Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I have configured an account lockout policy so that users who type their password wrongly 3 times get locked.
However, to my horror, pam_tally2 -u <user> increments even if the password is typed correctly.
After 4 logins all the users got locked. Could anybody help me in fixing this?
/etc/pam.d/sshd
#%PAM-1.0
auth required pam_tally2.so onerr=fail deny=3 no_magic_root
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
/etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_tally2.so onerr=fail deny=3 unlock_time=3600 no_magic_root
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication no
# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
UsePAM yes
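Two pam_tally2 pitfalls produce exactly this symptom: pam_tally2 in the auth phase with no "account ... pam_tally2.so" entry (only the account entry resets the counter after a successful login, so every login counts as a failure), and pam_tally2 loaded both in sshd and in the stack it includes (each attempt counted twice). The audit script below is an added example, not code from this thread; it assumes the pam.d directory and service name are passed as arguments and that "include" lines refer to files in that directory.

```shell
#!/bin/sh
# Added example (not from the thread): audit a PAM service file for two
# pam_tally2 lockout pitfalls that lock out users who never mistype a password.
#   1. pam_tally2 in the auth phase with no "account ... pam_tally2.so" line:
#      only the account entry resets the failure counter, so every login,
#      successful or not, pushes the count towards deny=N.
#   2. pam_tally2 both in the service file and in the stack it "include"s:
#      each attempt is counted twice.
# Usage: audit_tally2 /etc/pam.d sshd   (returns 0 = clean, 1 = findings printed)

# has_tally2 FILE PHASE: true if an uncommented PHASE line loads pam_tally2.so
has_tally2() {
    grep -Eq "^[[:space:]]*$2[[:space:]].*pam_tally2\.so" "$1"
}

# included FILE PHASE: names of files pulled in by "PHASE include NAME" lines
included() {
    awk -v p="$2" '$1 == p && $2 == "include" { print $3 }' "$1"
}

audit_tally2() {
    dir=$1 svc=$2 file="$1/$2" rc=0 reset=0
    [ -r "$file" ] || { echo "$svc: cannot read $file"; return 1; }
    has_tally2 "$file" auth || return 0   # no tally2 in auth, nothing to check

    # Pitfall 1: the counter must be reset in the account phase, either here
    # or in an account stack this service includes.
    has_tally2 "$file" account && reset=1
    for inc in $(included "$file" account); do
        [ -r "$dir/$inc" ] && has_tally2 "$dir/$inc" account && reset=1
    done
    if [ "$reset" -eq 0 ]; then
        echo "$svc: auth pam_tally2 without account pam_tally2 (counter never reset)"
        rc=1
    fi

    # Pitfall 2: tally2 here plus tally2 in an included auth stack = double counting.
    for inc in $(included "$file" auth); do
        if [ -r "$dir/$inc" ] && has_tally2 "$dir/$inc" auth; then
            echo "$svc: pam_tally2 counted here and again in included $inc (double counting)"
            rc=1
        fi
    done
    return $rc
}
```

Run it against a copy of the pam.d directory before and after the change; a clean result means a single auth counter with a matching account reset line.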
I had done some extensive PAM stuff (rhel5) in the past using different PAM mods. The mod you are using may be faulty, so try a switch.
This should give you an idea of what you need to do via scripting or vi, etc.
Code:
set strong password creation policy using pam_passwdqc
# ed /etc/pam.d/system-auth << END
/password.*requisite.*pam_cracklib.so/
d
a
password required pam_passwdqc.so min=disabled,disabled,16,12,8 random=0 passphrase=0 retry=3 similar=deny enforce=everyone ask_oldauthtok
.
w
q
END
*****************
set lockout for failed password attempts
# inserts the tally line as line 5 of system-auth; tabs separate the fields
sed -i '5i\auth\trequired\tpam_tally2.so onerr=fail deny=5 audit' /etc/pam.d/system-auth
******************
use pam_deny.so to deny services
Edit PAM aware services as shown below. For example the sshd service would be
modified as shown below.
ed /etc/pam.d/sshd << END
0a
auth requisite pam_deny.so
.
w
q
END
Note: Perform this action for every service that provides authentication and supports PAM.
*******************
upgrade password hashing algorithm to SHA-512
Perform the following to configure the system as recommended:
authconfig --passalgo=sha512
Note: If it is determined that the password algorithm being used is not SHA-512, once it is changed, it is recommended that all user IDs be immediately expired and forced to change their passwords on next login. To accomplish that, the following commands can be used.
Any system accounts that need to be expired should be carefully done separately by the system administrator to prevent any potential problems.
# expire every non-system account (uid >= 500) except nfsnobody
awk -F: '( $3 >= 500 && $1 != "nfsnobody" ) { print $1 }' /etc/passwd | xargs -n 1 chage -d 0
**********************
limit password reuse
ed /etc/pam.d/system-auth << END
/password.*pam_unix.so/
s/$/ remember=12/
w
q
END
Note: The default password setting in this document is the last 5 passwords. Change this number to conform to your site's password policy.