Thursday, September 20, 2012

Linux ssh login fail counter using pam_tally2.so


Configuration (choose ONE of the two options):

Choice 1: Configure /etc/pam.d/sshd ONLY
Add the pam_tally2.so line to the auth section, directly after pam_sepermit.so:
auth       required     pam_sepermit.so
auth       required     pam_tally2.so even_deny_root    (full options used: deny=5 unlock_time=60 even_deny_root)
※ must be exactly under pam_sepermit.so (only 1 line after)

Choice 2: Configure /etc/pam.d/password-auth ONLY

auth        required      pam_env.so
auth        required      pam_tally2.so even_deny_root

※ must be exactly under pam_sepermit.so (only 1 line after)

--------------------------------------------------------

Action: when someone's failed login count reaches 3, do something:

fail_log_watch:

#!/bin/bash
# Walk every account listed by pam_tally2 (the "Login ..." header line is dropped)
# and act on any account whose failure counter has reached 3.
pam_tally2 | grep -v Login | while read -r line
do
        test -z "$line" && exit
        # Fields: account, failure count, date, time, source address
        FAIL_ARRAY=($line)
        FAIL_ACCOUNT="${FAIL_ARRAY[0]}"
        FAIL_COUNT="${FAIL_ARRAY[1]}"
        FAIL_DATE="${FAIL_ARRAY[2]} ${FAIL_ARRAY[3]}"
        FAIL_IP="${FAIL_ARRAY[4]}"
        if (( FAIL_COUNT >= 3 ))
        then
        #==========DO SOMETHING HERE==========
                Message="Account:\"${FAIL_ACCOUNT}\", Failed Login OVER 3 times at ${FAIL_DATE} from ${FAIL_IP}"
                echo "${Message}"
        #==========DO SOMETHING HERE==========
                # After doing something, reset the counter so the same alert is not repeated
                pam_tally2 -u "${FAIL_ACCOUNT}" --reset
        fi
done
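The same parsing logic, as an added example that is not the blog's own script: it reads the five whitespace-separated fields of pam_tally2's output from a constructed sample instead of the live command, so it can be dry-run offline, and returns the accounts at or above a threshold plus the message the watcher would send. The over_threshold and alert_message names and the 3-failure threshold are this example's assumptions.

```shell
#!/bin/bash
# Added example (not the blog's own script): parse `pam_tally2` output and
# list accounts whose failure counter has reached a threshold.
# Assumes pam_tally2's default column layout:
#   Login           Failures Latest failure     From
#   alice               5    09/20/12 10:15:02  192.0.2.10

# Constructed sample output standing in for `pam_tally2` so this runs offline.
SAMPLE_TALLY='Login           Failures Latest failure     From
alice               5    09/20/12 10:15:02  192.0.2.10
bob                 1    09/20/12 10:16:40  192.0.2.11
root                3    09/20/12 10:17:05  198.51.100.7'

# over_threshold THRESHOLD  (tally output on stdin)
# Prints one record per account at or above THRESHOLD: "account count date time from".
over_threshold() {
    local threshold=$1 login failures date time from
    # Skip the header line, then read the five whitespace-separated fields.
    tail -n +2 | while read -r login failures date time from; do
        [ -z "$login" ] && continue
        # Ignore records whose counter is not a plain number (e.g. a stray line).
        case "$failures" in *[!0-9]*|'') continue ;; esac
        if [ "$failures" -ge "$threshold" ]; then
            printf '%s %s %s %s %s\n' "$login" "$failures" "$date" "$time" "$from"
        fi
    done
}

# alert_message "account count date time from" -> the alert text for that record
alert_message() {
    # Intentional word splitting of the record into $1..$5.
    set -- $1
    printf 'Account:"%s", failed login %s times at %s %s from %s' "$1" "$2" "$3" "$4" "$5"
}

# Dry run over the constructed sample. On a live host replace SAMPLE_TALLY with
# the real `pam_tally2` output and reset the counter after alerting, as the
# watcher script above does.
printf '%s\n' "$SAMPLE_TALLY" | over_threshold 3 | while read -r entry; do
    [ -n "$entry" ] && alert_message "$entry" && echo
done
```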

------------------------------------------------------------
Useful reference (mailing an alert whenever a failed login is logged):
Ref. http://www.unix.com/aix/107866-how-send-alert-email-whenever-failed-login.html

vi logwatch.sh

#!/bin/sh
# Follow the auth log and mail every new line that mentions a failed login.
LOG=/logs/userauth.log
printf "\n\n" >> ${LOG}
tail -1 -f ${LOG} |
while read LINE
do
case "${LINE}" in
*failed*)
echo "${LINE}" | mailx -s "Failed login" me@mail.com ;;
esac
done


--------------------------------------------------
/etc/pam.d/sshd

#%PAM-1.0
auth       required     pam_tally2.so deny=5 unlock_time=60 even_deny_root
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
