Lock users account after X attempts

redhat at buglecreek.com
Wed Aug 3 00:30:16 UTC 2005


On Mon, 1 Aug 2005 21:38:00 -0500, "Bob McClure Jr"
<robertmcclure at earthlink.net> said:
> On Mon, Aug 01, 2005 at 06:14:32PM -0600, redhat at buglecreek.com wrote:
> > I need a way to lock a user account after 5 attempts.  I know the
> > pam_tally module will do this, but it also applies to system accounts
> > and would require the use of the faillog command to get around this (I
> > think).  I would like to find another option to do this.  Also, it would
> > be desirable to be able to lock it for a certain amount of time (say 15
> > minutes).  Then allow users to try again.
> > 
> > Redhat ES 4
> > 
> > Thank You
> 
> You don't mention where the attempts are being made, but I will assume
> you are trying to fend off the brute-force bad-password guessing
> attack on sshd.  I found a solution that is working fine on five
> Fedora Core machines (some 1, 2, 3).  I started with
> 
>   http://www.pettingers.org/code/SSHBlack.html
> 
> It works by watching the log of your choice, usually secure or
> messages, and adding an IPtables rule to block the perp after N tries.
> I hacked the script to instead stick an entry in /etc/hosts.deny to
> block the perp, since some of the machines aren't running iptables.
> Actually, I put the entry in an auxiliary file that the hosts.deny
> file "includes".  The script does have an adjustable expiry mechanism
> to release the block.
> 
> Let me know if that's what you need and I'll send you my hacked script
> and a set of instructions for implementing it.
> 
> I might also mention that I block all non-North-American IP address
> ranges in hosts.deny.  And I know it's probably like peeing in the
> ocean, but I trace every transgressor through ARIN's whois
> 
> http://www.arin.net/whois/index.html
> 
> and send a nastygram to the abuse contact for that network to advise
> him he has a compromised machine on his network.
> 
> Cheers,
> -- 
> Bob McClure, Jr.             Bobcat Open Systems, Inc.
> robertmcclure at earthlink.net  http://www.bobcatos.com
> God doesn't have (or need) a Plan B.
> 

Thanks

Yes, that seems like it may be a good solution.  If you could send me
the details I would appreciate it.  I will most likely need to run it on
multiple machines.  I have also implemented password strengthening using
pam modules (cracklib, tally, unix) that should also help.  Time to be
extra paranoid.  While we are on the subject, any suggestions on log
monitoring tools that will catch excessive login attempts?  I know a few,
but was curious what others are using.
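
The approach described in the quoted reply (watch the log, block an address after N failed tries, release the block after an expiry), as an added example that is not part of the original thread and is not Bob McClure's script or SSHBlack. The log lines are constructed, and the 10-minute counting window and the function names are assumptions; the 5 tries and 15 minutes come from the question.

```python
import re
from datetime import datetime, timedelta

# Constructed sample (sshd syslog format); line 2 has a user name crafted to look like another source.
SAMPLE_LOG = """\
Aug  2 21:01:10 host sshd[4101]: Failed password for root from 192.0.2.10 port 4022 ssh2
Aug  2 21:01:14 host sshd[4102]: Failed password for invalid user x from 203.0.113.9 port 1 ssh2 from 192.0.2.10 port 4023 ssh2
Aug  2 21:01:19 host sshd[4103]: Failed password for root from 192.0.2.10 port 4024 ssh2
Aug  2 21:01:21 host sshd[4104]: Failed password for alice from 198.51.100.7 port 5100 ssh2
Aug  2 21:01:25 host sshd[4105]: Failed password for root from 192.0.2.10 port 4025 ssh2
Aug  2 21:01:30 host sshd[4106]: Failed password for root from 192.0.2.10 port 4026 ssh2
Aug  2 21:02:02 host sshd[4107]: Accepted password for alice from 198.51.100.7 port 5101 ssh2
"""

# Greedy ".*" plus the end anchor take the address from the LAST "from ... port"
# on the line, which sshd writes itself; text inside the user name is ignored.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+(?: ssh2)?\s*$")

def parse_failures(text, year=2005):
    """Yield (timestamp, ip) per failed attempt; syslog omits the year, so it is passed in."""
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            stamp = " ".join(m.group(1).split())  # collapse the padded day field
            yield datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"), m.group(2)

def find_blocks(events, max_tries=5, window=timedelta(minutes=10),
                block_for=timedelta(minutes=15)):
    """Return {ip: expiry} for each address with max_tries failures inside window."""
    recent, blocks = {}, {}
    for ts, ip in events:
        if blocks.get(ip, ts) > ts:
            continue  # already blocked at this point in the log
        hits = [t for t in recent.get(ip, []) if ts - t <= window] + [ts]
        recent[ip] = hits
        if len(hits) >= max_tries:
            blocks[ip] = ts + block_for
            recent[ip] = []  # start counting afresh once the block expires
    return blocks

def deny_lines(blocks, now):
    """tcp_wrappers entries for blocks still active at 'now'; expired ones drop out."""
    return [f"sshd: {ip}" for ip, expiry in sorted(blocks.items()) if expiry > now]

if __name__ == "__main__":
    blocks = find_blocks(parse_failures(SAMPLE_LOG))
    print("\n".join(deny_lines(blocks, datetime(2005, 8, 2, 21, 5))))
```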



