
How to monitor failed ssh login attempts on CentOS

If you are a web hosting administrator or a Linux security technician, you probably need to closely monitor ssh login activities, especially failed login attempts. Linux has Pluggable Authentication Modules (PAM) built in, offering configurable authorization for Linux applications and services. You can use PAM to monitor failed ssh login attempts and act on them (e.g., blocking the user).

In this tutorial, I will show how to configure PAM to monitor failed ssh login attempts on CentOS. Depending on the CentOS version you are using, PAM configuration is slightly different.

Configure PAM on CentOS 5

To keep track of failed ssh logins on CentOS 5.*, you need to use a PAM module called pam_tally.so. For that, modify /etc/pam.d/system-auth as follows.

$ sudo vi /etc/pam.d/system-auth
auth required pam_tally.so no_magic_root
account required pam_tally.so deny=3 no_magic_root lock_time=300

The above PAM configuration denies ssh access for a user if the user has failed to log in three times. The user becomes unblocked after 300 seconds.

Once PAM is configured, use a command called faillog to monitor the ssh login activity of a specific user (e.g., xmodulo):

$ sudo faillog -u xmodulo
Login       Failures Maximum Latest             On
xmodulo         2        0   04/23/13 14:12:53  192.168.1.5

To reset the counter of failures for a particular user (e.g., xmodulo):

$ sudo faillog -r -u xmodulo


Configure PAM on CentOS 6

To check failed ssh login attempts on CentOS 6.*, you need to use a PAM module called pam_tally2.so. To configure pam_tally2.so, modify /etc/pam.d/password-auth as below.

$ sudo vi /etc/pam.d/password-auth
auth required pam_tally2.so deny=3 onerr=fail unlock_time=300
account required pam_tally2.so

This PAM configuration blocks ssh login for a particular user after three failed login attempts from the user. The user remains blocked for 300 seconds.

Once PAM is configured as above, use a command called pam_tally2 to monitor the ssh login activity of a particular user (e.g., xmodulo):

$ sudo pam_tally2 -u xmodulo
Login           Failures Latest failure     From
xmodulo             2    04/23/13 22:44:45  192.168.1.5

To unblock a particular user (e.g., xmodulo):

$ sudo pam_tally2 -u xmodulo -r
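The two sections above show how to read the tally for one user at a time. As an added example (not part of the original post), the shell function below reads tally output from either faillog (CentOS 5) or pam_tally2 (CentOS 6) on stdin and lists the accounts whose failure count has reached the deny= threshold, i.e. the ones currently locked out. The sample output and the user names alice and bob are constructed for the example.

```shell
#!/bin/sh
# Added example: list accounts whose tally has reached the PAM deny threshold.
# Works on the output of either faillog (CentOS 5, pam_tally) or pam_tally2
# (CentOS 6): in both layouts the login name is column 1 and the failure
# count is column 2.

# Constructed sample in the pam_tally2 layout (not captured from a real host).
SAMPLE_TALLY='Login           Failures Latest failure     From
xmodulo             2    04/23/13 22:44:45  192.168.1.5
alice               3    04/23/13 22:50:01  192.168.1.9
bob                 5    04/23/13 23:01:17  10.0.0.7'

# locked_users THRESHOLD: read tally output on stdin and print, one per line,
# the users whose failure count is >= THRESHOLD (the deny= value in the PAM line).
locked_users() {
    threshold="$1"
    awk -v limit="$threshold" '
        NR == 1 && $1 == "Login" { next }          # skip the header row
        $2 ~ /^[0-9]+$/ && $2 + 0 >= limit { print $1 }
    '
}

# count_locked THRESHOLD: same input, prints the number of locked users.
count_locked() {
    locked_users "$1" | wc -l | tr -d ' '
}

# Usage: with deny=3 as configured above, alice and bob are currently blocked.
printf '%s\n' "$SAMPLE_TALLY" | locked_users 3
```

On a live host, pipe the real command in instead of the sample, e.g. `sudo pam_tally2 | locked_users 3`.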