Re: SSH monitoring



I've just installed pam_abl and tested it ... it seems to work, but I've got a question.
I put the pam_abl line:

auth required /lib/security/pam_abl.so config=/etc/security/pam_abl.conf

in /etc/pam.d/system-auto. The problem is that at the top of the system-auto
file there is the warning:

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.

Now my question: where can I put the pam_abl line so that it gets automatically
placed into system-auto each time authconfig is run?

Thanks
RME


Neil Cherry wrote:

CHAT KHODA wrote:

Dear friends,
I wish to :

1- Monitor all of the connections (or tries) to my SSH
port including the source IP address.


permit() {
    # I want to log just the startup of the conversation
    /sbin/iptables -A INPUT -s ${1} -p tcp --dport 22 -j LOG --syn \
                   --log-level  info --log-prefix "iptables permit: " \
                   --log-ip-options
    /sbin/iptables -A INPUT -s ${1} -p tcp --dport 22 -j ACCEPT
}


# Deny these sites access to my machine
deny() {
    /sbin/iptables -A INPUT -s ${1} -p tcp --dport 22 -j LOG \
                   --log-level alert --log-prefix "iptables deny: " \
                   --log-ip-options
    /sbin/iptables -A INPUT -s ${1} -p tcp --dport 22 -j DROP
}


# =[ Flush the tables completely ]============================================
/sbin/iptables -F

# =[ Permit list ]============================================================
#permit 127.0.0.0/8             # Local stuff
permit 10.0.0.0/8               # Local stuff
permit 172.16.0.0/12            # Local stuff
permit 192.168.0.0/16           # Local stuff

# =[ Deny list ]==============================================================
deny 0.0.0.0/0          # Deny everyone else

The logging part is probably what you want most but the above may
prove to be useful.

2- Limit the number of unsuccessful attempts to login
to just two attempts per session.


Take a look at pam_abl ( http://www.hexten.net/pam_abl/ ). Now that
I use the above I've had no incidents of needing pam_abl. That doesn't
mean I won't.



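An added example, not part of the thread: one way to turn the lines written by the permit()/deny() LOG rules above into a per-source count of SSH connection attempts. It assumes the classic syslog layout (`Mon DD HH:MM:SS host kernel: ...`); the function names, the host name `gw` and all sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): count SSH connection attempts per
# source from the lines logged by the permit()/deny() rules above.
# Assumes classic syslog layout: "Mon DD HH:MM:SS host kernel: <prefix>...".

# Constructed sample log lines (documentation address ranges, made-up MAC).
sample_log() {
cat <<'EOF'
Mar  3 10:15:01 gw kernel: iptables deny: IN=eth0 OUT= MAC=00:16:3e:aa:bb:01:00:16:3e:aa:bb:02:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TTL=52 ID=4411 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:15:04 gw kernel: iptables deny: IN=eth0 OUT= MAC=00:16:3e:aa:bb:01:00:16:3e:aa:bb:02:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TTL=52 ID=4412 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:15:09 gw kernel: iptables deny: IN=eth0 OUT= MAC=00:16:3e:aa:bb:01:00:16:3e:aa:bb:02:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TTL=52 ID=4419 DF PROTO=TCP SPT=51240 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:16:12 gw kernel: iptables deny: IN=eth0 OUT= MAC=00:16:3e:aa:bb:01:00:16:3e:aa:bb:02:08:00 SRC=198.51.100.23 DST=192.168.1.10 LEN=60 TTL=47 ID=902 DF PROTO=TCP SPT=40022 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:16:13 gw kernel: iptables deny: IN=eth0 OUT= MAC=00:16:3e:aa:bb:01:00:16:3e:aa:bb:02:08:00 SRC=198.51.100.23 DST=192.168.1.10 LEN=40 TTL=47 ID=903 DF PROTO=TCP SPT=40022 DPT=22 WINDOW=5840 RES=0x00 ACK FIN URGP=0
Mar  3 10:17:30 gw kernel: iptables permit: IN=eth0 OUT= MAC=00:16:3e:aa:bb:01:00:16:3e:aa:bb:03:08:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TTL=64 ID=77 DF PROTO=TCP SPT=33812 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:17:31 gw sshd[2211]: Accepted password for neil from 192.168.1.50 port 33812 ssh2
EOF
}

# Reads syslog on stdin, prints "<verdict> <source> <attempts>", busiest first.
ssh_attempts() {
    awk '
    # Trust only kernel-tagged lines that carry one of the two log prefixes.
    $5 == "kernel:" && $6 == "iptables" && ($7 == "permit:" || $7 == "deny:") {
        src = ""; spt = ""; dpt = ""; syn = 0; ack = 0
        for (i = 8; i <= NF; i++) {
            if      ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^SPT=/) spt = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            else if ($i == "SYN")  syn = 1
            else if ($i == "ACK")  ack = 1
        }
        # deny() logs every packet, so keep only the opening SYN of a connection.
        if (dpt != "22" || !syn || ack || src == "") next
        key = substr($7, 1, length($7) - 1) " " src
        # A dropped SYN is retransmitted: same source + source port = one attempt.
        if (!((key, spt) in seen)) { seen[key, spt] = 1; count[key]++ }
    }
    END { for (k in count) print k, count[k] }
    ' | LC_ALL=C sort -k3,3nr -k1,1 -k2,2
}

sample_log | ssh_attempts
```

On a live system the same function can be fed the file that receives kernel messages; if the log carries kernel timestamps or a different header, the field positions in the first awk condition need adjusting.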