Lock users account after X attempts

Bob McClure Jr robertmcclure at earthlink.net
Wed Aug 3 00:47:20 UTC 2005


On Tue, Aug 02, 2005 at 06:30:16PM -0600, redhat at buglecreek.com wrote:
> On Mon, 1 Aug 2005 21:38:00 -0500, "Bob McClure Jr"
> <robertmcclure at earthlink.net> said:
> > On Mon, Aug 01, 2005 at 06:14:32PM -0600, redhat at buglecreek.com wrote:
> > > I need a way to lock a user account after 5 attempts.  I know the
> > > pam_tally module will do this, but it also applies to system accounts
> > > and would require the use of the faillog command to get around this ( I
> > > think).  I would like to find another option to do this.  Also, it would
> > > be desirable to be able to lock it for a certain amount of time (say 15
> > > minutes).  Then allow users to try again.
> > > 
> > > Redhat ES 4
> > > 
> > > Thank You
> > 
> > You don't mention where the attempts are being made, but I will assume
> > you are trying to fend off the brute-force bad-password guessing
> > attack on sshd.  I found a solution that is working fine on five
> > Fedora Core machines (some 1, 2, 3).  I started with
> > 
> >   http://www.pettingers.org/code/SSHBlack.html
> > 
> > It works by watching the log of your choice, usually secure or
> > messages, and adding an IPtables rule to block the perp after N tries.
> > I hacked the script to instead stick an entry in /etc/hosts.deny to
> > block the perp, since some of the machines aren't running iptables.
> > Actually, I put the entry in an auxiliary file that the hosts.deny
> > file "includes".  The script does have an adjustable expiry mechanism
> > to release the block.
> > 
> > Let me know if that's what you need and I'll send you my hacked script
> > and a set of instructions for implementing it.
> > 
> > I might also mention that I block all non-North-American IP address
> > ranges in hosts.deny.  And I know it's probably like peeing in the
> > ocean, but I trace every transgressor through ARIN's whois
> > 
> > http://www.arin.net/whois/index.html
> > 
> > and send a nastygram to the abuse contact for that network to advise
> > him he has a compromised machine on his network.
> > 
> > Cheers,
> > -- 
> > Bob McClure, Jr.
> 
> Thanks
> 
> Yes, that seems like it may be a good solution.  If you could send me
> the details I would appreciate it.

[I have sent that directly to him.]

> I will most likely need to run it on
> multiple machines.  I have also implemented password strengthening using
> pam modules (cracklib, tally, unix) that should also help.  Time to be
> extra paranoid.  While we are on the subject, any suggestions on log
> monitoring tools that will catch excessive login attempts?  I know a few,
> but was curious what others are using.

I use logwatch.  It may be in your distribution, but if not, go to the
source, Luke:

http://www2.logwatch.org:81/

The latest version is better than what is in the current RPM.

Set it up to run from /etc/cron.daily/, so that you get a report every
morning.

Cheers,
-- 
Bob McClure, Jr.             Bobcat Open Systems, Inc.
robertmcclure at earthlink.net  http://www.bobcatos.com
God doesn't have (or need) a Plan B.
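The log-watching approach Bob describes above, as an added example that is neither the SSHBlack script nor his hacked version of it: it counts failed sshd password attempts per source IP from /var/log/secure lines, writes the offender into an auxiliary deny file once a threshold is reached, and releases the entry after a fixed time. The sample log lines are constructed, and the threshold, the 15-minute expiry and the way hosts.deny pulls the file in (a `sshd: /path/to/file` client pattern, per hosts_access(5)) are assumptions, not details from the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of /var/log/secure lines (not from the thread).
SAMPLE_LOG = """\
Aug  2 18:01:10 host sshd[2101]: Failed password for root from 10.0.0.5 port 40001 ssh2
Aug  2 18:01:12 host sshd[2102]: Failed password for invalid user admin from 10.0.0.5 port 40002 ssh2
Aug  2 18:01:15 host sshd[2103]: Failed password for invalid user test from 10.0.0.5 port 40003 ssh2
Aug  2 18:01:20 host sshd[2104]: Accepted publickey for bob from 192.168.1.20 port 50000 ssh2
Aug  2 18:01:22 host sshd[2105]: Failed password for bob from 192.168.1.20 port 50001 ssh2
"""

# One failed password attempt; "invalid user" appears for unknown account names.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def failed_counts(log_text):
    """Return {source_ip: number of failed sshd password attempts}."""
    counts = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts

def update_blocks(blocks, log_text, threshold, now):
    """Block every IP with >= threshold failures; blocks maps ip -> time blocked.
    An IP already blocked keeps its original time so the expiry clock is not reset."""
    for ip, n in failed_counts(log_text).items():
        if n >= threshold and ip not in blocks:
            blocks[ip] = now
    return blocks

def expire_blocks(blocks, now, ttl):
    """Release entries older than ttl (the adjustable expiry mechanism)."""
    return {ip: t for ip, t in blocks.items() if now - t < ttl}

def deny_file_text(blocks):
    """Auxiliary file body, one address per line; hosts.deny names it as
    'sshd: /path/to/file' (assumed layout, see hosts_access(5))."""
    return "".join(f"{ip}\n" for ip in sorted(blocks))

if __name__ == "__main__":
    now = datetime(2005, 8, 2, 18, 2)
    blocks = update_blocks({}, SAMPLE_LOG, threshold=3, now=now)
    print(deny_file_text(blocks), end="")                        # 10.0.0.5
    still = expire_blocks(blocks, now + timedelta(minutes=16), timedelta(minutes=15))
    print(deny_file_text(still), end="")                         # nothing left
```

Run it from cron every minute or two against the tail of the log; re-running over the same lines does not extend an existing block, so the expiry interval stays what you configured.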