LinuxQuestions.org
Latest LQ Deal: Complete CCNA, CCNP & Red Hat Certification Training Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 02-15-2012, 11:33 PM   #1
deep27ak
Senior Member
 
Registered: Aug 2011
Location: Bangalore, India
Distribution: rhel 5x,6.0,6.2, centOS 5x,6.0,6.2
Posts: 1,194
Blog Entries: 4

Rep: Reputation: 221Reputation: 221Reputation: 221
account lock after 3 unsuccessful attempts not happening


Hello

I am trying to set up account lock after 3 failed attempts of login but not getting a positive output
I followed this page as well but still no luck
http://www.linuxquestions.org/questi...-rhel5-624257/
OS :RHEL 5.2
Code:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
auth        required      pam_tally.so onerr=fail deny=3 unlock_time=60

account     required      pam_tally.so reset
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
 
Old 02-16-2012, 12:25 AM   #2
cbtshare
Member
 
Registered: Jul 2009
Posts: 619

Rep: Reputation: 42
all you need to modify is :
Quote:
auth required pam_tally.so no_magic_root
account required pam_tally.so deny=3 no_magic_root lock_time=180
I think auth required pam_tally.so onerr=fail , is messing up

Last edited by cbtshare; 02-16-2012 at 12:27 AM.
 
Old 02-16-2012, 01:12 AM   #3
deep27ak
Senior Member
 
Registered: Aug 2011
Location: Bangalore, India
Distribution: rhel 5x,6.0,6.2, centOS 5x,6.0,6.2
Posts: 1,194
Blog Entries: 4

Original Poster
Rep: Reputation: 221Reputation: 221Reputation: 221
still no luck
something similar was here as well
http://www.cyberciti.biz/tips/rhel-c...led-login.html

here is my current system-auth file
Code:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
auth        required      pam_tally.so no_magic_root

account     required      pam_tally.so deny=3 no_magic_root lock_time=180
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
I am trying to login on putty and still it goes for 7 attempts before the session gives an error "too many authentication failures for root"
do I need to restart some service or restart the machine to take place changes?

Last edited by deep27ak; 02-16-2012 at 01:15 AM.
 
Old 02-16-2012, 01:31 AM   #4
cbtshare
Member
 
Registered: Jul 2009
Posts: 619

Rep: Reputation: 42
when you do
Quote:
tail -f /var/log/secure
, do you see the user and log attempts or evidence pam is working?

edit:
ahhh, didn't know its ssh attempts.You need to install csf and then you can limit ssh access login attempt.

Or simply use iptables

Quote:
iptables -N SSH_CHECK
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
iptables -A SSH_CHECK -m recent --set --name SSH
iptables -A SSH_CHECK -m recent --update --seconds 60 --hitcount 3 --name SSH -j DROP

Last edited by cbtshare; 02-16-2012 at 01:44 AM.
 
Old 02-16-2012, 01:33 AM   #5
deep27ak
Senior Member
 
Registered: Aug 2011
Location: Bangalore, India
Distribution: rhel 5x,6.0,6.2, centOS 5x,6.0,6.2
Posts: 1,194
Blog Entries: 4

Original Poster
Rep: Reputation: 221Reputation: 221Reputation: 221
Code:
# tail -f /var/log/secure
Feb 16 12:50:01 server crond[9595]: pam_tally(crond:account): option lock_time=180 allowed in auth phase only
Feb 16 13:00:01 server crond[9622]: pam_tally(crond:account): option deny=3 allowed in auth phase only
Feb 16 13:00:01 server crond[9622]: pam_tally(crond:account): unknown option: no_magic_root
Feb 16 13:00:01 server crond[9622]: pam_tally(crond:account): option lock_time=180 allowed in auth phase only
Feb 16 13:00:01 server crond[9623]: pam_tally(crond:account): option deny=3 allowed in auth phase only
Feb 16 13:00:01 server crond[9623]: pam_tally(crond:account): unknown option: no_magic_root
Feb 16 13:00:01 server crond[9623]: pam_tally(crond:account): option lock_time=180 allowed in auth phase only
Feb 16 13:01:01 server crond[9639]: pam_tally(crond:account): option deny=3 allowed in auth phase only
Feb 16 13:01:01 server crond[9639]: pam_tally(crond:account): unknown option: no_magic_root
Feb 16 13:01:01 server crond[9639]: pam_tally(crond:account): option lock_time=180 allowed in auth phase only
It seems my OS is unable to recognise the option "no_magic_root"
Does it works for RHEL?
 
