LinuxQuestions.org
Old 12-07-2012, 05:26 AM   #1
bala.linuxtech
Member
 
Registered: Nov 2012
Location: Bangalore
Distribution: RHEL and Centos
Posts: 80

How to lock the users after ssh failed login attempts?


Hi LQ Dears,

I am using a RHEL 5.4 Linux box.

I am still facing a lot of failed login attempts from SSH.
Is there any way to lock or restrict the user after failed
login attempts?

Please guide me, guys!

Regards
Bala.LinuxTech
 
Old 12-07-2012, 05:35 AM   #2
jv2112
Member
 
Registered: Jan 2009
Location: New England
Distribution: Arch Linux
Posts: 719


I would suggest you edit the server's /etc/ssh/sshd_config



Code:
# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
MaxAuthTries 6
MaxSessions 10
 
Old 12-07-2012, 05:39 AM   #3
bala.linuxtech
Member
 
Registered: Nov 2012
Location: Bangalore
Distribution: RHEL and Centos
Posts: 80

Original Poster

Quote:
Originally Posted by jv2112
I would suggest you edit the server's /etc/ssh/sshd_config



Code:
# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
MaxAuthTries 6
MaxSessions 10

Dear jv2112

Thanks. Could you please explain what these mean: LoginGraceTime 2m, #StrictModes yes, MaxAuthTries 6, MaxSessions 10?

Thanks in advance

Regards
Bala.Linuxtech
 
Old 12-07-2012, 05:51 AM   #4
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

You could look at fail2ban to automate analyzing logs to update iptables rules or hosts.deny to reject connections. You could instead run a usermod command to suspend an account. You could monitor other types of logs such as Apache as well.
http://www.linux-magazine.com/Online...-with-fail2ban

For SSH, you should be using keys instead of user name/password authentication. Then any challenge/response attempt will be rejected.

Use AllowUsers to limit who can log in. Many attempts against SSH will be system users. Others will be against root. Suspending the root account will lock you out of your own server. Better to not allow root logins.
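
As an added example (not from any poster in this thread): the log analysis that fail2ban automates, done with awk and sort on constructed /var/log/secure lines. The function names and threshold are assumptions; the source address is read from the end of each line so that a crafted user name containing "from" cannot shift it.

```shell
#!/bin/sh
# Constructed /var/log/secure lines (documentation address ranges).
sample_log() {
cat <<'EOF'
Dec  7 05:01:11 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 40022 ssh2
Dec  7 05:01:13 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 40022 ssh2
Dec  7 05:01:16 web1 sshd[2104]: Failed password for invalid user admin from 203.0.113.5 port 40031 ssh2
Dec  7 05:01:19 web1 sshd[2104]: Failed password for invalid user test from 203.0.113.5 port 40031 ssh2
Dec  7 05:03:02 web1 sshd[2150]: Failed password for bala from 198.51.100.7 port 50110 ssh2
Dec  7 05:03:09 web1 sshd[2151]: Failed password for invalid user from 192.0.2.10 from 198.51.100.7 port 50111 ssh2
Dec  7 05:04:40 web1 sshd[2188]: Accepted publickey for bala from 192.0.2.10 port 51000 ssh2
EOF
}

# offenders THRESHOLD (hypothetical helper): read sshd log lines on stdin and
# print "count address" for every source with at least THRESHOLD failures.
# sshd appends "from ADDR port N ssh2" itself, so those fields are taken
# relative to the end of the line, never from the client-supplied user name.
offenders() {
    awk -v limit="$1" '
        / sshd\[[0-9]+\]: Failed password for / &&
        $(NF-4) == "from" && $(NF-2) == "port" { fails[$(NF-3)]++ }
        END { for (ip in fails) if (fails[ip] >= limit) print fails[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# deny_lines THRESHOLD (hypothetical helper): same input, formatted as
# hosts.deny entries for the sshd service.
deny_lines() {
    offenders "$1" | while read -r count ip; do
        echo "sshd: $ip"
    done
}

# Stand-alone run on the constructed sample; on a real host the input would
# be /var/log/secure instead.
sample_log | deny_lines 3
```

Review the output before appending it to /etc/hosts.deny; that file only affects sshd when the daemon is built with TCP wrappers support.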
 
Old 12-07-2012, 06:05 AM   #5
bala.linuxtech
Member
 
Registered: Nov 2012
Location: Bangalore
Distribution: RHEL and Centos
Posts: 80

Original Poster

Quote:
Originally Posted by jschiwal
You could look at fail2ban to automate analyzing logs to update iptables rules or hosts.deny to reject connections. You could instead run a usermod command to suspend an account. You could monitor other types of logs such as Apache as well.
http://www.linux-magazine.com/Online...-with-fail2ban

For SSH, you should be using keys instead of user name/password authentication. Then any challenge/response attempt will be rejected.

Use AllowUsers to limit who can log in. Many attempts against SSH will be system users. Others will be against root. Suspending the root account will lock you out of your own server. Better to not allow root logins.

Dear jschiwal

Thanks. Fail2ban is very interesting, but I don't have access to install third-party tools/software on the servers. Could you guide me to another way to do the same?

Thanks in advance

Regards
Bala.Linuxtech
 
Old 12-07-2012, 06:52 AM   #6
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

There is an official fail2ban RHEL package, so you won't be installing a 3rd party tool. Use the package from your RH repository. The regular expressions used will match your log files. And you won't need to mess with SELinux restrictions. The package should handle that for you during installation. Be sure to research fail2ban on the Red Hat site. Using it to protect SSH is the most common usage, so I'm sure it will be well covered.

There is a PAM module (pam_tally) that can suspend accounts after a number of failed login attempts.

http://www.cyberciti.biz/tips/rhel-c...led-login.html

The sshd_config MaxAuthTries option will log failed attempts on the same connection that exceed half that number and break the connection when it reaches the max.
 
Old 12-07-2012, 07:40 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,830
Blog Entries: 54

Quote:
Originally Posted by bala.linuxtech
please explain what does it mean, LoginGraceTime 2m , #StrictModes yes , MaxAuthTries 6 ,MaxSessions 10
A lot of information is at your fingertips with the whois, whatis, which, apropos, info and man commands. In this case you know it's related to ssh, so if you run 'apropos ssh' you'll get a list of manual pages. Select one, scroll to the bottom and notice the "See also" section. Eventually you'll find 'man sshd_config' explaining these configuration settings. If, after reading, you have more specific questions then ask.
 
Old 12-07-2012, 09:31 AM   #8
Habitual
Senior Member
 
Registered: Jan 2011
Distribution: Undecided
Posts: 3,622
Blog Entries: 1

Quote:
Is there any way to lock or restrict the user after failed
login attempts ?

please guide me guyz !
Code:
man sshd_config
for daemon settings.
Personally, I'd use ssh keys only.
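
As an added example (not from any poster in this thread): a shell check of an sshd_config against the advice given in posts #4 and #8, namely keys only, no root login, and an AllowUsers list. The sample file is constructed, the helper names are hypothetical, and the built-in defaults passed to `effective` are assumptions taken from the commented values in the fragment posted above.

```shell
#!/bin/sh
# Constructed sshd_config, modelled on the fragment posted in this thread.
sample_config() {
cat <<'EOF'
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
MaxAuthTries 6
passwordauthentication no
PasswordAuthentication yes
AllowUsers bala
EOF
}

# effective KEY DEFAULT (hypothetical helper): print the value sshd uses for
# KEY, reading the config on stdin. Keywords are case-insensitive, the first
# occurrence wins, and a commented-out line leaves the default in force.
# Only the global section is read; parsing stops at the first Match block.
effective() {
    awk -v key="$1" -v def="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); val = $0; found = 1; exit
        }
        END { print (found ? val : def) }
    '
}

# audit (hypothetical helper): print one finding per setting that does not
# follow the thread's advice. Defaults below are assumed, not read from sshd.
audit() {
    cfg=$(cat)
    v=$(printf '%s\n' "$cfg" | effective PermitRootLogin yes)
    [ "$v" = "no" ] || echo "PermitRootLogin=$v: root can log in over SSH"
    v=$(printf '%s\n' "$cfg" | effective PasswordAuthentication yes)
    [ "$v" = "no" ] || echo "PasswordAuthentication=$v: passwords accepted"
    v=$(printf '%s\n' "$cfg" | effective AllowUsers "")
    [ -n "$v" ] || echo "AllowUsers unset: every account may try to log in"
}

# Stand-alone run on the constructed sample; on a real host the input would
# be /etc/ssh/sshd_config instead.
sample_config | audit
```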
 