LinuxQuestions.org
Old 02-15-2012, 11:33 PM   #1
deep27ak
Senior Member
 
Registered: Aug 2011
Location: Bangalore, India
Distribution: RHEL 7.x, SLES 11 SP2/3/4
Posts: 1,195
Blog Entries: 4

Rep: Reputation: 221
account lock after 3 unsuccessful attempts not happening


Hello

I am trying to set up account lock after 3 failed attempts of login but am not getting a positive output.
I followed this page as well, but still no luck:
http://www.linuxquestions.org/questi...-rhel5-624257/
OS: RHEL 5.2
Code:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
auth        required      pam_tally.so onerr=fail deny=3 unlock_time=60

account     required      pam_tally.so reset
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
 
Old 02-16-2012, 12:25 AM   #2
cbtshare
Member
 
Registered: Jul 2009
Posts: 645

Rep: Reputation: 42
All you need to modify is:
Quote:
auth required pam_tally.so no_magic_root
account required pam_tally.so deny=3 no_magic_root lock_time=180

I think auth required pam_tally.so onerr=fail is messing it up.

Last edited by cbtshare; 02-16-2012 at 12:27 AM.
 
Old 02-16-2012, 01:12 AM   #3
deep27ak
Original Poster
Still no luck.
Something similar was here as well:
http://www.cyberciti.biz/tips/rhel-c...led-login.html

here is my current system-auth file
Code:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
auth        required      pam_tally.so no_magic_root

account     required      pam_tally.so deny=3 no_magic_root lock_time=180
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

I am trying to log in with PuTTY and it still goes for 7 attempts before the session gives an error "too many authentication failures for root".
Do I need to restart some service or restart the machine for the changes to take effect?

Last edited by deep27ak; 02-16-2012 at 01:15 AM.
 
Old 02-16-2012, 01:31 AM   #4
cbtshare
When you do
Quote:
tail -f /var/log/secure
do you see the user and log attempts or evidence pam is working?

edit:
Ahhh, didn't know it's ssh attempts. You need to install csf and then you can limit ssh access login attempts.

Or simply use iptables

Quote:
iptables -N SSH_CHECK
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
iptables -A SSH_CHECK -m recent --set --name SSH
iptables -A SSH_CHECK -m recent --update --seconds 60 --hitcount 3 --name SSH -j DROP

Last edited by cbtshare; 02-16-2012 at 01:44 AM.
 
Old 02-16-2012, 01:33 AM   #5
deep27ak
Original Poster
Code:
# tail -f /var/log/secure
Feb 16 12:50:01 server crond[9595]: pam_tally(crond:account): option lock_time=180 allowed in auth phase only
Feb 16 13:00:01 server crond[9622]: pam_tally(crond:account): option deny=3 allowed in auth phase only
Feb 16 13:00:01 server crond[9622]: pam_tally(crond:account): unknown option: no_magic_root
Feb 16 13:00:01 server crond[9622]: pam_tally(crond:account): option lock_time=180 allowed in auth phase only
Feb 16 13:00:01 server crond[9623]: pam_tally(crond:account): option deny=3 allowed in auth phase only
Feb 16 13:00:01 server crond[9623]: pam_tally(crond:account): unknown option: no_magic_root
Feb 16 13:00:01 server crond[9623]: pam_tally(crond:account): option lock_time=180 allowed in auth phase only
Feb 16 13:01:01 server crond[9639]: pam_tally(crond:account): option deny=3 allowed in auth phase only
Feb 16 13:01:01 server crond[9639]: pam_tally(crond:account): unknown option: no_magic_root
Feb 16 13:01:01 server crond[9639]: pam_tally(crond:account): option lock_time=180 allowed in auth phase only

It seems my OS is unable to recognise the option "no_magic_root".
Does it work for RHEL?
 
Old 02-16-2012, 01:56 AM   #6
cbtshare
The following works for rhel5 and above; the old pam settings you had work for rhel4.

Code:

auth required pam_env.so
auth required pam_tally.so onerr=fail magic_root
auth required pam_tally.so deny=3 magic_root
auth sufficient pam_unix.so likeauth nullok
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_succeed_if.so uid < 100 quiet
account required pam_permit.so

password requisite pam_cracklib.so retry=3 minlen=8 dcredit=0 ucredit=0 lcredit=0 ocredit=0 type=0
password sufficient pam_unix.so remember=7 use_authtok md5 shadow
password required pam_deny.so

session required pam_limits.so
session required pam_unix.so

Last edited by cbtshare; 02-16-2012 at 01:59 AM.
 
Old 02-16-2012, 03:03 AM   #7
deep27ak
Original Poster
I am still not able to get any positive o/p

Code:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
auth        required      pam_tally.so deny=3 magic_root

account     required      pam_tally.so
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
 
Old 02-16-2012, 02:22 PM   #8
cbtshare
The exact code in pam works. I'd suggest you make a backup of your original, remove everything and enter the following. It works.

Quote:
auth required pam_env.so
auth required pam_tally.so onerr=fail magic_root
auth required pam_tally.so deny=3 magic_root
auth sufficient pam_unix.so likeauth nullok
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_succeed_if.so uid < 100 quiet
account required pam_permit.so

password requisite pam_cracklib.so retry=3 minlen=8 dcredit=0 ucredit=0 lcredit=0 ocredit=0 type=0
password sufficient pam_unix.so remember=7 use_authtok md5 shadow
password required pam_deny.so

session required pam_limits.so
session required pam_unix.so
 
Old 02-17-2012, 12:50 AM   #9
deep27ak
Original Poster
I used your config file instead of mine but still no success, as it prompts me 7 times before session lock
Code:
auth required pam_env.so
auth required pam_tally.so onerr=fail magic_root
auth required pam_tally.so deny=3 magic_root
auth sufficient pam_unix.so likeauth nullok
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_succeed_if.so uid < 100 quiet
account required pam_permit.so

password requisite pam_cracklib.so retry=3 minlen=8 dcredit=0 ucredit=0 lcredit=0 ocredit=0 type=0
password sufficient pam_unix.so remember=7 use_authtok md5 shadow
password required pam_deny.so

session required pam_limits.so
session required pam_unix.so
Code:
#cat /var/log/secure
Feb 17 17:20:01 server crond[3111]: pam_unix(crond:session): session closed for user root
Feb 17 17:30:01 server crond[3129]: pam_unix(crond:session): session opened for user root by (uid=0)
Feb 17 17:30:01 server crond[3129]: pam_unix(crond:session): session closed for user root
Feb 17 17:31:23 server sshd[3133]: Failed password for root from 10.10.10.30 port 51509 ssh2
Feb 17 17:31:25 server last message repeated 5 times
Feb 17 17:31:25 server sshd[3134]: Disconnecting: Too many authentication failures for root
Feb 17 17:40:01 server crond[3149]: pam_unix(crond:session): session opened for user root by (uid=0)
Feb 17 17:40:01 server crond[3149]: pam_unix(crond:session): session closed for user root
Feb 17 17:47:08 server sshd[3161]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.30  user=root
Feb 17 17:47:11 server sshd[3161]: Failed password for root from 10.10.10.30 port 51642 ssh2
Feb 17 17:47:20 server last message repeated 3 times
Feb 17 17:47:22 server sshd[3162]: Connection closed by 10.10.10.30
Feb 17 17:47:22 server sshd[3161]: PAM 3 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.30  user=root
Feb 17 17:47:22 server sshd[3161]: PAM service(sshd) ignoring max retries; 4 > 3
Feb 17 17:47:27 server gdm[3056]: pam_unix(gdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=root
Feb 17 17:47:42 server last message repeated 3 times
Feb 17 17:47:56 server sshd[3165]: Accepted password for root from 10.10.10.30 port 51644 ssh2
Feb 17 17:47:56 server sshd[3165]: pam_unix(sshd:session): session opened for user root by (uid=0)
 
Old 02-17-2012, 04:50 PM   #10
cbtshare
change this line
Quote:
password sufficient pam_unix.so remember=7 use_authtok md5 shadow
to

Quote:
password sufficient pam_unix.so remember=3 use_authtok md5 shadow
see if that does it
 
Old 02-17-2012, 05:26 PM   #11
zer0python
Member
 
Registered: Sep 2003
Posts: 104

Rep: Reputation: 20
ssh config

If you are only checking by ssh, it may be that (assumption ->) OpenSSH is not configured to use pam. (The default UsePAM value is set to `no'[1]) You can validate using grep like so:

Code:
$ grep UsePAM /etc/ssh/sshd_config # The location of sshd_config may differ on your machine.
UsePAM yes
$
If OpenSSH is not configured to use pam then the pam_tally module will never be triggered.
Update your sshd_config file if needed, and restart sshd.

[1] man 5 sshd_config # search for UsePAM

Last edited by zer0python; 02-17-2012 at 05:28 PM.
 
Old 02-27-2012, 12:29 AM   #12
deep27ak
Original Poster
Sorry for the late reply

Quote:
Originally Posted by cbtshare
change this line
to
see if that does it

Nothing seems to be working

Now I was trying the same on my centos6 machine and the logs are quite surprising

Code:
#cat /var/log/secure
Feb 27 11:39:54 server sshd[3677]: Failed password for root from 10.10.10.30 port 57619 ssh2
Feb 27 11:44:53 server sshd[3704]: Failed password for root from 10.10.10.30 port 57744 ssh2
Feb 27 11:44:54 server sshd[3704]: Failed password for root from 10.10.10.30 port 57744 ssh2
Feb 27 11:44:54 server sshd[3704]: Failed password for root from 10.10.10.30 port 57744 ssh2
Feb 27 11:44:57 server sshd[3705]: Connection closed by 10.10.10.30
Feb 27 11:45:54 server sshd[3710]: Failed password for root from 10.10.10.30 port 57752 ssh2
Feb 27 11:45:54 server sshd[3710]: Failed password for root from 10.10.10.30 port 57752 ssh2
Feb 27 11:45:55 server sshd[3710]: Failed password for root from 10.10.10.30 port 57752 ssh2
Feb 27 11:45:55 server sshd[3710]: Failed password for root from 10.10.10.30 port 57752 ssh2
Feb 27 11:45:56 server sshd[3711]: Disconnecting: Too many authentication failures for root
Feb 27 11:45:56 server sshd[3710]: Failed password for root from 10.10.10.30 port 57752 ssh2
Feb 27 11:47:52 server sshd[3717]: Failed password for root from 10.10.10.30 port 57756 ssh2
Feb 27 11:47:53 server sshd[3717]: Failed password for root from 10.10.10.30 port 57756 ssh2
Feb 27 11:47:53 server sshd[3717]: Failed password for root from 10.10.10.30 port 57756 ssh2
Feb 27 11:47:53 server sshd[3717]: Failed password for root from 10.10.10.30 port 57756 ssh2
Feb 27 11:47:54 server sshd[3717]: Failed password for root from 10.10.10.30 port 57756 ssh2
Feb 27 11:47:54 server sshd[3718]: Disconnecting: Too many authentication failures for root
Feb 27 11:48:11 server pam: gdm-password[2029]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=root
Feb 27 11:48:18 server pam: gdm-password[3722]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=root
Feb 27 11:48:23 server pam: gdm-password[3723]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=root
Feb 27 11:48:30 server pam: gdm-password[3724]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=root
Feb 27 11:48:35 server pam: gdm-password[3725]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=root
Feb 27 11:48:39 server pam: gdm-password[3727]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=root
Feb 27 11:48:45 server pam: gdm-password[3728]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=root
Feb 27 11:50:28 server sshd[3737]: Failed password for root from 10.10.10.30 port 57761 ssh2
Feb 27 11:50:28 server sshd[3737]: Failed password for root from 10.10.10.30 port 57761 ssh2
Feb 27 11:50:29 server sshd[3737]: Failed password for root from 10.10.10.30 port 57761 ssh2
Feb 27 11:50:29 server sshd[3737]: Failed password for root from 10.10.10.30 port 57761 ssh2
Feb 27 11:50:29 server sshd[3738]: Disconnecting: Too many authentication failures for root
Feb 27 11:50:29 server sshd[3737]: Failed password for root from 10.10.10.30 port 57761 ssh2
Feb 27 11:51:36 server sshd[3745]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.30  user=root
Feb 27 11:51:38 server sshd[3745]: Failed password for root from 10.10.10.30 port 57764 ssh2
Feb 27 11:51:39 server sshd[3745]: Failed password for root from 10.10.10.30 port 57764 ssh2
Feb 27 11:51:39 server sshd[3745]: Failed password for root from 10.10.10.30 port 57764 ssh2
Feb 27 11:51:40 server sshd[3745]: Failed password for root from 10.10.10.30 port 57764 ssh2
Feb 27 11:51:40 server sshd[3745]: Failed password for root from 10.10.10.30 port 57764 ssh2
Feb 27 11:51:40 server sshd[3745]: Failed password for root from 10.10.10.30 port 57764 ssh2
Feb 27 11:51:40 server sshd[3746]: Disconnecting: Too many authentication failures for root
Feb 27 11:51:57 server sshd[3750]: Failed password for root from 10.10.10.30 port 57765 ssh2
Feb 27 11:51:57 server sshd[3750]: Failed password for root from 10.10.10.30 port 57765 ssh2
Feb 27 11:51:57 server sshd[3750]: Failed password for root from 10.10.10.30 port 57765 ssh2
Feb 27 11:51:58 server sshd[3750]: Failed password for root from 10.10.10.30 port 57765 ssh2
Feb 27 11:51:58 server sshd[3751]: Disconnecting: Too many authentication failures for root
Feb 27 11:51:58 server sshd[3750]: Failed password for root from 10.10.10.30 port 57765 ssh2

Why is it changing the port no. every time? I have not changed the default ssh port no., so it should be using 22, but here I see something different?

I followed this blog and made a few changes for pam_tally2.so, and the list of files showed me that my pam uses pam_tally2 instead of pam_tally
http://www.linuxarticles.org/2010/10...ogin-attempts/

Code:
#cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
auth        required      pam_tally2.so deny=3 onerr=fail unlock_time=900

account     required      pam_tally2.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
Code:
# pam_tally2 -u root
Login           Failures Latest failure     From
root                1    02/27/12 11:51:36  10.10.10.30

What should I do to make it work?
 
Old 10-09-2012, 11:00 AM   #13
chrislott
LQ Newbie
 
Registered: Oct 2012
Posts: 2

Rep: Reputation: Disabled
Me too. I'm working on a Centos 6.2 system and trying to achieve the same goal. I added one line per the man page for pam_tally2 and now my /etc/pam.d/sshd file looks like this:

#%PAM-1.0
auth required pam_sepermit.so
auth required pam_tally2.so deny=3 unlock_time=100
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth


To test, I connected to the machine with ssh and typed my password wrong 3 times, then connected a second time and typed it wrong another 3 times. I see that the /var/log/tallylog file was created (was not being updated before I added the line), and output from running the pam_tally2 program shows the 6 failures. So that module is definitely being called. But the pam_tally2.so module is NOT preventing me from trying repeatedly.

I checked the sshd configuration /etc/ssh/sshd_config and it has "UsePAM yes" as well as "UsePAM yes".

Can't make it work and can't find forum posts that make it work in Centos 6.2, further suggestions are very welcome, thanks in advance.
 
Old 10-17-2012, 08:13 AM   #14
chrislott
I think it's actually working fine, it just didn't match my expectations.

After I edited the file as described above, I checked and I see that the /var/log/tallylog file is being updated. Running the pam_tally2 program shows the contents of that log.

The problem was all in my head. I thought that pam_tally2.so would somehow prevent the user from repeatedly trying to log in via ssh. It does not prevent *attempts*. However it *does* block successful login after a series of failed login attempts. In other words, the ssh user types the proper account user name and password, but the credentials are rejected when too many attempts have been made. Confusingly, no message or other indication is shown to the user coming in via an SSH client. I think that this is a miss, but the PAM design doesn't seem to allow for it.
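
The behaviour described in post #14, and the effect of where the tally line sits in the auth stack, as an added example that is not part of any post in this thread: a simplified Python model of PAM's required / requisite / sufficient control flags, using the rule documented in pam_tally2(8) (increment first, deny when the tally exceeds deny=n). The user alice, her password and the function names are assumptions made for the illustration; unlock_time and the account phase are not modelled.

```python
# Added example: simplified pass/fail model of a Linux-PAM auth stack.
# "alice" and her password are constructed sample data.

DENY = 3      # deny=3, as in the configurations in this thread
tally = {}    # user -> failure counter (stands in for /var/log/tallylog)

def pam_env(user, password, db):
    return True

def pam_unix(user, password, db):
    return db[user]["password"] == password

def pam_succeed_if_uid_ge_500(user, password, db):
    return db[user]["uid"] >= 500

def pam_deny(user, password, db):
    return False

def pam_tally2(user, password, db):
    # pam_tally2(8): the auth phase first increments the counter, then
    # denies access if the tally exceeds deny=n.
    tally[user] = tally.get(user, 0) + 1
    return tally[user] <= DENY

# Ordering from the first post: the tally line is last in the auth stack.
TALLY_LAST = [
    ("required", pam_env),
    ("sufficient", pam_unix),
    ("requisite", pam_succeed_if_uid_ge_500),
    ("required", pam_deny),
    ("required", pam_tally2),
]

# Ordering from post #13: the tally line runs before the password check.
TALLY_FIRST = [
    ("required", pam_env),
    ("required", pam_tally2),
    ("sufficient", pam_unix),
    ("required", pam_deny),
]

def authenticate(stack, user, password, db):
    """Apply required / requisite / sufficient control-flag semantics."""
    failed = False
    for control, module in stack:
        ok = module(user, password, db)
        if control == "required" and not ok:
            failed = True                 # remember, keep walking the stack
        elif control == "requisite" and not ok:
            return False                  # fail immediately
        elif control == "sufficient" and ok and not failed:
            return True                   # succeed immediately, skip the rest
    return not failed

def wrong_then_right(stack, wrong_attempts):
    """Return (correct password accepted?, failures counted before it)."""
    tally.clear()
    db = {"alice": {"uid": 500, "password": "correct"}}
    for _ in range(wrong_attempts):
        authenticate(stack, "alice", "wrong", db)
    counted = tally.get("alice", 0)
    accepted = authenticate(stack, "alice", "correct", db)
    if accepted:
        tally["alice"] = 0                # counter is reset on a good login
    return accepted, counted

if __name__ == "__main__":
    print("tally last, 5 wrong:", wrong_then_right(TALLY_LAST, 5))
    print("tally first, 3 wrong:", wrong_then_right(TALLY_FIRST, 3))
```

With the tally line last, a correct password returns from `sufficient pam_unix.so` before the counter is consulted, so failures are counted but never enforced. With the tally line first, the attempt after the third failure is refused even with the right password, while the client is still free to keep trying.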
 
  

