Locking user accounts after a certain number of failed login attempts is a useful security feature & is implemented in many enterprise environments. In this article we implement this feature using the pam_faillock & pam_tally2 modules.
1. Using pam_faillock:
To lock a user account for 10 minutes after 4 failed login attempts, modify the /etc/pam.d/password-auth & /etc/pam.d/system-auth files as follows (system-auth is shown):
[root@rtest pam.d]# cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faillock.so preauth silent audit deny=4 unlock_time=600
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=4
auth sufficient pam_faillock.so authsucc audit deny=4
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_faillock.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=5 type= minlen=8 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=10
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
To test this out, I created a user called testuser, logged in as that user & supplied the incorrect password more than 4 times, & the account was locked. This can be confirmed from the /var/log/secure file:
[root@rtest ~]# grep faillock /var/log/secure
Sep 6 19:06:42 rtest su: pam_faillock(su-l:auth): Consecutive login failures for user test account temporarily locked
Sep 6 19:45:49 rtest su: pam_faillock(su-l:auth): Consecutive login failures for user test1 account temporarily locked
Sep 7 14:53:00 rtest sshd[6814]: pam_faillock(sshd:auth): Consecutive login failures for user testuser account temporarily locked
To view the authentication failure records for a user, type: faillock --user <user name>
[root@rtest ~]# faillock --user testuser
testuser:
When Type Source Valid
2016-09-07 15:01:49 RHOST jump V
2016-09-07 15:02:00 RHOST jump V
2016-09-07 15:02:07 RHOST jump V
2016-09-07 15:02:16 RHOST jump V
To reset the authentication failure records for a user, type: faillock --reset --user <user name>
faillock --reset --user testuser
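The three pam_faillock auth lines only work as a set, and their position relative to pam_unix.so matters: preauth must run before the password is checked, authfail and authsucc after it. The following POSIX shell script is an added example (not code from the original article) that lints a PAM file for exactly those points and for a consistent deny= value; the temporary file names and the sample configurations it writes are constructed for the demonstration. Run it against both /etc/pam.d/system-auth and /etc/pam.d/password-auth, since the sshd service on these systems includes password-auth rather than system-auth.

```shell
#!/bin/sh
# Added example, not code from the original article: lint the pam_faillock
# stack in a PAM file such as /etc/pam.d/system-auth.  It checks that
#   - the preauth line exists and precedes pam_unix.so
#   - the authfail and authsucc lines exist and follow pam_unix.so
#   - every pam_faillock auth line carries the same deny= value
#   - the account stack calls pam_faillock.so
# File names and the sample configurations below are constructed.

# Print the line number of the first "auth" entry that loads module $2 and,
# when $3 is non-empty, also contains keyword $3; print nothing if absent.
pam_auth_line() {
    awk -v mod="$2" -v kw="$3" '
        $1 == "auth" && index($0, mod) && (kw == "" || index($0, kw)) {
            print NR; exit
        }' "$1"
}

# Verdict for one PAM file: prints "OK" or "FAIL: <reason>", returns 0 or 1.
check_faillock_stack() {
    f="$1"
    pre=$(pam_auth_line "$f" pam_faillock.so preauth)
    unix=$(pam_auth_line "$f" pam_unix.so "")
    fail=$(pam_auth_line "$f" pam_faillock.so authfail)
    succ=$(pam_auth_line "$f" pam_faillock.so authsucc)
    acct=$(awk '$1 == "account" && index($0, "pam_faillock.so") { print NR; exit }' "$f")
    # number of distinct deny= settings across the pam_faillock auth lines
    ndeny=$(awk '$1 == "auth" && index($0, "pam_faillock.so") {
                for (i = 1; i <= NF; i++) if ($i ~ /^deny=/) seen[$i] = 1
            } END { n = 0; for (k in seen) n++; print n }' "$f")

    [ -n "$unix" ] || { echo "FAIL: no pam_unix.so auth line"; return 1; }
    [ -n "$pre" ]  || { echo "FAIL: missing preauth line"; return 1; }
    [ -n "$fail" ] || { echo "FAIL: missing authfail line"; return 1; }
    [ -n "$succ" ] || { echo "FAIL: missing authsucc line"; return 1; }
    [ "$pre" -lt "$unix" ] || { echo "FAIL: preauth must precede pam_unix.so"; return 1; }
    [ "$fail" -gt "$unix" ] && [ "$succ" -gt "$unix" ] \
        || { echo "FAIL: authfail/authsucc must follow pam_unix.so"; return 1; }
    [ -n "$acct" ] || { echo "FAIL: account stack lacks pam_faillock.so"; return 1; }
    [ "$ndeny" -eq 1 ] || { echo "FAIL: deny= differs between pam_faillock lines"; return 1; }
    echo "OK"
}

# Constructed samples: the article's stack, the same stack with the authfail
# line dropped (failures are then never counted), and one with a mismatched
# deny= on the authsucc line.  Files are left in the temporary directory.
TMPD=$(mktemp -d)
GOOD="$TMPD/system-auth.good"
BAD="$TMPD/system-auth.bad"
MISMATCH="$TMPD/system-auth.mismatch"
cat > "$GOOD" <<'EOF'
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent audit deny=4 unlock_time=600
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=4
auth        sufficient    pam_faillock.so authsucc audit deny=4
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
EOF
grep -v authfail "$GOOD" > "$BAD"
sed 's/authsucc audit deny=4/authsucc audit deny=5/' "$GOOD" > "$MISMATCH"

for f in "$GOOD" "$BAD" "$MISMATCH"; do
    printf '%s: %s\n' "$(basename "$f")" "$(check_faillock_stack "$f" || true)"
done
```

Because the header of system-auth warns that authconfig regenerates the file, re-run the check after any authconfig invocation; a regenerated file silently drops the faillock lines and logins stop being counted.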
2. Using pam_tally2:
To lock a user account for 5 minutes after 3 failed login attempts, modify the /etc/pam.d/password-auth & /etc/pam.d/system-auth files as follows (system-auth is shown):
[root@centdb /]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_tally2.so deny=3 onerr=fail unlock_time=300
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_tally2.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
[root@centdb /]#
To test this out, I created a user called testuser, logged in as that user & supplied the incorrect password more than 3 times, & the account was locked. This can be confirmed from the /var/log/secure file:
Sep 6 23:40:02 centdb sshd[4706]: Disconnecting: Too many authentication failures for testuser
Sep 6 23:40:02 centdb sshd[4704]: Failed password for testuser from 192.168.10.1 port 59291 ssh2
Sep 6 23:40:02 centdb sshd[4704]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=sbill1b.syd.hutch.com.au user=testuser
Sep 6 23:40:02 centdb sshd[4704]: PAM service(sshd) ignoring max retries; 6 > 3
Sep 6 23:41:41 centdb sshd[4734]: pam_tally2(sshd:auth): user testuser (502) tally 7, deny 3
To check the failed login count for a user, type:
[root@centdb /]# pam_tally2 -u testuser
Login Failures Latest failure From
testuser 0
[root@centdb /]#
To reset the failed login counter for a user, type: pam_tally2 -r -u <user name>
[root@centdb /]# pam_tally2 -r -u testuser
Login Failures Latest failure From
testuser 7 09/06/16 23:41:41 test.com.in
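Both modules write a distinctive line to /var/log/secure when a lock is applied: pam_faillock logs "account temporarily locked" and pam_tally2 logs the current "tally N, deny M" pair. The shell/awk function below is an added example (not code from the original article) that summarises lock events per user from both formats, counting a pam_tally2 line as a lock only when tally has reached deny. The log lines are constructed, modelled on the samples shown above; the LOG path is an assumption and would be /var/log/secure on a real host.

```shell
#!/bin/sh
# Added example, not code from the original article: count lock events per
# user from /var/log/secure for both pam_faillock and pam_tally2.
# The log excerpt below is constructed in the formats the article shows.

# Print "<user> <lock-events>" for every user that pam_faillock reported as
# temporarily locked, or that pam_tally2 logged with tally >= deny.
lockout_summary() {
    awk '
        # pam_faillock: "... Consecutive login failures for user <u> account temporarily locked"
        /pam_faillock\(/ && /account temporarily locked/ {
            for (i = 1; i <= NF; i++) if ($i == "user") { n[$(i + 1)]++; break }
            next
        }
        # pam_tally2: "... pam_tally2(sshd:auth): user <u> (<uid>) tally <t>, deny <d>"
        /pam_tally2\(.*tally [0-9]+, deny [0-9]+/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "user")  u = $(i + 1)
                if ($i == "tally") t = $(i + 1) + 0   # "+ 0" drops the trailing comma
                if ($i == "deny")  d = $(i + 1) + 0
            }
            if (t >= d) n[u]++
        }
        END { for (u in n) print u, n[u] }' "$1" | LC_ALL=C sort
}

# Constructed sample log (left in place so the summary can be re-run).
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Sep  6 19:06:42 rtest su: pam_faillock(su-l:auth): Consecutive login failures for user test account temporarily locked
Sep  6 19:45:49 rtest su: pam_faillock(su-l:auth): Consecutive login failures for user test1 account temporarily locked
Sep  7 14:53:00 rtest sshd[6814]: pam_faillock(sshd:auth): Consecutive login failures for user testuser account temporarily locked
Sep  7 15:02:16 rtest sshd[6901]: pam_faillock(sshd:auth): Consecutive login failures for user testuser account temporarily locked
Sep  6 23:40:02 centdb sshd[4704]: Failed password for testuser from 192.168.10.1 port 59291 ssh2
Sep  6 23:41:41 centdb sshd[4734]: pam_tally2(sshd:auth): user testuser (502) tally 7, deny 3
Sep  6 23:50:10 centdb sshd[4760]: pam_tally2(sshd:auth): user alice (503) tally 2, deny 3
EOF

lockout_summary "$LOG"
```

On the sample above the summary lists test and test1 once each and testuser three times (two faillock locks plus one tally2 line at or over its deny), while alice, at tally 2 of 3, is not reported. A user appearing repeatedly here within a short window is worth correlating with the "Failed password ... from <address>" lines that sshd writes alongside them.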
Apart from the account-locking features explained above, another user-level security feature is password complexity.
This can be implemented by replacing the line:
password requisite pam_cracklib.so try_first_pass retry=3 type=
with the following line:
password requisite pam_cracklib.so try_first_pass retry=5 type= minlen=8 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
in the password-auth & system-auth files.
Before I end this article, there are two little ssh tricks I'd like to mention for another layer of security:
1. Add the following lines to your sshd_config file & restart the sshd service:
ClientAliveInterval 60
ClientAliveCountMax 0
This will disconnect any ssh session that has remained idle for more than 60 seconds.
2. Add the following lines to the sshd_config file & restart the sshd service:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha1,hmac-ripemd160
Restricting sshd to these ciphers & MACs provides a layer of protection against some OpenSSH-related vulnerabilities.
Hi, I followed the pam_faillock steps as mentioned above; logs are getting generated in /var/log/secure, but the account is not getting locked. I am able to log in to the account immediately after 4 failures.