Enabling pam_tally2
Edit /etc/pam.d/password-auth and add this line on top of the auth lines:
auth required pam_tally2.so onerr=fail deny=3 unlock_time=900
Then add the following line on top of the account lines:
account required pam_tally2.so
The parameters to this module are simple:
onerr=fail
If something unexpected happens (for example, the tally file cannot be opened), return PAM_SUCCESS if onerr=succeed is given, otherwise return the corresponding PAM error code.
deny=3
Deny access once the tally of failed attempts for this user exceeds 3.
unlock_time=900
Allow access again 900 seconds (15 minutes) after the last failed attempt. With this option, the user is locked out for the specified amount of time after exceeding the maximum allowed attempts. Without it, an administrator must unlock the user's account manually.
Check that the following options are set in /etc/ssh/sshd_config:
UsePAM yes
ChallengeResponseAuthentication yes
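The two edits above and the two sshd_config settings are easy to get subtly wrong (a typo in onerr=, a missing account line, a commented-out UsePAM). The script below is an added example, not part of the original post: it audits both files and reports what is missing or weak. The file paths are passed as arguments so the checks can be run against copies or test fixtures; the file name check_pam_tally2.sh is an assumed name for this script. It does not handle sshd_config Match blocks.

```shell
#!/bin/sh
# Added example (not from the original post): audit the pam_tally2 setup.
# Real paths: /etc/pam.d/password-auth and /etc/ssh/sshd_config.

# check_pam_tally2 FILE MAX_DENY
# Returns 0 when FILE has an "auth required pam_tally2.so" line carrying
# onerr=fail, a deny= value no larger than MAX_DENY and an unlock_time=,
# plus an "account required pam_tally2.so" line. Prints each finding.
check_pam_tally2() {
    file=$1
    max_deny=${2:-3}
    rc=0
    auth_line=$(grep -E '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_tally2\.so' "$file" | head -n 1)
    if [ -z "$auth_line" ]; then
        echo "MISSING: auth required pam_tally2.so in $file"
        return 1
    fi
    case " $auth_line " in
        *" onerr=fail "*) ;;
        *) echo "WEAK: onerr=fail not set (a module failure would not deny access)"; rc=1 ;;
    esac
    deny=$(printf '%s\n' "$auth_line" | sed -n 's/.*deny=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$deny" ]; then
        echo "MISSING: deny= on the pam_tally2 auth line"; rc=1
    elif [ "$deny" -gt "$max_deny" ]; then
        echo "WEAK: deny=$deny exceeds $max_deny"; rc=1
    fi
    case " $auth_line " in
        *" unlock_time="*) ;;
        *) echo "NOTE: unlock_time not set; locked users must be unlocked manually with pam_tally2 -r" ;;
    esac
    grep -Eq '^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_tally2\.so' "$file" \
        || { echo "MISSING: account required pam_tally2.so in $file"; rc=1; }
    return $rc
}

# sshd_option FILE KEYWORD
# Prints the value of the first uncommented KEYWORD line in FILE
# (sshd uses the first value it reads; keywords are case-insensitive).
sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# check_sshd FILE
# Returns 0 when UsePAM and ChallengeResponseAuthentication are both
# explicitly "yes", which is what the post requires for the tally to count
# ssh failures.
check_sshd() {
    rc=0
    for key in UsePAM ChallengeResponseAuthentication; do
        val=$(sshd_option "$1" "$key")
        if [ "$val" != "yes" ]; then
            echo "WEAK: $key is '${val:-unset}' in $1 (needs to be yes)"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_pam_tally2.sh /etc/pam.d/password-auth /etc/ssh/sshd_config
if [ "$#" -eq 2 ]; then
    check_pam_tally2 "$1" 3
    check_sshd "$2"
fi
```

The exit status is non-zero whenever a required piece is missing, so the script can be dropped into a configuration check job; the unlock_time finding is only a note, because manual unlocking is a legitimate (if inconvenient) choice.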
Testing pam_tally2
login as: pajarito
Using keyboard-interactive authentication.
Password:
Access denied
Using keyboard-interactive authentication.
Password:
Access denied
Using keyboard-interactive authentication.
Password:
Access denied
Using keyboard-interactive authentication.
Account locked due to 3 failed logins
Password:
As you can see, after the third attempt the user's account was locked.
Verifying and unlocking users
To check the current pam_tally2 statistics, run the pam_tally2 command:
# pam_tally2
Login           Failures Latest failure     From
jsmith              3    09/09/15 15:17:21  evil.attacker.com
To unlock a user, use the "-r" flag:
# pam_tally2 -u pajarito -r
Login           Failures Latest failure     From
jsmith              3    09/09/15 15:20:49  evil.attacker.com
Finally, if the output of pam_tally2 is empty, it means that no account has been locked.
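For a routine check it helps to reduce the pam_tally2 table to just the accounts that have hit the threshold. The function below is an added example, not part of the original post: it reads the table from a file so captured output can be fed to it, skips the header, treats empty output as "nothing locked", and tolerates rows where the From column is empty (local logins). The sample rows in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): reduce pam_tally2 output to
# the accounts at or past the deny threshold.

# locked_users FILE DENY
# Prints "user failures from" for every row whose failure count is >= DENY.
# Columns in the table are: Login Failures Date Time From, so a row has
# five fields when From is present and four when it is empty.
locked_users() {
    awk -v deny="$2" '
        NR == 1 && $1 == "Login" { next }            # column header
        NF < 2 { next }                               # blank or truncated line
        ($2 + 0) >= (deny + 0) {
            from = (NF >= 5) ? $5 : "-"               # "-" when From is empty
            print $1, $2, from
        }
    ' "$1"
}

# Usage: pam_tally2 > /tmp/tally.txt; sh locked_users.sh /tmp/tally.txt 3
if [ "$#" -eq 2 ]; then
    locked_users "$1" "$2"
fi
```

Pair the DENY argument with the deny= value from the PAM line, otherwise the list disagrees with what the module actually enforces.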