Old 02-16-2012, 01:56 AM   #6
cbtshare
Member
 
Registered: Jul 2009
Posts: 619

Rep: Reputation: 42
the following works for rhel5 and above, the old pam settings you had work for rhel4

Code:

auth required pam_env.so
auth required pam_tally.so onerr=fail magic_root
auth required pam_tally.so deny=3 magic_root
auth sufficient pam_unix.so likeauth nullok
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_succeed_if.so uid < 100 quiet
account required pam_permit.so

password requisite pam_cracklib.so retry=3 minlen=8 dcredit=0 ucredit=0 lcredit=0 ocredit=0 type=0
password sufficient pam_unix.so remember=7 use_authtok md5 shadow
password required pam_deny.so

session required pam_limits.so
session required pam_unix.so

Last edited by cbtshare; 02-16-2012 at 01:59 AM.
 
Old 02-16-2012, 03:03 AM   #7
deep27ak
Senior Member
 
Registered: Aug 2011
Location: Bangalore, India
Distribution: rhel 5x,6.0,6.2, centOS 5x,6.0,6.2
Posts: 1,194
Blog Entries: 4

Original Poster
Rep: Reputation: 221Reputation: 221Reputation: 221
I am still not able get any positive o/p

Code:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
auth        required      pam_tally.so deny=3 magic_root

account     required      pam_tally.so
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
 
Old 02-16-2012, 02:22 PM   #8
cbtshare
Member
 
Registered: Jul 2009
Posts: 619

Rep: Reputation: 42
the exact code in pam works, I'd suggest, make a bakup of your original and remove everything a enter the following.It works..

Quote:
auth required pam_env.so
auth required pam_tally.so onerr=fail magic_root
auth required pam_tally.so deny=3 magic_root
auth sufficient pam_unix.so likeauth nullok
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_succeed_if.so uid < 100 quiet
account required pam_permit.so

password requisite pam_cracklib.so retry=3 minlen=8 dcredit=0 ucredit=0 lcredit=0 ocredit=0 type=0
password sufficient pam_unix.so remember=7 use_authtok md5 shadow
password required pam_deny.so

session required pam_limits.so
session required pam_unix.so
 
Old 02-17-2012, 12:50 AM   #9
deep27ak
Senior Member
 
Registered: Aug 2011
Location: Bangalore, India
Distribution: rhel 5x,6.0,6.2, centOS 5x,6.0,6.2
Posts: 1,194
Blog Entries: 4

Original Poster
Rep: Reputation: 221Reputation: 221Reputation: 221
I used your config file instead of mine but still no success as it prompts me for 7 times before session lock
Code:
auth required pam_env.so
auth required pam_tally.so onerr=fail magic_root
auth required pam_tally.so deny=3 magic_root
auth sufficient pam_unix.so likeauth nullok
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_succeed_if.so uid < 100 quiet
account required pam_permit.so

password requisite pam_cracklib.so retry=3 minlen=8 dcredit=0 ucredit=0 lcredit=0 ocredit=0 type=0
password sufficient pam_unix.so remember=7 use_authtok md5 shadow
password required pam_deny.so

session required pam_limits.so
session required pam_unix.so
Code:
#cat /var/log/secure
Feb 17 17:20:01 server crond[3111]: pam_unix(crond:session): session closed for user root
Feb 17 17:30:01 server crond[3129]: pam_unix(crond:session): session opened for user root by (uid=0)
Feb 17 17:30:01 server crond[3129]: pam_unix(crond:session): session closed for user root
Feb 17 17:31:23 server sshd[3133]: Failed password for root from 10.10.10.30 port 51509 ssh2
Feb 17 17:31:25 server last message repeated 5 times
Feb 17 17:31:25 server sshd[3134]: Disconnecting: Too many authentication failures for root
Feb 17 17:40:01 server crond[3149]: pam_unix(crond:session): session opened for user root by (uid=0)
Feb 17 17:40:01 server crond[3149]: pam_unix(crond:session): session closed for user root
Feb 17 17:47:08 server sshd[3161]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.30  user=root
Feb 17 17:47:11 server sshd[3161]: Failed password for root from 10.10.10.30 port 51642 ssh2
Feb 17 17:47:20 server last message repeated 3 times
Feb 17 17:47:22 server sshd[3162]: Connection closed by 10.10.10.30
Feb 17 17:47:22 server sshd[3161]: PAM 3 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.30  user=root
Feb 17 17:47:22 server sshd[3161]: PAM service(sshd) ignoring max retries; 4 > 3
Feb 17 17:47:27 server gdm[3056]: pam_unix(gdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=root
Feb 17 17:47:42 server last message repeated 3 times
Feb 17 17:47:56 server sshd[3165]: Accepted password for root from 10.10.10.30 port 51644 ssh2
Feb 17 17:47:56 server sshd[3165]: pam_unix(sshd:session): session opened for user root by (uid=0)
 
