LinuxQuestions.org
Old 11-22-2004, 10:54 AM   #1
wvrhlu
Member
 
Registered: Mar 2003
Location: Eastern Panhandle of WV
Distribution: RH 7.3
Posts: 39

Rep: Reputation: 15
Restricting Login Access


Greetings,

I am currently trying to lock down my system a little bit better than just the default settings. I am trying to restrict access to the system by implementing restrictions on the number of logins and the grace period between password authentication.

I had made changes to my test box that worked just fine, but when I made the same changes to another test box, same configuration, version, etc, it doesn't seem to want to work.

I made changes to login.defs (though I've read that it's been deprecated):

LOGIN_RETRIES 3
LOGIN_TIMEOUT 60

to sshd_config:

LoginGraceTime 60
PermitRootLogin no

to pam.d/

auth required /lib/security/pam_tally.so onerr=fail no_magic_root
account required /lib/security/pam_tally.so deny=3 no_magic_root reset

and security/access.conf

-:wheel:ALL EXCEPT LOCAL


However, when I ssh to the box and fat-finger the login, the password prompt is returned again and again, rather than disconnecting the session after 3 attempts.

I restarted sshd and xinetd, but no luck. Any ideas?
 
Old 11-22-2004, 11:34 AM   #2
bignerd
Member
 
Registered: Nov 2004
Distribution: FC1, Gentoo, Mdk 8.1, RH7-8-9, Knoppix, Zuarus rom 3.13
Posts: 98

Rep: Reputation: 15
I do not believe login.defs defines the actions for your ssh daemon (sshd).

You could try adding the line:

password required /lib/security/pam_cracklib.so retry=3

To your sshd pam config file located in:

/etc/pam.d/sshd

Ideally that line should go just above any other password line. You'll need to stop/start your sshd for this to take effect.

Hope this helps.

-b
 
Old 11-22-2004, 11:47 AM   #3
wvrhlu
Member
 
Registered: Mar 2003
Location: Eastern Panhandle of WV
Distribution: RH 7.3
Posts: 39

Original Poster
Rep: Reputation: 15
Thanks for the info, but I don't think that's it. I don't have that on my other test box and it works fine. Just for giggles, I did add the line to my other box, but the change is not effective.
 
Old 11-22-2004, 01:08 PM   #4
bignerd
Member
 
Registered: Nov 2004
Distribution: FC1, Gentoo, Mdk 8.1, RH7-8-9, Knoppix, Zuarus rom 3.13
Posts: 98

Rep: Reputation: 15
That's very interesting. This is for RH 7.3?

-b
 
Old 11-22-2004, 01:15 PM   #5
wvrhlu
Member
 
Registered: Mar 2003
Location: Eastern Panhandle of WV
Distribution: RH 7.3
Posts: 39

Original Poster
Rep: Reputation: 15
Nope. RHEL 3.0 (Red Hat Enterprise Linux)

Last edited by wvrhlu; 11-22-2004 at 03:00 PM.
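
Added example (not part of the thread and not any poster's code): a shell function that reports whether a PAM service file has active pam_tally entries in both the auth and account stacks and what deny= is set to, so the output can be compared between the two test boxes. Which file to check is an assumption (for sshd, the /etc/pam.d/sshd path mentioned in reply #2); sample_pam and check_tally are names made up here, and the sample file is constructed.

```sh
#!/bin/sh
# Added example: summarise pam_tally use in one PAM service file.

# Constructed sample: the two pam_tally lines from the first post plus
# filler lines, standing in for a real service file.
sample_pam() {
cat <<'EOF'
#%PAM-1.0
auth     required  /lib/security/pam_tally.so onerr=fail no_magic_root
auth     required  /lib/security/pam_unix.so
account  required  /lib/security/pam_tally.so deny=3 no_magic_root reset
EOF
}

# check_tally FILE: print one line per active pam_tally entry and return
# non-zero if the auth or account entry is missing or deny= is not a number.
check_tally() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk '
        /^[ \t]*#/ { next }                       # commented-out entries do not count
        {
            m = 0                                 # field index of the module path
            for (i = 3; i <= NF; i++)
                if ($i ~ /pam_tally\.so$/) { m = i; break }
            if (!m) next
            type = $1; sub(/^-/, "", type)        # tolerate the optional "-" prefix
            ctl = $2                              # control may be a bracketed list
            for (i = 3; i < m; i++) ctl = ctl " " $i
            deny = "unset"
            for (i = m + 1; i <= NF; i++)
                if ($i ~ /^deny=/) deny = substr($i, 6)
            seen[type] = 1
            if (type == "account") acct_deny = deny
            printf "%s control=%s deny=%s\n", type, ctl, deny
        }
        END {
            if (!seen["auth"])    { print "MISSING: auth pam_tally entry"; bad = 1 }
            if (!seen["account"]) { print "MISSING: account pam_tally entry"; bad = 1 }
            else if (acct_deny !~ /^[0-9]+$/) { print "account entry has no numeric deny="; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Demo on the constructed sample; on a real box pass the service file instead.
tmp=$(mktemp) && sample_pam > "$tmp" && check_tally "$tmp"
rm -f "$tmp"
```

Running check_tally against the same service file on both boxes and diffing the output shows whether the pam_tally entries are really identical and active on each.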
 
  

