Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
Moved: This thread is more suitable in the Linux - Security forum and has been moved accordingly to help your thread/question get the exposure it deserves.
Note that you need to think really carefully about how you'd like to implement this. For example an attacker could DoS the system simply by attempting logins and locking out accounts of other users including root. I've seen this solved with a whitelist approach or with a reset of the lockout after a certain period of time, but personally I don't like either one.
Hi
Actually I want to limit the invalid logon attempts to three times. After unsuccessful attempts the system will allow trying again after 5 minutes.
Actually this is an audit requirement.
To set the number of Auth tries, edit the sshd_config file and set the MaxAuthTries variable to 3. If your version of linux uses pam, you'll likely need to modify pam_tally settings in system-auth as well (likely lives in /etc/pam.d/). I don't believe sshd can do lockouts by itself, so you'd probably need to use pam.
Here are the pam docs, in particular look at the pam_tally section on this page. You'll likely need to use the 'unlock_time' variable and make sure to include magic_root to keep root from getting locked out. You'll still want to prevent remote root logins over sshd using the PermitRootLogins option in sshd_config, but you don't want to lock root out locally, hence the magic_root setting. If that doesn't make any sense, read the pam docs.
Last edited by Capt_Caveman; 03-08-2006 at 09:43 PM.
Hi
I set the variable MaxAuthTries to 3, but before that the variable did not exist; I typed it myself in the file sshd_conf and then saved the changes, but no effect appeared. Is it necessary to reboot the system?
One thing I'd like to share with you is that all the variables were inactive except one or two.
You'll need to restart the sshd service so that it re-reads the config file. Make sure that the MaxAuthTries line is uncommented (doesn't have a '#' before it). All the other commented variables will be set to the default settings, so you don't need to worry about them right now. Note that the MaxAuthTries setting will only limit the number of authentication attempts *per connection*. So if a user fails 3 auth tries, then the connection will be closed, but the user can still re-establish a new connection and will get 3 new authentication tries. To truly lock them out you'll need to use pam_tally.
Personally I think there are better tools to prevent bruteforce attacks against the sshd service. Take a look at this thread for some other solutions that I think will likely work better.
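As an added example (not code from the thread or from any poster), here is a small audit helper that checks the two places discussed above: that the MaxAuthTries line in sshd_config is actually uncommented, and that the pam_tally auth line carries deny, unlock_time and magic_root. The file names, sample file contents and thresholds (deny=3, unlock_time=300 for the five-minute lockout) are constructed for this example.

```shell
#!/bin/sh
# Added audit helper (not from the thread). It reads an sshd_config and a
# PAM service file and reports whether the lockout settings are really in
# effect. Both input files below are constructed for this example.

# Print the value of an sshd_config keyword, skipping commented lines.
# sshd honours the first uncommented occurrence, so stop at the first match.
sshd_setting() {            # $1 = config file, $2 = keyword
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Succeed only if MaxAuthTries is uncommented and no larger than $2 (default 3).
check_max_auth_tries() {    # $1 = config file, $2 = allowed maximum
    val=$(sshd_setting "$1" MaxAuthTries)
    [ -n "$val" ] && [ "$val" -le "${2:-3}" ]
}

# Print an option from the uncommented "auth ... pam_tally.so" line:
# the value for key=value options, or "set" for flags such as magic_root.
pam_tally_opt() {           # $1 = PAM service file, $2 = option name
    awk -v opt="$2" '
        /^[[:space:]]*#/ { next }
        $1 == "auth" && $3 ~ /pam_tally\.so/ {
            for (i = 4; i <= NF; i++) {
                n = split($i, kv, "=")
                if (kv[1] == opt) { print (n > 1 ? kv[2] : "set"); exit }
            }
        }
    ' "$1"
}

# Constructed sample files: the commented MaxAuthTries line is ignored, so
# only the uncommented one counts; pam_tally locks after 3 failures for
# 300 s (5 minutes) and magic_root keeps uid 0 from being counted.
WORK=$(mktemp -d)
cat > "$WORK/sshd_config" <<'EOF'
#MaxAuthTries 6
MaxAuthTries 3
PermitRootLogin no
EOF
cat > "$WORK/system-auth" <<'EOF'
auth    required pam_tally.so onerr=fail deny=3 unlock_time=300 magic_root
account required pam_tally.so
EOF
check_max_auth_tries "$WORK/sshd_config" && echo "MaxAuthTries OK"
echo "pam_tally deny=$(pam_tally_opt "$WORK/system-auth" deny) unlock_time=$(pam_tally_opt "$WORK/system-auth" unlock_time)"
```

Point the two functions at the real /etc/ssh/sshd_config and /etc/pam.d/system-auth to audit a live host; remember that sshd must be restarted before a changed MaxAuthTries takes effect.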
Hi
I set the MaxAuthTries to 3, but will it work when I attempt it locally or remotely?
I tried it locally but it did not work, so kindly guide me regarding this.
Try fail2ban, it's very configurable and I have it set so that after 3 unsuccessful ssh login attempts it adds a rule to the firewall to ban the source IP for a week.