Pam question maybe?

Alexander Dalloz alexander.dalloz at uni-bielefeld.de
Thu Jul 29 16:37:54 UTC 2004


Am Do, den 29.07.2004 schrieb Jake McHenry um 18:18:

> my server got hacked on monday I'm pretty sure, files were changed, rc.local and rc.sysinit
> were overwritten. Anyways, is there a way that I can lock out the system after say 3 unsuccessful
> login attempts? This would be remotely only, so I can log in at the console to reenable remote logins?

> Jake McHenry

Hacked? That's pretty bad. Did you use insecure passwords? Did you not
keep your system up to date? I am highly interested in how an attacker
could enter your system.

If you are hacked, then there is no way around a clean new install!
Don't try to find things changed - you won't find all backdoors.

Yes, you can use PAM to limit the tries for logins. Patch your
/etc/pam.d/system-auth file with

$ diff -Nur /etc/pam.d/system-auth system-auth
--- /etc/pam.d/system-auth      2004-05-30 19:05:10.000000000 +0200
+++ system-auth 2004-07-29 18:28:06.085452612 +0200
@@ -4,7 +4,9 @@
 auth        required      /lib/security/$ISA/pam_env.so
 auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth
nullok
 auth        required      /lib/security/$ISA/pam_deny.so
+auth        required      /lib/security/$ISA/pam_tally.so onerr=fail
no_magic_root
  
+account     required      /lib/security/$ISA/pam_tally.so deny=3
no_magic_root reset
 account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid <
100
 account     required      /lib/security/$ISA/pam_unix.so
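Review bot: the hunk as posted will not apply, because the mailer has wrapped the long lines: `nullok`, `no_magic_root`, `no_magic_root reset` and `100` are continuations of the preceding lines, not lines of their own, so the body no longer matches the `@@ -4,7 +4,9 @@` counts. Rejoin each fragment to the line above it before feeding the file to patch, or type the two `+` lines in by hand. Also note that the `+++ system-auth` header carries no directory component, so from /etc/pam.d the file name matches directly with `-p0`; with `-p1` patch may have to ask for the name. On the content of the added lines: `no_magic_root` on the `account ... deny=3` line makes root subject to the counter as well, and system-auth is pulled in by console `login` just as by sshd, so three failed attempts against any account, root included, lock it on the console too. That is not the remote-only lockout the original poster asked for, and it leaves a way to lock an administrator out; it would be worth stating next to the hunk that the counter is cleared with `faillog -u <user> -r` or `pam_tally --user <user> --reset` from a session that still works. The `auth required pam_tally.so` line placed after `pam_deny.so` still increments on a failed password, because a failing `required` module does not stop the auth stack, but the customary position is before `pam_unix.so`; a one-line remark that the placement is intentional would save readers from "fixing" it.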

You see it adds 2 lines. Make a copy of system-auth to a safe place, and
do the changes with great care. You can either make the changes by hand
or do it using the patch command: cd /etc/pam.d; patch -p1 <
/path/to/the/patch/from/above

Then run "touch /var/log/faillog; chmod 600 /var/log/faillog; chown
root /var/log/faillog". Of course you must be root for all these steps.

You can use the commands "faillog" and "pam_tally" to handle the
restrictions with failed logins. Both commands let you show the number
of failed logins per user account and let you reset the counter.

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.6-1.435.2.3.ad.umlsmp 
Serendipity 18:22:24 up 3 days, 3:29, load average: 0.82, 0.66, 0.43 
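The "faillog" and "pam_tally" commands mentioned above both read the /var/log/faillog file that the reply has you create. As an added example (not code from the post, from Fedora, or from shadow-utils), the Python script below parses an image of that file and lists the accounts whose counter has reached the deny=3 threshold, which is the check a defender runs to see who is currently locked out. It assumes the record layout of the `struct faillog` used by shadow-utils and pam_tally (a short failure count, a short maximum, a 12-byte terminal name, a time_t of the last failure and a long lock time), records indexed by uid, and a little-endian host; the 64-bit (32-byte record) and 32-bit (24-byte record) layouts are both provided. The sample file contents are constructed inline.

```python
"""Read a faillog(8)-style record file and report locked-out accounts.

Added example, not from the mailing-list post.  Assumed layout (from the
struct faillog in shadow-utils / pam_tally.c):
    short fail_cnt; short fail_max; char fail_line[12];
    time_t fail_time; long fail_locktime;
indexed by uid on a little-endian host.
"""
import struct
import time

# Record layouts this example assumes for little-endian hosts.
RECORD_LP64 = struct.Struct("<hh12sqq")   # 64-bit: time_t/long are 8 bytes, 32-byte record
RECORD_ILP32 = struct.Struct("<hh12sii")  # 32-bit: time_t/long are 4 bytes, 24-byte record


def parse_faillog(data, record=RECORD_LP64):
    """Return {uid: fields} for every slot that has ever been written.

    The file is a sparse array indexed by uid, so the record's position
    is the uid; all-zero slots belong to users who never failed a login.
    """
    entries = {}
    for uid in range(len(data) // record.size):
        cnt, fmax, line, when, lock = record.unpack_from(data, uid * record.size)
        if cnt == 0 and when == 0:
            continue  # untouched slot
        entries[uid] = {
            "fail_cnt": cnt,
            "fail_max": fmax,
            "fail_line": line.split(b"\0", 1)[0].decode("ascii", "replace"),
            "fail_time": when,
            "fail_locktime": lock,
        }
    return entries


def locked_out(data, deny=3, record=RECORD_LP64):
    """Uids whose counter has reached the pam_tally deny= threshold."""
    return sorted(uid for uid, e in parse_faillog(data, record).items()
                  if e["fail_cnt"] >= deny)


def reset_user(data, uid, record=RECORD_LP64):
    """Zero one user's counter, as `faillog -u <user> -r` does, and return
    the patched file image; every other record is left untouched."""
    off = uid * record.size
    _cnt, fmax, line, when, lock = record.unpack_from(data, off)
    patched = record.pack(0, fmax, line, when, lock)
    return data[:off] + patched + data[off + record.size:]


def build_faillog(entries, record=RECORD_LP64):
    """Construct a sparse faillog image from {uid: (cnt, max, line, time)}.
    Only used here to fabricate the sample below."""
    buf = bytearray((max(entries) + 1) * record.size)
    for uid, (cnt, fmax, line, when) in entries.items():
        record.pack_into(buf, uid * record.size, cnt, fmax,
                         line.encode("ascii").ljust(12, b"\0"), when, 0)
    return bytes(buf)


# Constructed sample: root (uid 0) never failed, uid 500 is past the
# deny=3 threshold after four failures over a pty, uid 501 failed once.
SAMPLE_FAILLOG = build_faillog({
    500: (4, 3, "pts/1", 1091118000),
    501: (1, 3, "tty1", 1091120000),
})


def report(data, deny=3, record=RECORD_LP64):
    """Human-readable lines, one per account with a recorded failure."""
    lines = []
    for uid, e in sorted(parse_faillog(data, record).items()):
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(e["fail_time"]))
        state = "LOCKED" if e["fail_cnt"] >= deny else "ok"
        lines.append(f"uid {uid:>5}  failures {e['fail_cnt']}  last {stamp} "
                     f"on {e['fail_line']:<8} {state}")
    return lines


if __name__ == "__main__":
    # On a real host: data = open("/var/log/faillog", "rb").read()
    print("\n".join(report(SAMPLE_FAILLOG)))
    print("locked out at deny=3:", locked_out(SAMPLE_FAILLOG))
```

To inspect a real file, read /var/log/faillog as root and pass `RECORD_ILP32` on a 32-bit installation; the two layouts differ only in the width of `time_t` and `long`, so a wrong choice shows up as nonsensical timestamps rather than a parse error.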

