account lock after 3 unsuccessful attempts not happening

deep27ak · 02-15-2012, 11:33 PM

Hello

I am trying to set up account lock after 3 failed attempts of login but not getting a positive output
I followed this page as well but still no luck
http://www.linuxquestions.org/questi...-rhel5-624257/
OS :RHEL 5.2

Code:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
auth        required      pam_tally.so onerr=fail deny=3 unlock_time=60

account     required      pam_tally.so reset
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

cbtshare · 02-16-2012, 12:25 AM

all you need to modify is :

Quote:

auth required pam_tally.so no_magic_root
account required pam_tally.so deny=3 no_magic_root lock_time=180

I think auth required pam_tally.so onerr=fail , is messing up

deep27ak · 02-16-2012, 01:12 AM

still no luck
something similar was here as well
http://www.cyberciti.biz/tips/rhel-c...led-login.html

here is my current system-auth file

Code:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
auth        required      pam_tally.so no_magic_root

account     required      pam_tally.so deny=3 no_magic_root lock_time=180
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

I am trying to login on putty and still it goes for 7 attempts before the session gives an error "too many authentication failures for root"
do I need to restart some service or restart the machine to take place changes?

cbtshare · 02-16-2012, 01:31 AM

when you do

Quote:

tail -f /var/log/secure

, do you see the user and log attempts or evidence pam is working?

edit:
ahhh, didn't know its ssh attempts.You need to install csf and then you can limit ssh access login attempt.

Or simply use iptables

Quote:

iptables -N SSH_CHECK
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
iptables -A SSH_CHECK -m recent --set --name SSH
iptables -A SSH_CHECK -m recent --update --seconds 60 --hitcount 3 --name SSH -j DROP

deep27ak · 02-16-2012, 01:33 AM

Code:

# tail -f /var/log/secure
Feb 16 12:50:01 server crond[9595]: pam_tally(crond:account): option lock_time=180 allowed in auth phase only
Feb 16 13:00:01 server crond[9622]: pam_tally(crond:account): option deny=3 allowed in auth phase only
Feb 16 13:00:01 server crond[9622]: pam_tally(crond:account): unknown option: no_magic_root
Feb 16 13:00:01 server crond[9622]: pam_tally(crond:account): option lock_time=180 allowed in auth phase only
Feb 16 13:00:01 server crond[9623]: pam_tally(crond:account): option deny=3 allowed in auth phase only
Feb 16 13:00:01 server crond[9623]: pam_tally(crond:account): unknown option: no_magic_root
Feb 16 13:00:01 server crond[9623]: pam_tally(crond:account): option lock_time=180 allowed in auth phase only
Feb 16 13:01:01 server crond[9639]: pam_tally(crond:account): option deny=3 allowed in auth phase only
Feb 16 13:01:01 server crond[9639]: pam_tally(crond:account): unknown option: no_magic_root
Feb 16 13:01:01 server crond[9639]: pam_tally(crond:account): option lock_time=180 allowed in auth phase only

It seems my OS is unable to recognise the option "no_magic_root"
Does it works for RHEL?

cbtshare · 02-16-2012, 01:56 AM

the following works for rhel5 and above, the old pam settings you had work for rhel4

Code:


auth required pam_env.so
auth required pam_tally.so onerr=fail magic_root
auth required pam_tally.so deny=3 magic_root
auth sufficient pam_unix.so likeauth nullok
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_succeed_if.so uid < 100 quiet
account required pam_permit.so

password requisite pam_cracklib.so retry=3 minlen=8 dcredit=0 ucredit=0 lcredit=0 ocredit=0 type=0
password sufficient pam_unix.so remember=7 use_authtok md5 shadow
password required pam_deny.so

session required pam_limits.so
session required pam_unix.so

deep27ak · 02-16-2012, 03:03 AM

I am still not able get any positive o/p

Code:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
auth        required      pam_tally.so deny=3 magic_root

account     required      pam_tally.so
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

cbtshare · 02-16-2012, 02:22 PM

the exact code in pam works, I'd suggest, make a bakup of your original and remove everything a enter the following.It works..

