maxlogins

Peter Garrett peter.garrett at optusnet.com.au
Sun Apr 30 01:20:16 UTC 2006


On Sat, 29 Apr 2006 20:11:06 -0400
"Darryl Clarke" <smartssa at gmail.com> wrote:

> On 4/29/06, Daniel Carrera <daniel.carrera at zmsl.com> wrote:
> > Daniel Carrera wrote:
> > >> OK - A google search on "linux limit failed logins " turned up
> > >> http://www.die.net/doc/linux/man/man8/faillog.8.html
> > >
> > > Weird... that man page is different from the one on my system. In
> > > particular, my man page doesn't mention the crucial -l option, even
> > > though the -l flag actually works.
> >
> > Weirder yet, I can't get it to work on my system. Maybe I'm using it wrong.
> >
> > # This should make all accounts disabled for 5min after a failed login.
> > sudo faillog -l 300
> >
> > Then I ssh to my own box and type bogus passwords until I'm kicked out.
> > I immediately ssh again (before the 5min are up), type the correct
> > password and I'm allowed in. It looks like faillog didn't do anything.
> >
> > :-(
> 
> Hi,
> 
> I just did a quick check and sure enough, ssh failures aren't being
> tallied up by default in /var/log/faillog
> 
> I attempted with a bogus password and noticed that running 'faillog'
> didn't show anything.
> 
> To enable it, I added a line to /etc/pam.d/common-auth
> ----
> #
> auth    required        pam_tally.so
> auth    required        pam_unix.so nullok_secure
> ----
> 
> Then a failed login attempt to ssh ended up in 'faillog' output.
> 
> And, as this shows:
> http://cvs.sourceforge.net/viewcvs.py/pam/Linux-PAM/modules/pam_tally/README?rev=1.4
> 
> There are a few options to throttle/deny access using pam_tally...
> 


These might be of interest:

http://denyhosts.sourceforge.net/
http://www.howtoforge.com/preventing_ssh_dictionary_attacks_with_denyhosts

Peter

-- 


"Hyperlinks subvert hierarchy."

-The Cluetrain Manifesto
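
A check for the situation discussed in this thread, added here as an example and not part of the original messages: it parses the text of a PAM stack file such as /etc/pam.d/common-auth and reports whether any auth rule counts failed logins, which is the precondition for faillog limits to have an effect. The function names and the sample stacks are constructed for illustration.

```python
import os

# Modules that record failed logins; pam_tally.so is the one used in this
# thread, pam_tally2.so and pam_faillock.so are its later replacements.
TALLY_MODULES = ("pam_tally.so", "pam_tally2.so", "pam_faillock.so")

def parse_pam(text):
    """Return (type, control, module, args) for each rule in a pam.d file."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        fields = line.split()
        if len(fields) < 3 or fields[0] == "@include":
            continue
        mtype = fields[0].lstrip("-")            # leading '-' only silences missing-module logging
        if fields[1].startswith("["):            # e.g. [success=1 default=ignore]
            end = next((i for i, f in enumerate(fields) if f.endswith("]")), None)
            if end is None:
                continue
            control, rest = " ".join(fields[1:end + 1]), fields[end + 1:]
        else:
            control, rest = fields[1], fields[2:]
        if rest:
            rules.append((mtype, control, os.path.basename(rest[0]), rest[1:]))
    return rules

def tally_status(text):
    """Report whether the auth stack counts failed logins at all."""
    for mtype, control, module, args in parse_pam(text):
        if mtype == "auth" and module in TALLY_MODULES:
            return {"counted": True, "module": module, "control": control, "args": args}
    return {"counted": False, "module": None, "control": None, "args": []}

# Constructed samples: a stack with no tally module, and the stack after the
# change quoted in the thread.
WITHOUT_TALLY = """\
auth    required        pam_unix.so nullok_secure
"""
WITH_TALLY = """\
#
auth    required        pam_tally.so
auth    required        pam_unix.so nullok_secure
"""

if __name__ == "__main__":
    for name, text in (("before", WITHOUT_TALLY), ("after", WITH_TALLY)):
        print(name, tally_status(text))
```
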