Old 02-17-2012, 04:50 PM   #10
cbtshare
Member
 
Registered: Jul 2009
Posts: 619

Rep: Reputation: 42
change this line
Quote:
password sufficient pam_unix.so remember=7 use_authtok md5 shadow
to

Quote:
password sufficient pam_unix.so remember=3 use_authtok md5 shadow
see if that does it
 
Old 02-17-2012, 05:26 PM   #11
zer0python
Member
 
Registered: Sep 2003
Posts: 104

Rep: Reputation: 20
Lightbulb ssh config

If you are only checking by ssh, it may be that (assumption ->) OpenSSH is not configured to use pam. (The default UsePAM value is set to `no'[1]) You can validate using grep like so:

Code:
$ grep UsePAM /etc/ssh/sshd_config # The location of sshd_config may differ on your machine.
UsePAM yes
$
If OpenSSH is not configured to use pam then the pam_tally module will never be triggered.
update your sshd_config file if needed, and restart sshd.

[1] man 5 sshd_config # search for UsePAM

Last edited by zer0python; 02-17-2012 at 05:28 PM.
 
Old 02-27-2012, 12:29 AM   #12
deep27ak
Senior Member
 
Registered: Aug 2011
Location: Bangalore, India
Distribution: rhel 5x,6.0,6.2, centOS 5x,6.0,6.2
Posts: 1,194
Blog Entries: 4

Original Poster
Rep: Reputation: 221Reputation: 221Reputation: 221
Sorry for the late reply

Quote:
Originally Posted by cbtshare View Post
change this line
to
see if that does it
Nothing seems to be working

Now I was trying the same on my centos6 machine and the logs are quite surprising

Code:
#cat /var log/secure
Feb 27 11:39:54 server sshd[3677]: Failed password for root from 10.10.10.30 port 57619 ssh2
Feb 27 11:44:53 server sshd[3704]: Failed password for root from 10.10.10.30 port 57744 ssh2
Feb 27 11:44:54 server sshd[3704]: Failed password for root from 10.10.10.30 port 57744 ssh2
Feb 27 11:44:54 server sshd[3704]: Failed password for root from 10.10.10.30 port 57744 ssh2
Feb 27 11:44:57 server sshd[3705]: Connection closed by 10.10.10.30
Feb 27 11:45:54 server sshd[3710]: Failed password for root from 10.10.10.30 port 57752 ssh2
Feb 27 11:45:54 server sshd[3710]: Failed password for root from 10.10.10.30 port 57752 ssh2
Feb 27 11:45:55 server sshd[3710]: Failed password for root from 10.10.10.30 port 57752 ssh2
Feb 27 11:45:55 server sshd[3710]: Failed password for root from 10.10.10.30 port 57752 ssh2
Feb 27 11:45:56 server sshd[3711]: Disconnecting: Too many authentication failures for root
Feb 27 11:45:56 server sshd[3710]: Failed password for root from 10.10.10.30 port 57752 ssh2
Feb 27 11:47:52 server sshd[3717]: Failed password for root from 10.10.10.30 port 57756 ssh2
Feb 27 11:47:53 server sshd[3717]: Failed password for root from 10.10.10.30 port 57756 ssh2
Feb 27 11:47:53 server sshd[3717]: Failed password for root from 10.10.10.30 port 57756 ssh2
Feb 27 11:47:53 server sshd[3717]: Failed password for root from 10.10.10.30 port 57756 ssh2
Feb 27 11:47:54 server sshd[3717]: Failed password for root from 10.10.10.30 port 57756 ssh2
Feb 27 11:47:54 server sshd[3718]: Disconnecting: Too many authentication failures for root
Feb 27 11:48:11 server pam: gdm-password[2029]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=root
Feb 27 11:48:18 server pam: gdm-password[3722]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=root
Feb 27 11:48:23 server pam: gdm-password[3723]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=root
Feb 27 11:48:30 server pam: gdm-password[3724]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=root
Feb 27 11:48:35 server pam: gdm-password[3725]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=root
Feb 27 11:48:39 server pam: gdm-password[3727]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=root
Feb 27 11:48:45 server pam: gdm-password[3728]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=root
Feb 27 11:50:28 server sshd[3737]: Failed password for root from 10.10.10.30 port 57761 ssh2
Feb 27 11:50:28 server sshd[3737]: Failed password for root from 10.10.10.30 port 57761 ssh2
Feb 27 11:50:29 server sshd[3737]: Failed password for root from 10.10.10.30 port 57761 ssh2
Feb 27 11:50:29 server sshd[3737]: Failed password for root from 10.10.10.30 port 57761 ssh2
Feb 27 11:50:29 server sshd[3738]: Disconnecting: Too many authentication failures for root
Feb 27 11:50:29 server sshd[3737]: Failed password for root from 10.10.10.30 port 57761 ssh2
Feb 27 11:51:36 server sshd[3745]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.30  user=root
Feb 27 11:51:38 server sshd[3745]: Failed password for root from 10.10.10.30 port 57764 ssh2
Feb 27 11:51:39 server sshd[3745]: Failed password for root from 10.10.10.30 port 57764 ssh2
Feb 27 11:51:39 server sshd[3745]: Failed password for root from 10.10.10.30 port 57764 ssh2
Feb 27 11:51:40 server sshd[3745]: Failed password for root from 10.10.10.30 port 57764 ssh2
Feb 27 11:51:40 server sshd[3745]: Failed password for root from 10.10.10.30 port 57764 ssh2
Feb 27 11:51:40 server sshd[3745]: Failed password for root from 10.10.10.30 port 57764 ssh2
Feb 27 11:51:40 server sshd[3746]: Disconnecting: Too many authentication failures for root
Feb 27 11:51:57 server sshd[3750]: Failed password for root from 10.10.10.30 port 57765 ssh2
Feb 27 11:51:57 server sshd[3750]: Failed password for root from 10.10.10.30 port 57765 ssh2
Feb 27 11:51:57 server sshd[3750]: Failed password for root from 10.10.10.30 port 57765 ssh2
Feb 27 11:51:58 server sshd[3750]: Failed password for root from 10.10.10.30 port 57765 ssh2
Feb 27 11:51:58 server sshd[3751]: Disconnecting: Too many authentication failures for root
Feb 27 11:51:58 server sshd[3750]: Failed password for root from 10.10.10.30 port 57765 ssh2
why is it every time changing the port no. I have not changed the default ssh port no. so it should be using 22 but here I see something different?

I followed this blog and made ferw changes pam_tally2.so and the list of files showed me that my pam uses pam_tally2 instead of pam_tally
http://www.linuxarticles.org/2010/10...ogin-attempts/

Code:
#cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
auth        required      pam_tally2.so deny=3 onerr=fail unlock_time=900

account     required      pam_tally2.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
Code:
# pam_tally2 -u root
Login           Failures Latest failure     From
root                1    02/27/12 11:51:36  10.10.10.30
what should I do to make it working
 
Old 10-09-2012, 11:00 AM   #13
chrislott
LQ Newbie
 
Registered: Oct 2012
Posts: 2

Rep: Reputation: Disabled
Me too. I'm working on a Centos 6.2 system and trying to achieve the same goal. I added one line per the man page for pam_tally2 and now my /etc/pam.d/sshd file looks like this:

#%PAM-1.0
auth required pam_sepermit.so
auth required pam_tally2.so deny=3 unlock_time=100
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth


To test, I connected to the machine with ssh and typed my password wrong 3 times, then connected a second time and typed it wrong another 3 times. I see that the /var/log/tallylog file was created (was not being updated before I added the line), and output from running the pam_tally2 program shows the 6 failures. So that module is definitely being called. But the pam_tally2.so module is NOT preventing me from trying repeatedly.

I checked the sshd configuration /etc/ssh/sshd_config and it has "UsePAM yes" as well as "UsePAM yes".

Can't make it work and can't find forum posts that make it work in Centos 6.2, further suggestions are very welcome, thanks in advance.
 
Old 10-17-2012, 08:13 AM   #14
chrislott
LQ Newbie
 
Registered: Oct 2012
Posts: 2

Rep: Reputation: Disabled
I think it's actually working fine, it just didn't match my expectations.

After I edit the file as described above, I checked and I see that the /var/log/tallylog file is being updated. Running the program pam_tally2 program shows the contents of that log.

The problem was all in my head . I thought that pam_tally2.so would somehow prevent the user from repeatedly trying to log in via ssh. It does not prevent *attempts*. However it *does* block successful login after a series of failed login attempts. In other words, the ssh user types the proper account user name and password, but the credentials are rejected when too many attempts have been made. Confusingly, no message or other indication is shown to the user coming in via an SSH client. I think that this is a miss, but the PAM design doesn't seem to allow for it.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Account lock after failed login attempts alfonsosg Linux - Security 5 08-03-2010 07:24 AM
lock user account after failed login attempts with FC 10 hv905c Linux - Security 1 05-18-2009 08:44 PM
lock root account after 3 login attempts - RHEL AS 3 jrparker2005 Red Hat 1 05-17-2005 12:43 PM
Lock account after successive login attempts herrmag Linux - Newbie 1 02-03-2005 06:10 PM


All times are GMT -5. The time now is 07:47 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration