Wednesday, January 21, 2009

Lock user account on frequent login failures

Add the following two lines highlighted in blue to the /etc/pam.d/system-auth file as shown below:
auth required pam_env.so
auth required pam_tally.so onerr=fail per_user deny=3 reset
auth required pam_access.so
auth sufficient pam_unix.so likeauth nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account required pam_tally.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

The first added line counts failed login and failed su attempts for each user. The default location for attempted accesses is recorded in /var/log/faillog.
The second added line specifies to lock accounts automatically after 5 failed login or su attempts (deny=5). The counter will be reset to 0 (reset) on successful entry if deny=n was not exceeded.
But you don't want system or shared accounts to be locked after too many login failures (denial of service attack). To exempt system and shared accounts from the deny=n parameter. The per_user parameter instructs the module NOT to use the deny=n limit for accounts where the maximum number of login failures is set explicitly. For example:
# faillog -u root -m -1
# faillog -u root
Username Failures Maximum Latest
oracle 0 -1 Fri Dec 10 23:57:55 -0600 2005 on unknown
The faillog command with the option "-m -1" has the effect of not placing a limit on the number of failed logins. To instruct the module to activate the deny=n limit for this account again, run:
# faillog -u -m 0
To see failed login attempts, run:
# faillog
To unlock an account after too many login failures, run:
# faillog -u -r
Make sure to test these changes thoroughly on your system using e.g. ssh and su, and make sure root does not get locked!
To lock/unlock accounts manually, you can run one of the following commands:
# passwd -l
# usermod -L
# passwd -u
# usermod -U

No comments: