Linux server hardening is one of the important tasks for sysadmins when it comes to production servers. It is recommended to enable a login or SSH attempts policy, meaning a user's account should be locked automatically after n incorrect login or SSH attempts.
In Linux distributions like CentOS, RHEL and Fedora this is achieved using the PAM module "pam_faillock", and for Debian-like distributions it can be achieved using the "pam_tally2" PAM module.
In this tutorial we will learn how to lock user accounts after n incorrect login attempts in CentOS, RHEL, Fedora, Debian and Ubuntu.
For CentOS / RHEL / Fedora
Add the following lines to the two files /etc/pam.d/password-auth and /etc/pam.d/system-auth:
auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
account required pam_faillock.so
Where:
- audit –> enables audit logging of the user's login attempts in the secure log file
- deny=3 –> locks the user after 3 unsuccessful login attempts; you can change this number as per your requirement
- unlock_time=600 –> the user's account will remain locked for 10 minutes (600 seconds); if you want the account to be locked forever, set this parameter to "unlock_time=never"
Note: To lock the root account as well after n incorrect logins, add the "even_deny_root" parameter to the auth section lines, as shown below:
auth required pam_faillock.so preauth silent audit even_deny_root deny=3 unlock_time=600
auth [default=die] pam_faillock.so authfail audit even_deny_root deny=3 unlock_time=600
As we can see above, we have two lines for the auth section and one line for the account section; order is very important while adding these lines to the files. The example below shows where these lines need to be added:
[root@linuxtechi ~]# vi /etc/pam.d/password-auth
[root@linuxtechi ~]# vi /etc/pam.d/system-auth
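Because the placement of the two auth lines relative to pam_unix.so decides whether the counter is ever consulted, it is worth checking the result mechanically after editing. The script below is an added example and not part of the original article; it assumes the usual RHEL/CentOS layout, where the first "auth ... pam_unix.so" line is the password check, so the "preauth" line must come before it and the "authfail" line after it, and an "account ... pam_faillock.so" line must exist. The two sample stack files it writes are constructed for the demonstration; the real files are /etc/pam.d/password-auth and /etc/pam.d/system-auth.

```shell
#!/bin/sh
# Added example (not from the original article): verify that the pam_faillock
# lines sit in the right place in a PAM stack file. Assumed layout: the first
# "auth ... pam_unix.so" line is the password check; "preauth" must precede it,
# "authfail" must follow it, and an "account ... pam_faillock.so" line must exist.

# first_match FILE REGEX -> line number of the first line matching REGEX, or empty
first_match() {
    grep -n "$2" "$1" | head -n 1 | cut -d: -f1
}

# check_faillock_order FILE -> returns 0 when the stack is correctly ordered, 1 otherwise
check_faillock_order() {
    file="$1"
    pre=$(first_match "$file" '^auth[[:space:]].*pam_faillock\.so.*preauth')
    unix=$(first_match "$file" '^auth[[:space:]].*pam_unix\.so')
    fail=$(first_match "$file" '^auth[[:space:]].*pam_faillock\.so.*authfail')
    acct=$(first_match "$file" '^account[[:space:]].*pam_faillock\.so')

    if [ -z "$pre" ] || [ -z "$fail" ] || [ -z "$acct" ]; then
        echo "$file: pam_faillock line(s) missing (preauth=${pre:-none} authfail=${fail:-none} account=${acct:-none})"
        return 1
    fi
    if [ -z "$unix" ]; then
        echo "$file: no 'auth ... pam_unix.so' line found, cannot judge ordering"
        return 1
    fi
    if [ "$pre" -lt "$unix" ] && [ "$fail" -gt "$unix" ]; then
        echo "$file: OK (preauth line $pre < pam_unix line $unix < authfail line $fail; account line $acct)"
        return 0
    fi
    echo "$file: WRONG ORDER (preauth line $pre, pam_unix line $unix, authfail line $fail)"
    return 1
}

# write_good_sample FILE: constructed stack with the article's lines in the right order
write_good_sample() {
    cat > "$1" <<'EOF'
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
EOF
}

# write_bad_sample FILE: constructed stack where both pam_faillock auth lines were
# simply appended after pam_unix.so, so preauth never runs before the password check
write_bad_sample() {
    cat > "$1" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth        [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
EOF
}

# Usage: sh check_faillock.sh /etc/pam.d/password-auth /etc/pam.d/system-auth
# Without arguments it runs against the two constructed samples above.
if [ $# -gt 0 ]; then
    for f in "$@"; do check_faillock_order "$f" || :; done
else
    good=$(mktemp) && bad=$(mktemp)
    write_good_sample "$good"; write_bad_sample "$bad"
    check_faillock_order "$good" || :
    check_faillock_order "$bad" || :
    rm -f "$good" "$bad"
fi
```

Run it with the two real file paths as arguments after editing; a non-zero exit from the check is the signal to look at the file again before restarting sshd.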
After making changes in both files, restart the SSH service using the systemctl command below:
[root@linuxtechi ~]# systemctl restart sshd
Let's test whether the user account gets locked after three unsuccessful login attempts.
Let's assume we have a local account named "pkumar"; we will try to SSH into our Linux system with this account using incorrect passwords:
$ ssh pkumar@192.168.29.206
pkumar@192.168.29.206's password:
pkumar@192.168.29.206's password:
pkumar@192.168.29.206's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
Now view the secure log using the tail command:
[root@linuxtechi ~]# tail /var/log/secure
The above logs confirm that the account has been locked after three incorrect login attempts; let's verify with the faillock command as well:
[root@linuxtechi ~]# faillock --user pkumar
pkumar:
When                Type  Source           Valid
2019-12-15 01:50:39 RHOST 192.168.29.157   V
2019-12-15 01:50:43 RHOST 192.168.29.157   V
2019-12-15 01:50:47 RHOST 192.168.29.157   V
[root@linuxtechi ~]#
To flush or clear these unsuccessful login attempts, execute the following faillock command:
[root@linuxtechi ~]# faillock --user pkumar --reset
[root@linuxtechi ~]# faillock --user pkumar
pkumar:
When                Type  Source           Valid
[root@linuxtechi ~]#
Let's move on to Debian-like distributions (Ubuntu, Linux Mint and Debian).
For Debian, Ubuntu and Linux Mint
Add the following line to the file "/etc/pam.d/common-auth":
auth required pam_tally2.so onerr=fail deny=3 unlock_time=600 audit
If you wish to lock the root account as well after three incorrect logins, add the following line instead:
auth required pam_tally2.so onerr=fail deny=3 unlock_time=600 audit even_deny_root root_unlock_time=600
Where:
- onerr=fail –> in case of an internal error, return a failure
- deny=3 –> after three unsuccessful login attempts the account will be locked
- unlock_time=600 –> the account will remain locked for 10 minutes (600 seconds)
- audit –> audit the login attempts in the audit log file
- even_deny_root –> lock the root account too after three incorrect logins
- root_unlock_time=600 –> the root account will remain locked for 10 minutes (600 seconds) after 3 unsuccessful login attempts
Let's add the line discussed above to the file "/etc/pam.d/common-auth" using the vi editor:
pkumar@ubuntu-linux:~$ sudo vi /etc/pam.d/common-auth
After making the above changes, save and exit the file and restart the SSH service using the following command:
pkumar@ubuntu-linux:~$ sudo systemctl restart sshd
Let's test whether accounts are locked after 3 incorrect SSH logins.
Let's assume we have a local "devops" user; we will try to SSH into the Ubuntu system with incorrect passwords:
$ ssh devops@192.168.29.107
devops@192.168.29.107's password:
devops@192.168.29.107's password:
devops@192.168.29.107's password:
Permission denied (publickey,password).
Now view the auth log file to see whether the incorrect login attempts were captured:
pkumar@ubuntu-linux:~$ tail /var/log/auth.log
The above logs confirm that the account has been locked; let's verify with the pam_tally2 command:
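Both the CentOS/RHEL check above (tail /var/log/secure) and the Ubuntu check here (tail /var/log/auth.log) rely on reading the sshd failure lines by eye. The script below is an added example and not part of the original article: it tallies sshd "Failed password for ..." lines per user and source address and reports the pairs that have reached the deny threshold, which is what the PAM counter is doing for you. It reads a /var/log/secure or /var/log/auth.log style file; the hostnames, PIDs, users and addresses in the sample log it writes are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original article): tally sshd password failures per
# (user, source) from a /var/log/secure or /var/log/auth.log style file and report
# the pairs at or above the deny threshold. Only sshd "Failed password for ..." lines
# are parsed; everything in the sample log below is constructed for this example.

# report_lockouts LOGFILE DENY -> one "user source failures" line per pair with failures >= DENY
report_lockouts() {
    awk -v deny="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            user = ""; src = ""
            for (i = 1; i <= NF; i++) {
                # "... for NAME from ADDR ..." or "... for invalid user NAME from ADDR ..."
                if ($i == "for") user = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1)
                if ($i == "from") src = $(i + 1)
            }
            if (user != "" && src != "") count[user " " src]++
        }
        END { for (k in count) if (count[k] >= deny) print k, count[k] }
    ' "$1" | sort
}

# write_sample_log FILE: constructed log mixing three failures for one user from one
# address (enough for deny=3), one failure for another user, two failures for a
# non-existent user, and one successful login that must be ignored
write_sample_log() {
    cat > "$1" <<'EOF'
Dec 15 01:50:39 linuxtechi sshd[2410]: Failed password for pkumar from 192.168.29.157 port 50212 ssh2
Dec 15 01:50:43 linuxtechi sshd[2410]: Failed password for pkumar from 192.168.29.157 port 50212 ssh2
Dec 15 01:50:47 linuxtechi sshd[2410]: Failed password for pkumar from 192.168.29.157 port 50212 ssh2
Dec 15 01:51:02 linuxtechi sshd[2418]: Failed password for devops from 192.168.29.157 port 50220 ssh2
Dec 15 01:51:30 linuxtechi sshd[2425]: Failed password for invalid user admin from 10.0.0.5 port 41000 ssh2
Dec 15 01:51:34 linuxtechi sshd[2425]: Failed password for invalid user admin from 10.0.0.5 port 41000 ssh2
Dec 15 01:52:00 linuxtechi sshd[2430]: Accepted password for pkumar from 192.168.29.200 port 50300 ssh2
EOF
}

# Usage: sh lockout_report.sh /var/log/secure 3     (or /var/log/auth.log on Ubuntu)
# Without arguments it runs over the constructed sample log; with deny=3 that
# prints: pkumar 192.168.29.157 3
if [ $# -ge 1 ]; then
    report_lockouts "$1" "${2:-3}"
else
    tmp=$(mktemp); write_sample_log "$tmp"; report_lockouts "$tmp" 3; rm -f "$tmp"
fi
```

The per-(user, source) key mirrors the "Source" column of faillock's output; drop the source from the key if you want the per-user view that pam_tally2 prints.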
pkumar@ubuntu-linux:~$ sudo pam_tally2 -u devops
Login           Failures Latest failure     From
devops              6    12/15/19 07:45:02  192.168.29.157
pkumar@ubuntu-linux:~$
To clear these unsuccessful login attempts, use the following pam_tally2 command:
pkumar@ubuntu-linux:~$ sudo pam_tally2 -u devops --reset
Login           Failures Latest failure     From
devops              6    12/15/19 07:45:02  192.168.29.157
pkumar@ubuntu-linux:~$ sudo pam_tally2 -u devops
Login           Failures Latest failure     From
devops              0
pkumar@ubuntu-linux:~$
That concludes the article; please don't hesitate to share your feedback and comments.
from Linuxtechi https://ift.tt/2PAmkBz