Lock users account after X attempts
Bob McClure Jr
robertmcclure at earthlink.net
Tue Aug 2 02:38:00 UTC 2005
On Mon, Aug 01, 2005 at 06:14:32PM -0600, redhat at buglecreek.com wrote:
> I need a way to lock a user account after 5 attempts. I know the
> pam_tally module will do this, but it also applies to system accounts
> and would require the use of the faillog command to get around this (I
> think). I would like to find another option to do this. Also, it would
> be desirable to be able to lock it for a certain amount of time (say 15
> minutes). Then allow users to try again.
>
> Redhat ES 4
>
> Thank You
You don't mention where the attempts are being made, but I will assume
you are trying to fend off the brute-force bad-password guessing
attack on sshd. I found a solution that is working fine on five
Fedora Core machines (some 1, 2, 3). I started with
http://www.pettingers.org/code/SSHBlack.html
It works by watching the log of your choice, usually secure or
messages, and adding an IPtables rule to block the perp after N tries.
I hacked the script to instead stick an entry in /etc/hosts.deny to
block the perp, since some of the machines aren't running iptables.
Actually, I put the entry in an auxiliary file that the hosts.deny
file "includes". The script does have an adjustable expiry mechanism
to release the block.
Let me know if that's what you need and I'll send you my hacked script
and a set of instructions for implementing it.
I might also mention that I block all non-North-American IP address
ranges in hosts.deny. And I know it's probably like peeing in the
ocean, but I trace every transgressor through ARIN's whois
http://www.arin.net/whois/index.html
and send a nastygram to the abuse contact for that network to advise
him he has a compromised machine on his network.
Cheers,
--
Bob McClure, Jr. Bobcat Open Systems, Inc.
robertmcclure at earthlink.net http://www.bobcatos.com
God doesn't have (or need) a Plan B.
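The mechanism Bob describes (count failed logins per source address in the log, write the offender into a file that hosts.deny includes, release the block after a set time) as an added example. This is not SSHBlack and not his hacked copy of it; it assumes the classic sshd log format ("Failed password for ... from A.B.C.D") and a line `sshd: /etc/hosts.deny.sshblock` in /etc/hosts.deny, where the include file name is hypothetical. hosts_access(5) treats a client pattern beginning with "/" as a file of address patterns, one per line, so the include file lists bare addresses; the expiry is kept in a comment line above each address, a format chosen here so the script can read its own state back.

```python
"""Count failed sshd logins per source address and maintain a time-limited
block list that /etc/hosts.deny includes.  Added example, not the SSHBlack
script or the hacked version from the post.  Assumes the classic sshd log
format ("Failed password for ... from A.B.C.D") and a hosts.deny line
    sshd: /etc/hosts.deny.sshblock
(the file name is hypothetical), so the include file only needs one address
per line; the expiry is kept in a comment line above each address."""
import re
import time
from collections import Counter

LOG_FILE = "/var/log/secure"               # or /var/log/messages
BLOCK_FILE = "/etc/hosts.deny.sshblock"    # hypothetical include file
THRESHOLD = 5                              # failures before blocking
BLOCK_SECONDS = 15 * 60                    # release the block after 15 min

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3})")
EXPIRES_RE = re.compile(r"^#\s*expires=(\d+)")


def count_failures(lines):
    """Map source IP -> number of failed password attempts in the log lines."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def offenders(counts, threshold=THRESHOLD):
    """Addresses that reached the threshold, sorted for stable output."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def parse_block_file(text):
    """Read the include file back into {ip: expiry_epoch}.

    Format written by render_block_file: a '# expires=N' comment line
    followed by the address on its own line."""
    entries, pending = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = EXPIRES_RE.match(line)
        if m:
            pending = int(m.group(1))
        elif line and not line.startswith("#") and pending is not None:
            entries[line] = pending
            pending = None
    return entries


def update_entries(entries, new_ips, now, ttl=BLOCK_SECONDS):
    """Drop blocks whose expiry has passed, then add or refresh new_ips."""
    live = {ip: exp for ip, exp in entries.items() if exp > now}
    for ip in new_ips:
        live[ip] = now + ttl
    return live


def render_block_file(entries):
    """Serialise {ip: expiry} into hosts_access address-pattern lines."""
    out = ["# managed by sshblock example; included from /etc/hosts.deny"]
    for ip, exp in sorted(entries.items()):
        out.append(f"# expires={exp}")
        out.append(ip)
    return "\n".join(out) + "\n"


def run_once(log_path=LOG_FILE, block_path=BLOCK_FILE, now=None):
    """One pass: scan the log, merge with the existing block list, rewrite it."""
    now = int(time.time()) if now is None else now
    with open(log_path) as f:
        bad = offenders(count_failures(f))
    try:
        with open(block_path) as f:
            current = parse_block_file(f.read())
    except FileNotFoundError:
        current = {}
    updated = update_entries(current, bad, now)
    with open(block_path, "w") as f:
        f.write(render_block_file(updated))
    return updated


if __name__ == "__main__":
    print(run_once())
```

Run it from cron every minute or so; each pass also expires old entries, which is the 15-minute release the question asked for. Two points worth keeping in mind: rescanning the whole log each pass re-counts old failures, so a production watcher should tail the log or remember its last offset, and the addresses you administer from should be excluded before they ever reach the block list, since one mistyped password from the wrong place otherwise locks you out too.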