc2             0         -          0   0  Empty
/dev/sdc3             0         -          0   0  Empty
/dev/sdc4             0         -          0   0  Empty
Warning: no primary partition is marked bootable (active)
This does not matter for LILO, but the DOS MBR will not boot this disk.
Successfully wrote the new partition table

Re-reading the partition table ...

If you created or changed a DOS partition, /dev/foo7, say, then use dd(1)
to zero the first 512 bytes:  dd if=/dev/zero of=/dev/foo7 bs=512 count=1
(See fdisk(8).)

Friday, September 4, 2015

Simple process monitoring script with email alerting

If you don't have or don't want to install additional software for system/application monitoring (like Nagios, Zabbix, Munin, Big Brother, etc.) you may use this simple script:


#!/bin/bash

MAIL="your@email.address"
PROGRAM="httpd"
HOST=$(uname -n)
DATE=$(date)
TMPFILE=/var/tmp/monitor-$(PROGRAM).lock

OUTPUT=$(ps -ef | grep -c "$PROGRAM")
if [ $OUTPUT -eq 1 ]; then

  if [ -f $TMPFILE ]; then
    echo "Lock file exists"
  else
    echo "$DATE $HOST program \"$PROGRAM\" is not running" | mailx -s "\"$PROGRAM\" is not running on $HOST" $MAIL
    touch $TMPFILE

  fi
fi


In PROGRAM variable put the name of the process that you expect to be running, make sure that the monitoring script name will not contain the same string.
Basically, if the program is running "ps -ef | grep program" will return 2 or more rows (one with the program itself and the second one with "grep program").
Otherwise it will only return one row ("grep program") which will trigger the alert and you will get an email.
By creating TMPFILE script will avoid bothering you again and again about the same issue.
Make sure to remove that file after you restart monitored process.

Once the script is ready save it and add to cron, i.e.:
$ crontab -e
* * * * * /path/to/the/script > /dev/null 2>&1