Thursday, December 10, 2009

pam_tally2 - lock account after failed logins

this post shows how to temporarily block an account after it reaches a certain number of failed logins.
system is a CentOS 5.4 x86_64.

in the file

/etc/pam.d/system-auth

i've added this line at the beginning of the auth section:
auth        required      pam_tally2.so  file=/var/log/tallylog deny=5 quiet unlock_time=3600

then this at the account section:
account     required      pam_tally2.so

the auth line above will lock out an account after 5 failed logins. the user will then have to wait for an hour before the account becomes available again.
the account can be re-enabled immediately by root (or a user with root privileges) by running this:

pam_tally2  -r -u account_name_to_unlock

[root@node02 ~]# tail -20 /var/log/secure

Dec 10 17:10:44 node02 sshd[10623]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=node01-priv  user=oracle
Dec 10 17:10:46 node02 sshd[10623]: Failed password for oracle from 192.168.100.10 port 51233 ssh2
Dec 10 17:10:52 node02 last message repeated 2 times
Dec 10 17:10:52 node02 sshd[10624]: Connection closed by 192.168.100.10
Dec 10 17:10:52 node02 sshd[10623]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=node01-priv  user=oracle
Dec 10 17:10:56 node02 sshd[10626]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=node01-priv  user=erik
Dec 10 17:10:58 node02 sshd[10626]: Failed password for erik from 192.168.100.10 port 51234 ssh2
Dec 10 17:11:07 node02 last message repeated 2 times
Dec 10 17:11:07 node02 sshd[10627]: Connection closed by 192.168.100.10
Dec 10 17:11:07 node02 sshd[10626]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=node01-priv  user=erik
Dec 10 17:11:11 node02 sshd[10629]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=node01-priv  user=oracle
Dec 10 17:11:13 node02 sshd[10629]: Failed password for oracle from 192.168.100.10 port 51235 ssh2
Dec 10 17:11:17 node02 sshd[10629]: Failed password for oracle from 192.168.100.10 port 51235 ssh2
Dec 10 17:11:21 node02 sshd[10629]: pam_tally2(sshd:auth): user oracle (1000) tally 6, deny 5
Dec 10 17:11:23 node02 sshd[10629]: Failed password for oracle from 192.168.100.10 port 51235 ssh2
Dec 10 17:11:23 node02 sshd[10630]: Connection closed by 192.168.100.10
Dec 10 17:11:23 node02 sshd[10629]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=node01-priv  user=oracle
Dec 10 17:11:26 node02 sshd[10631]: pam_tally2(sshd:auth): user oracle (1000) tally 7, deny 5
Dec 10 17:11:27 node02 sshd[10631]: Failed password for oracle from 192.168.100.10 port 51236 ssh2
Dec 10 17:11:28 node02 sshd[10632]: Connection closed by 192.168.100.10
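The log above shows two things worth noticing when you monitor a box with this configuration: pam_tally2 only writes its own message ("tally 6, deny 5") once the tally exceeds deny, so a user like erik who is still under the limit never appears in /var/log/secure as a pam_tally2 event, and syslog collapses repeated failures into "last message repeated N times". The script below is an added example, not part of the original post, that parses the quoted excerpt (embedded as a constructed sample) into per-user failed-password counts and pam_tally2 lockouts; it assumes the classic syslog layout shown above and that a "last message repeated" line refers to the line directly before it.

```python
"""Added example, not from the original post: summarise sshd/PAM lines from
/var/log/secure into failed-password counts and pam_tally2 lockouts per user.
Assumptions: the syslog layout quoted in the post, pam_tally2's
"user X (uid) tally N, deny M" message, and syslog's "last message repeated
N times" compression applying to the line immediately before it."""
import re
from collections import defaultdict

# Constructed sample: the /var/log/secure excerpt quoted in the post.
SAMPLE_LOG = """\
Dec 10 17:10:44 node02 sshd[10623]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=node01-priv  user=oracle
Dec 10 17:10:46 node02 sshd[10623]: Failed password for oracle from 192.168.100.10 port 51233 ssh2
Dec 10 17:10:52 node02 last message repeated 2 times
Dec 10 17:10:52 node02 sshd[10624]: Connection closed by 192.168.100.10
Dec 10 17:10:52 node02 sshd[10623]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=node01-priv  user=oracle
Dec 10 17:10:56 node02 sshd[10626]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=node01-priv  user=erik
Dec 10 17:10:58 node02 sshd[10626]: Failed password for erik from 192.168.100.10 port 51234 ssh2
Dec 10 17:11:07 node02 last message repeated 2 times
Dec 10 17:11:07 node02 sshd[10627]: Connection closed by 192.168.100.10
Dec 10 17:11:07 node02 sshd[10626]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=node01-priv  user=erik
Dec 10 17:11:11 node02 sshd[10629]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=node01-priv  user=oracle
Dec 10 17:11:13 node02 sshd[10629]: Failed password for oracle from 192.168.100.10 port 51235 ssh2
Dec 10 17:11:17 node02 sshd[10629]: Failed password for oracle from 192.168.100.10 port 51235 ssh2
Dec 10 17:11:21 node02 sshd[10629]: pam_tally2(sshd:auth): user oracle (1000) tally 6, deny 5
Dec 10 17:11:23 node02 sshd[10629]: Failed password for oracle from 192.168.100.10 port 51235 ssh2
Dec 10 17:11:23 node02 sshd[10630]: Connection closed by 192.168.100.10
Dec 10 17:11:23 node02 sshd[10629]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=node01-priv  user=oracle
Dec 10 17:11:26 node02 sshd[10631]: pam_tally2(sshd:auth): user oracle (1000) tally 7, deny 5
Dec 10 17:11:27 node02 sshd[10631]: Failed password for oracle from 192.168.100.10 port 51236 ssh2
Dec 10 17:11:28 node02 sshd[10632]: Connection closed by 192.168.100.10
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")
# pam_tally2 logs this line only when it actually denies, i.e. once tally > deny.
TALLY_RE = re.compile(
    r"pam_tally2\([^)]*\): user (?P<user>\S+) \(\d+\) tally (?P<tally>\d+), deny (?P<deny>\d+)")


def summarize(log_text):
    """Return (failures, tallies): failed-password count per user, and the most
    recent (tally, deny) pair pam_tally2 logged for each user."""
    failures = defaultdict(int)
    tallies = {}
    last_failed_user = None  # user of the directly preceding "Failed password" line
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["user"]] += 1
            last_failed_user = m["user"]
            continue
        m = REPEAT_RE.search(line)
        if m:
            # syslog collapsed repeats of the previous line; count them for that
            # user only when the previous line was itself a password failure
            if last_failed_user is not None:
                failures[last_failed_user] += int(m["n"])
            continue
        last_failed_user = None
        m = TALLY_RE.search(line)
        if m:
            tallies[m["user"]] = (int(m["tally"]), int(m["deny"]))
    return dict(failures), tallies


def locked_users(tallies):
    """Users whose last logged tally exceeds deny: pam_tally2 is denying them."""
    return sorted(u for u, (tally, deny) in tallies.items() if tally > deny)


def over_threshold(failures, deny=5):
    """Users whose counted failures exceed deny=N (the configured value in the
    post is 5); this mirrors the tally > deny condition pam_tally2 applies."""
    return sorted(u for u, n in failures.items() if n > deny)


if __name__ == "__main__":
    failures, tallies = summarize(SAMPLE_LOG)
    for user, n in sorted(failures.items()):
        print(f"{user:<10} failed {n:>2}  last tally/deny: {tallies.get(user)}")
    print("locked by pam_tally2:", locked_users(tallies))
    print("above deny=5 by count:", over_threshold(failures))
```

Run against the excerpt, the counts come out as oracle 7 and erik 3, which is exactly what the `pam_tally2` command prints further down, and only oracle is reported as locked. Counting from the "Failed password" lines rather than waiting for a pam_tally2 message is what lets you see users approaching the limit before the lockout happens.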


check the counter

[root@node02 ~]# pam_tally2

Login           Failures Latest failure     From
oracle              7    12/10/09 17:11:26  node01-priv
erik                3    12/10/09 17:11:05  node01-priv


unlock oracle:

[root@node02 ~]# pam_tally2  -r -u oracle

Login           Failures Latest failure     From
oracle              7    12/10/09 17:11:26  node01-priv



re-check, oracle has been cleared and should be able to log in:

[root@node02 ~]# pam_tally2

Login           Failures Latest failure     From
erik                3    12/10/09 17:11:05  node01-priv



Reference:  /usr/share/doc/pam-0.99.6.2/txts/README.pam_tally2

2 comments:

  1. Thanks for sharing... nice guide.
  2. come across this site. nice explanation. Thanks