How to Configure SLES Linux to track and log failed login attempt records


Did you know how to lock a user account after too many login failures? Under Linux, you can enable this functionality using PAM and faillog.

To provide the account locking functionality, we need to add a PAM module called pam_tally. Basically I’ll show you how to configure tracking and logging of failed login attempt records on a SLES Linux host, and how to prevent a potential denial of service attack from the repeated locking of user accounts. Beware!

You can use the faillog command to display faillog records or set login failure limits. faillog formats the contents of the failure log from the /var/log/faillog database file. If /var/log/faillog does not exist yet, create it first: touch /var/log/faillog

For the PAM configuration, the pam_tally.so module maintains a count of attempted accesses, can reset the count on success, and can deny access if too many attempts fail. You may refer to http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_tally.html

For SuSE Linux, edit /etc/pam.d/sshd and add:


auth required pam_tally.so no_magic_root
account required pam_tally.so deny=5 no_magic_root lock_time=180 onerr=fail reset per_user

deny=5
Deny access if the tally for this user exceeds 5.

magic_root
If the module is invoked by a user with uid=0, the counter is not incremented. The sysadmin should use this for user-launched services such as su; otherwise this argument should be omitted.

no_magic_root
Avoid locking the root account if the module is invoked by a user with uid=0.

lock_time=180
Always deny for 180 seconds after a failed attempt. There is also an unlock_time=n option, which allows access again n seconds after a failed attempt. If this option is used, the user will be locked out for the specified amount of time after exceeding the maximum allowed attempts. Otherwise the account stays locked until the lock is removed by manual intervention of the system administrator.

onerr=[fail|succeed]
If something weird happens (such as being unable to open the file), return PAM_SUCCESS if onerr=succeed is given, else return the corresponding PAM error code.

reset
Reset the count on successful entry.

no_reset
Don’t reset the count on successful entry, only decrement it.

per_user
If /var/log/faillog contains a non-zero .fail_max/.fail_locktime field for this user, use it instead of the deny=n/lock_time=n parameter.

Save and close the file.

For example, a complete /etc/pam.d/sshd could look like this:

auth     required       pam_unix2.so    # set_secrpc
auth     required       pam_nologin.so
auth     required       pam_env.so
auth     required       pam_tally.so  onerr=fail  no_magic_root
account  required       pam_unix2.so
account  required       pam_nologin.so
account  required       pam_tally.so  deny=5  no_magic_root  lock_time=180  reset  per_user
password required       pam_pwcheck.so
password required       pam_unix2.so    use_first_pass use_authtok
session  required       pam_unix2.so    none
session  required       pam_limits.so

faillog displays faillog records or sets login failure limits.

Display the faillog record for an individual user:
#faillog -u planetmy
Username   Failures  Maximum  Latest
planetmy         0        0  Mon Mar 17 08:43:42 -0100 2008 on host1.example.com

Display faillog records for all users:
#faillog -a
Username   Failures  Maximum  Latest
username1         0        0  Mon Mar 17 08:43:42 -0100 2008 on host1.example.com
username2         0        0  Mon Mar 17 08:43:42 -0100 2008 on host2.example.com

Reset the count of login failures, for all users or for a single user:
#faillog -r
#faillog -u planetmy -r

Or you can use the passwd command with the -l option to unlock accounts.

Set the maximum number of login failures before the account is disabled. The -u option specifies the user and the -m option specifies the maximum attempts. Specifying -1 tells the pam_tally module to exclude that user from locking. Setting the -m value to 0 re-enables the default locking behaviour for that user.
#faillog -m 3 -u planetmy
Username   Failures  Maximum  Latest
planetmy         0        3  Mon Mar 17 08:43:42 -0100 2008 on host1.example.com

Entering faillog -t DAYS will cause only the failures more recent than DAYS days to be printed.
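As an added example that is not part of the original post, the following POSIX shell script parses the output of faillog -a and applies the per_user rule described above (a non-zero Maximum overrides deny=N, and a Maximum of -1 excludes the user) to report which accounts have exceeded their limit. A sudden jump in that count is the symptom of the lockout denial of service mentioned at the top of the post. The faillog output embedded below is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post: report accounts whose failure
# tally exceeds their effective limit, based on `faillog -a` output and the
# deny=N value configured in /etc/pam.d/sshd.

# Constructed sample of `faillog -a` output (same column layout as faillog).
SAMPLE_FAILLOG='Username   Failures  Maximum  Latest
alice             0        0  Mon Mar 17 08:43:42 -0100 2008 on host1.example.com
bob               6        0  Mon Mar 17 09:10:02 -0100 2008 on host1.example.com
carol             4        3  Mon Mar 17 09:12:51 -0100 2008 on host2.example.com
dave              5        0  Mon Mar 17 09:14:20 -0100 2008 on host1.example.com
svc_backup       12       -1  Mon Mar 17 09:15:00 -0100 2008 on host2.example.com'

# locked_users DENY FAILLOG_OUTPUT
# Prints "user failures limit" for every account whose tally exceeds its limit.
locked_users() {
    deny="$1"
    printf '%s\n' "$2" | awk -v deny="$deny" '
        NR == 1 { next }                   # skip the header line
        NF < 3  { next }                   # ignore blank or malformed lines
        {
            user = $1; fails = $2 + 0; max = $3 + 0
            if (max == -1) next            # faillog -m -1: excluded from locking
            limit = (max != 0) ? max : deny  # per_user: non-zero Maximum wins
            if (fails > limit) print user, fails, limit   # deny=N means "exceeds N"
        }'
}

# locked_count DENY FAILLOG_OUTPUT
# Number of locked accounts; many at once points to deliberate lockout rather
# than forgotten passwords, so it is a useful alerting threshold.
locked_count() {
    locked_users "$1" "$2" | wc -l | tr -d ' '
}

# On a real host replace the sample with: locked_users 5 "$(faillog -a)"
locked_users 5 "$SAMPLE_FAILLOG"
```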

Enjoy!
