Pam question maybe?
Alexander Dalloz
alexander.dalloz at uni-bielefeld.de
Thu Jul 29 16:37:54 UTC 2004
On Thu, 29.07.2004, at 18:18 Jake McHenry wrote:
> my server got hacked on monday I'm pretty sure, files were changed, rc.local and rc.sysinit
> were overwritten. Anyways, is there a way that I can lock out the system after say 3 unsuccessful
> login attempts? This would be remotely only, so I can log in at the console to re-enable remote logins?
> Jake McHenry
Hacked? That's pretty bad. Did you use insecure passwords? Did you not
keep your system up to date? I am highly interested in how an attacker
could enter your system.
If you are hacked, then there is no way around a clean new install!
Don't try to find things changed - you won't find all backdoors.
Yes, you can use PAM to limit the tries for logins. Patch your
/etc/pam.d/system-auth file with
$ diff -Nur /etc/pam.d/system-auth system-auth
--- /etc/pam.d/system-auth 2004-05-30 19:05:10.000000000 +0200
+++ system-auth 2004-07-29 18:28:06.085452612 +0200
@@ -4,7 +4,9 @@
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth
nullok
auth required /lib/security/$ISA/pam_deny.so
+auth required /lib/security/$ISA/pam_tally.so onerr=fail
no_magic_root
+account required /lib/security/$ISA/pam_tally.so deny=3
no_magic_root reset
account sufficient /lib/security/$ISA/pam_succeed_if.so uid <
100
account required /lib/security/$ISA/pam_unix.so
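Review bot: The hunk as it arrived is mail-wrapped, so "nullok", "no_magic_root", "no_magic_root reset" and "100" sit on lines of their own; they belong at the end of the preceding line (e.g. "+auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root") and must be rejoined before the patch will apply, otherwise system-auth ends up with broken entries that PAM will not parse. A second point about where the lines go: system-auth is included by every PAM service, so "deny=3" locks the account for console login just as much as for remote login, which is not the "remotely only" behaviour Jake asked for; limiting it to remote access means adding the pam_tally lines to the per-service files (such as /etc/pam.d/sshd) rather than to system-auth. Finally, "onerr=fail" means authentication fails whenever the tally file cannot be read, so the faillog file must exist with the right ownership before this change is activated.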
You see it adds 2 lines. Make a copy of system-auth to a safe place, and
do the changes with great care. You can either make the changes by hand
or do it using the patch command: cd /etc/pam.d; patch -p1 <
/path/to/the/patch/from/above
Then run "touch /var/log/faillog; chmod 600 /var/log/faillog; chown
root /var/log/faillog". Of course you must be root for all these steps.
You can use the commands "faillog" and "pam_tally" to handle the
restrictions with failed logins. Both commands let you show the number
of failed logins per user account and let you reset the counter.
Alexander
--
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.6-1.435.2.3.ad.umlsmp
Serendipity 18:22:24 up 3 days, 3:29, load average: 0.82, 0.66, 0.43
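The following is an added example, not part of the original thread and not Alexander's script: it applies the two pam_tally lines from his diff by script rather than by hand or with patch, keeps a backup, refuses to add the lines twice, and checks that both lines landed before touching the real file. It assumes the stack looks like the one in the diff (the auth stack ends with pam_deny.so and the account stack starts with pam_succeed_if.so); the function names, the ".bak-pam_tally" backup suffix and the sample file contents are my own constructions.

```shell
#!/bin/sh
# Added example (not from the list thread): insert the two pam_tally lines
# into a system-auth file, with backup and check. Assumes the stack looks
# like the one in the quoted diff. Function names and the backup suffix
# are assumptions of this example, not Fedora conventions.

# Constructed copy of the relevant part of a Fedora Core 2 system-auth,
# used for dry runs; it is not a real file from any system.
sample_system_auth() {
    cat <<'EOF'
#%PAM-1.0
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100
account     required      /lib/security/$ISA/pam_unix.so
EOF
}

# True when both tally lines are present: the auth line that counts
# failures and the account line that enforces deny=3.
check_pam_tally() {
    grep -q '^auth.*pam_tally\.so.*onerr=fail' "$1" &&
        grep -q '^account.*pam_tally\.so.*deny=3' "$1"
}

# Insert the auth line right after pam_deny.so and the account line before
# the first account entry, matching the placement in the diff.
add_pam_tally() {
    f="$1"
    if grep -q 'pam_tally\.so' "$f"; then
        echo "pam_tally already configured in $f" >&2
        return 1
    fi
    # backup of the untouched file, as the mail advises
    cp -p "$f" "$f.bak-pam_tally" || return 1
    tmp="$f.tmp.$$"
    awk '
        $1 == "account" && !done_acct {
            print "account     required      /lib/security/$ISA/pam_tally.so deny=3 no_magic_root reset"
            done_acct = 1
        }
        { print }
        $1 == "auth" && $0 ~ /pam_deny\.so/ && !done_auth {
            print "auth        required      /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root"
            done_auth = 1
        }
    ' "$f" > "$tmp" || { rm -f "$tmp"; return 1; }
    if ! check_pam_tally "$tmp"; then
        # the stack did not look as expected; leave the original untouched
        rm -f "$tmp"
        return 1
    fi
    # write through cat so the file keeps its original ownership and mode
    cat "$tmp" > "$f" && rm -f "$tmp"
}

# The faillog step from the mail: the tally file must exist before
# onerr=fail goes live, or every login fails.
prepare_faillog() {
    log="${1:-/var/log/faillog}"
    touch "$log" && chmod 600 "$log" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown root "$log"
    else
        echo "not root: $log left owned by $(id -un)" >&2
    fi
}

# Usage (as root): add_pam_tally /etc/pam.d/system-auth && prepare_faillog
```

Run the functions against a copy first (sample_system_auth > /tmp/sa; add_pam_tally /tmp/sa) and read the result before pointing them at /etc/pam.d/system-auth; the check is deliberately strict so that an unexpected stack layout leaves the original file untouched rather than half-edited.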