Quote:

auth required pam_env.so
auth required pam_tally.so onerr=fail magic_root
auth required pam_tally.so deny=3 magic_root
auth sufficient pam_unix.so likeauth nullok
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_succeed_if.so uid < 100 quiet
account required pam_permit.so

password requisite pam_cracklib.so retry=3 minlen=8 dcredit=0 ucredit=0 lcredit=0 ocredit=0 type=0
password sufficient pam_unix.so remember=7 use_authtok md5 shadow
password required pam_deny.so

session required pam_limits.so
session required pam_unix.so

deep27ak · 02-17-2012, 12:50 AM

I used your config file instead of mine but still no success

as it prompts me for 7 times before session lock

Code:

auth required pam_env.so
auth required pam_tally.so onerr=fail magic_root
auth required pam_tally.so deny=3 magic_root
auth sufficient pam_unix.so likeauth nullok
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_succeed_if.so uid < 100 quiet
account required pam_permit.so

password requisite pam_cracklib.so retry=3 minlen=8 dcredit=0 ucredit=0 lcredit=0 ocredit=0 type=0
password sufficient pam_unix.so remember=7 use_authtok md5 shadow
password required pam_deny.so

session required pam_limits.so
session required pam_unix.so

Code:

#cat /var/log/secure
Feb 17 17:20:01 server crond[3111]: pam_unix(crond:session): session closed for user root
Feb 17 17:30:01 server crond[3129]: pam_unix(crond:session): session opened for user root by (uid=0)
Feb 17 17:30:01 server crond[3129]: pam_unix(crond:session): session closed for user root
Feb 17 17:31:23 server sshd[3133]: Failed password for root from 10.10.10.30 port 51509 ssh2
Feb 17 17:31:25 server last message repeated 5 times
Feb 17 17:31:25 server sshd[3134]: Disconnecting: Too many authentication failures for root
Feb 17 17:40:01 server crond[3149]: pam_unix(crond:session): session opened for user root by (uid=0)
Feb 17 17:40:01 server crond[3149]: pam_unix(crond:session): session closed for user root
Feb 17 17:47:08 server sshd[3161]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.30  user=root
Feb 17 17:47:11 server sshd[3161]: Failed password for root from 10.10.10.30 port 51642 ssh2
Feb 17 17:47:20 server last message repeated 3 times
Feb 17 17:47:22 server sshd[3162]: Connection closed by 10.10.10.30
Feb 17 17:47:22 server sshd[3161]: PAM 3 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.30  user=root
Feb 17 17:47:22 server sshd[3161]: PAM service(sshd) ignoring max retries; 4 > 3
Feb 17 17:47:27 server gdm[3056]: pam_unix(gdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=root
Feb 17 17:47:42 server last message repeated 3 times
Feb 17 17:47:56 server sshd[3165]: Accepted password for root from 10.10.10.30 port 51644 ssh2
Feb 17 17:47:56 server sshd[3165]: pam_unix(sshd:session): session opened for user root by (uid=0)

cbtshare · 02-17-2012, 04:50 PM

change this line

Quote:

password sufficient pam_unix.so remember=7 use_authtok md5 shadow

to

Quote:

password sufficient pam_unix.so remember=3 use_authtok md5 shadow

see if that does it

zer0python · 02-17-2012, 05:26 PM

If you are only checking by ssh, it may be that (assumption ->) OpenSSH is not configured to use pam. (The default UsePAM value is set to `no'[1]) You can validate using grep like so:

Code:

$ grep UsePAM /etc/ssh/sshd_config # The location of sshd_config may differ on your machine.
UsePAM yes
$

If OpenSSH is not configured to use pam then the pam_tally module will never be triggered.
update your sshd_config file if needed, and restart sshd.

[1] man 5 sshd_config # search for UsePAM

deep27ak · 02-27-2012, 12:29 AM

Sorry for the late reply

Quote:

Originally Posted by cbtshare

change this line
to
see if that does it

Nothing seems to be working

Now I was trying the same on my centos6 machine and the logs are quite surprising

Code:

