RHEL 5 Failed Login Locks

In /etc/pam.d/system-auth:

auth required pam_env.so
# pam_tally counts every authentication attempt and locks the account after
# deny=3 consecutive failures; onerr=fail denies rather than permits if the
# tally file cannot be read. It must sit before the sufficient pam_unix.so
# line, or a correct password succeeds without the tally ever being checked.
auth required pam_tally.so onerr=fail deny=3
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

# The account-phase entry clears the tally once the login succeeds. Without
# it every login, successful or not, leaves the count one higher.
account required pam_tally.so reset
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

Then run a couple of commands to activate everything. One caveat: pam_tally only consults the per-user limits that faillog -m writes when the auth line above also carries the per_user option; without it, deny=3 on that line applies to everyone and the faillog -m values are recorded but not enforced. Check man pam_tally on the host for the options its version supports.

Set the lockout at 3 failed login attempts:
faillog -m 3

Exclude root from this lockout mechanism (pam_tally itself does not deny root unless even_deny_root_account is on the auth line; this keeps faillog's own record consistent with that):
faillog -u root -m 0

faillog records are per UID, so an account created later has no limit until you set one:
faillog -u {username} -m 3

Check a user's current failure count:
faillog -u {username}

A user who fails to log in 3 times stays locked until you reset their tally:
faillog -u {username} -r

Give one user a different limit:
faillog -u {username} -m {number}

In sshd_config you can set MaxAuthTries to one less than your lockout number if desired. Keep in mind that MaxAuthTries only caps the attempts sshd accepts per connection before dropping it; pam_tally still counts every one of those attempts, and a client that simply reconnects keeps adding to the tally until the account locks.
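As an added example that is not part of the original page: a small POSIX shell audit of a system-auth file for the pam_tally setup described above, handy for checking copies pulled from several hosts. The function name check_tally_config and its messages are my own; the checks encode the points made above (a tally line with deny=, that line placed before any sufficient auth module, an account-phase pam_tally.so entry, and whether per_user is set so that faillog -m limits apply). With no argument it audits a copy of the page's own fragment, constructed inline, so it can be tried without touching /etc.

```shell
#!/bin/sh
# Added example, not the page's own code: audit a system-auth file for the
# pam_tally lines a RHEL 5 lockout needs. Function and message names are mine.

# check_tally_config FILE
#   Prints one finding per line. Returns 0 if the file will lock accounts the
#   way the page intends, 1 if something is missing or misordered.
check_tally_config() {
    file=$1
    rc=0
    [ -r "$file" ] || { echo "ERROR: cannot read $file"; return 1; }

    # Line number of the first pam_tally.so entry in the auth stack (empty if none).
    tally_no=$(grep -nE '^[[:space:]]*auth[[:space:]].*pam_tally\.so' "$file" | head -n 1 | cut -d: -f1)
    if [ -z "$tally_no" ]; then
        echo "FAIL: no 'auth ... pam_tally.so' line, so failures are never counted"
        rc=1
    else
        auth_line=$(sed -n "${tally_no}p" "$file")
        case $auth_line in
            *deny=*) ;;
            *) echo "FAIL: auth pam_tally.so has no deny=N, so nothing ever locks"; rc=1 ;;
        esac
        case $auth_line in
            *onerr=fail*) ;;
            *) echo "WARN: auth pam_tally.so lacks onerr=fail; make the fail-closed behaviour explicit" ;;
        esac
        case $auth_line in
            *per_user*) echo "INFO: per_user is set, limits written with 'faillog -m' override deny=N" ;;
            *) echo "INFO: per_user is not set, deny=N applies and 'faillog -m' values are not consulted" ;;
        esac

        # A 'sufficient' module listed before pam_tally.so returns success as soon
        # as the password is right, so a locked user with the correct password
        # would still get in. The page's config has pam_tally before pam_unix.
        suff_no=$(grep -nE '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]' "$file" | head -n 1 | cut -d: -f1)
        if [ -n "$suff_no" ] && [ "$suff_no" -lt "$tally_no" ]; then
            echo "FAIL: an 'auth sufficient' line (line $suff_no) precedes pam_tally.so (line $tally_no); the tally is never checked on a correct password"
            rc=1
        fi
    fi

    # The account-phase entry is what zeroes the counter after a successful login.
    # Without it every login, successful or not, leaves the count one higher.
    if ! grep -qE '^[[:space:]]*account[[:space:]].*pam_tally\.so' "$file"; then
        echo "FAIL: no 'account ... pam_tally.so' line, so successful logins never reset the tally"
        rc=1
    fi

    return $rc
}

# Usage: sh tally_audit.sh /etc/pam.d/system-auth
# With no argument, audit a constructed copy of the page's own fragment.
if [ -n "${1:-}" ]; then
    check_tally_config "$1"
else
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
auth required pam_env.so
auth required pam_tally.so onerr=fail deny=3
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_tally.so reset
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
EOF
    check_tally_config "$sample"
    rm -f "$sample"
fi
```

The ordering check is the one most often missed when people append the tally line to an existing stack: because pam_unix.so is sufficient, anything placed after it only runs when the password was wrong, which bumps the tally but can never deny a correct password.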

[SOLVED] pam_tally.so not resetting failed logins

On a RHEL5.3 box I have my /etc/pam.d/system-auth file just like yours above, however even when a user, say usera, logs in successfully via ssh, faillog shows an incremented login failure count.

However if I login with another user, say userb (which will now have a failed login attempt even though login was successful just like usera above), and then su to usera, faillog will clear out any and all failed login attempts for usera.

It appears su will reset the account after a successful login attempt while using ssh does not. Any suggestions for getting ssh to interact with pam_tally successfully?

[SOLVED]
Not using openssh. Using Reflections for Secure IT SSH. Either it doesn't work properly with pam_tally.so or I have not configured it correctly. However the system-auth file provided works with openssh.

TECH.kulish.com

Technology Junk Drawer