Wednesday, April 30, 2008

Configure Linux to track and log failed login attempt records

You can use the faillog command to display faillog records or to set login failure limits. Without arguments it displays only the records of users who have ever had a login failure.

PAM Settings: Under RHEL/CentOS 5.x, you need to modify /etc/pam.d/system-auth and configure the PAM module pam_tally.so. Otherwise faillog will never display failed login attempts.

PAM Configuration to record failed login attempts: pam_tally.so maintains a count of attempted accesses, can reset the count on success, and can deny access if too many attempts fail.

# vi /etc/pam.d/system-auth # Append
auth required pam_tally.so no_magic_root
account required pam_tally.so deny=3 no_magic_root lock_time=180

Where,

  • deny=3 : Deny access if the tally for this user exceeds 3.
  • lock_time=180 : Always deny for 180 seconds after a failed attempt. There is also the unlock_time=n option, which allows access n seconds after a failed attempt. If this option is used, the user will be locked out for the specified amount of time after exceeding the maximum allowed attempts. Otherwise the account stays locked until the lock is removed by manual intervention of the system administrator.
  • magic_root : If the module is invoked by a user with uid=0, the counter is not incremented. The sysadmin should use this for user-launched services, like su; otherwise this argument should be omitted.
  • no_magic_root : Avoid root account locking if the module is invoked by a user with uid=0.

Display all failed login attempts for a user
# faillog -u didi

Display faillog records for all users
# faillog -a

-r resets the login failure counters for all users, or a single record if used with the -u USERNAME option:

# faillog -r
# faillog -r -u vivek <-- only reset the counter for user vivek

On a large Linux login server, it might be useful to clear all counts every midnight or every week from a cron job:
# crontab -e
@weekly /usr/bin/faillog -r
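As an added example (not part of the original post), the following Python script parses the binary /var/log/faillog file that faillog reads and applies the deny=3 / lock_time=180 policy from the PAM lines above to report who is currently locked. It assumes the shadow-utils struct faillog layout on x86_64 Linux (record size 32 bytes, indexed by UID); the sample file, user names and timestamps are constructed, and the lock rules are an approximation of the policy described in the post rather than pam_tally's own code.

```python
import struct

# One shadow-utils faillog record (struct faillog) as laid out on x86_64 Linux:
# short fail_cnt, short fail_max, char fail_line[12], time_t fail_time, long fail_locktime.
# /var/log/faillog is a flat array of these records indexed by UID (assumption: x86_64 layout).
FAILLOG_FMT = "<hh12sqq"
REC_SIZE = struct.calcsize(FAILLOG_FMT)   # 32 bytes per UID

DENY = 3          # deny=3 from the pam_tally account line in the post
LOCK_TIME = 180   # lock_time=180 from the same line

def pack_record(fail_cnt, fail_max, line, fail_time, fail_locktime=0):
    """Build one record; used here only to construct sample data."""
    return struct.pack(FAILLOG_FMT, fail_cnt, fail_max,
                       line.encode().ljust(12, b"\0"), fail_time, fail_locktime)

def parse_faillog(data, uid_names):
    """Return the records of users with at least one failure, like 'faillog -a'."""
    found = []
    for uid in range(len(data) // REC_SIZE):
        cnt, mx, line, when, locktime = struct.unpack_from(FAILLOG_FMT, data, uid * REC_SIZE)
        if cnt == 0:
            continue
        found.append({"uid": uid, "user": uid_names.get(uid, str(uid)),
                      "failures": cnt, "max": mx,
                      "line": line.rstrip(b"\0").decode(), "last": when,
                      "locktime": locktime})
    return found

def lock_state(rec, now, deny=DENY, lock_time=LOCK_TIME):
    """Policy as the post describes it (approximation, not pam_tally's code):
    lock_time denies for lock_time seconds after any failure; deny=n denies once
    the tally exceeds n until an administrator runs 'faillog -r'."""
    if now - rec["last"] < lock_time:
        return "locked (within lock_time)"
    if rec["failures"] > deny:
        return "locked (tally exceeds deny, reset with faillog -r)"
    return "ok"

# Constructed sample: room for UIDs 0..501, with failures recorded for two users.
NOW = 1_209_600_000
NAMES = {0: "root", 500: "vivek", 501: "didi"}
SAMPLE = bytearray(REC_SIZE * 502)
SAMPLE[500 * REC_SIZE:501 * REC_SIZE] = pack_record(4, 0, "ssh", NOW - 600)
SAMPLE[501 * REC_SIZE:502 * REC_SIZE] = pack_record(2, 0, "tty1", NOW - 60)

if __name__ == "__main__":
    for rec in parse_faillog(bytes(SAMPLE), NAMES):
        print(rec["user"], rec["failures"], rec["line"], lock_state(rec, NOW))
```

On a real host, feed parse_faillog the bytes of /var/log/faillog and a UID-to-name map built from the pwd module, and pass time.time() as now.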