#cat /var log/secure
Feb 27 11:39:54 server sshd[3677]: Failed password for root from 10.10.10.30 port 57619 ssh2
Feb 27 11:44:53 server sshd[3704]: Failed password for root from 10.10.10.30 port 57744 ssh2
Feb 27 11:44:54 server sshd[3704]: Failed password for root from 10.10.10.30 port 57744 ssh2
Feb 27 11:44:54 server sshd[3704]: Failed password for root from 10.10.10.30 port 57744 ssh2
Feb 27 11:44:57 server sshd[3705]: Connection closed by 10.10.10.30
Feb 27 11:45:54 server sshd[3710]: Failed password for root from 10.10.10.30 port 57752 ssh2
Feb 27 11:45:54 server sshd[3710]: Failed password for root from 10.10.10.30 port 57752 ssh2
Feb 27 11:45:55 server sshd[3710]: Failed password for root from 10.10.10.30 port 57752 ssh2
Feb 27 11:45:55 server sshd[3710]: Failed password for root from 10.10.10.30 port 57752 ssh2
Feb 27 11:45:56 server sshd[3711]: Disconnecting: Too many authentication failures for root
Feb 27 11:45:56 server sshd[3710]: Failed password for root from 10.10.10.30 port 57752 ssh2
Feb 27 11:47:52 server sshd[3717]: Failed password for root from 10.10.10.30 port 57756 ssh2
Feb 27 11:47:53 server sshd[3717]: Failed password for root from 10.10.10.30 port 57756 ssh2
Feb 27 11:47:53 server sshd[3717]: Failed password for root from 10.10.10.30 port 57756 ssh2
Feb 27 11:47:53 server sshd[3717]: Failed password for root from 10.10.10.30 port 57756 ssh2
Feb 27 11:47:54 server sshd[3717]: Failed password for root from 10.10.10.30 port 57756 ssh2
Feb 27 11:47:54 server sshd[3718]: Disconnecting: Too many authentication failures for root
Feb 27 11:48:11 server pam: gdm-password[2029]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=root
Feb 27 11:48:18 server pam: gdm-password[3722]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=root
Feb 27 11:48:23 server pam: gdm-password[3723]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=root
Feb 27 11:48:30 server pam: gdm-password[3724]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=root
Feb 27 11:48:35 server pam: gdm-password[3725]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=root
Feb 27 11:48:39 server pam: gdm-password[3727]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=root
Feb 27 11:48:45 server pam: gdm-password[3728]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=root
Feb 27 11:50:28 server sshd[3737]: Failed password for root from 10.10.10.30 port 57761 ssh2
Feb 27 11:50:28 server sshd[3737]: Failed password for root from 10.10.10.30 port 57761 ssh2
Feb 27 11:50:29 server sshd[3737]: Failed password for root from 10.10.10.30 port 57761 ssh2
Feb 27 11:50:29 server sshd[3737]: Failed password for root from 10.10.10.30 port 57761 ssh2
Feb 27 11:50:29 server sshd[3738]: Disconnecting: Too many authentication failures for root
Feb 27 11:50:29 server sshd[3737]: Failed password for root from 10.10.10.30 port 57761 ssh2
Feb 27 11:51:36 server sshd[3745]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.30  user=root
Feb 27 11:51:38 server sshd[3745]: Failed password for root from 10.10.10.30 port 57764 ssh2
Feb 27 11:51:39 server sshd[3745]: Failed password for root from 10.10.10.30 port 57764 ssh2
Feb 27 11:51:39 server sshd[3745]: Failed password for root from 10.10.10.30 port 57764 ssh2
Feb 27 11:51:40 server sshd[3745]: Failed password for root from 10.10.10.30 port 57764 ssh2
Feb 27 11:51:40 server sshd[3745]: Failed password for root from 10.10.10.30 port 57764 ssh2
Feb 27 11:51:40 server sshd[3745]: Failed password for root from 10.10.10.30 port 57764 ssh2
Feb 27 11:51:40 server sshd[3746]: Disconnecting: Too many authentication failures for root
Feb 27 11:51:57 server sshd[3750]: Failed password for root from 10.10.10.30 port 57765 ssh2
Feb 27 11:51:57 server sshd[3750]: Failed password for root from 10.10.10.30 port 57765 ssh2
Feb 27 11:51:57 server sshd[3750]: Failed password for root from 10.10.10.30 port 57765 ssh2
Feb 27 11:51:58 server sshd[3750]: Failed password for root from 10.10.10.30 port 57765 ssh2
Feb 27 11:51:58 server sshd[3751]: Disconnecting: Too many authentication failures for root
Feb 27 11:51:58 server sshd[3750]: Failed password for root from 10.10.10.30 port 57765 ssh2

why is it every time changing the port no. I have not changed the default ssh port no. so it should be using 22 but here I see something different?

I followed this blog and made ferw changes pam_tally2.so and the list of files showed me that my pam uses pam_tally2 instead of pam_tally
http://www.linuxarticles.org/2010/10...ogin-attempts/

Code:

#cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
auth        required      pam_tally2.so deny=3 onerr=fail unlock_time=900

account     required      pam_tally2.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

Code:

# pam_tally2 -u root
Login           Failures Latest failure     From
root                1    02/27/12 11:51:36  10.10.10.30

what should I do to make it working