pam_tally2 or pam_faillock account lockout with ssh
Solution 1:
If you enable PasswordAuthentication then the SSH daemon handles passwords itself and does not use PAM. You actually want to disable this in order to force it to use PAM:
PasswordAuthentication no
UsePAM yes
ChallengeResponseAuthentication yes
That won't catch users using keys, however (although personally I think that's fine). If you do want to, you'll probably have to use something like fail2ban, which looks for authentication failures in the logs and adds iptables rules to block future attempts.
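To confirm that an sshd_config actually hands password handling to PAM as Solution 1 describes, the following POSIX sh check reads the file text on stdin and reports any of the three settings whose effective value differs from the expected one. It is an added example, not part of the answer above. Two details it takes into account: sshd uses the first occurrence of a keyword, so a later duplicate does not override it, and anything after the first Match line is conditional rather than global. The sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the answer above): verify the three sshd_config
# settings from Solution 1 against sshd's own precedence rules.

# effective_sshd_value KEYWORD: print the value sshd would use for KEYWORD,
# reading sshd_config text from stdin. sshd takes the FIRST non-comment
# occurrence of a keyword, and lines after the first "Match" block only
# apply to matching connections, so scanning stops there.
effective_sshd_value() {
    awk -v key="$1" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    '
}

# check_sshd_pam: reads sshd_config text from stdin, prints one line per
# setting that disagrees with Solution 1, returns 0 only when all three match.
check_sshd_pam() {
    cfg=$(cat)
    rc=0
    for pair in "PasswordAuthentication=no" "UsePAM=yes" \
                "ChallengeResponseAuthentication=yes"; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(printf '%s\n' "$cfg" | effective_sshd_value "$key")
        if [ "$got" != "$want" ]; then
            printf '%s: want %s, got %s\n' "$key" "$want" "${got:-<unset>}"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the second PasswordAuthentication line never takes
# effect, and ChallengeResponseAuthentication is not set at all.
SAMPLE_BAD='# constructed sshd_config
PasswordAuthentication yes
UsePAM yes
PasswordAuthentication no
'

# Constructed sample matching Solution 1.
SAMPLE_GOOD='PasswordAuthentication no
UsePAM yes
ChallengeResponseAuthentication yes
Match User backup
    PasswordAuthentication yes
'

printf '%s' "$SAMPLE_GOOD" | check_sshd_pam && echo "good sample: OK"
printf '%s' "$SAMPLE_BAD"  | check_sshd_pam || echo "bad sample: needs fixing"
```

Run it against a live host with `check_sshd_pam < /etc/ssh/sshd_config`; the Match block in the good sample shows why the global value, not the last line in the file, is what the check reports.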
Solution 2:
You'll need to add the following lines to /etc/pam.d/sshd:
auth required pam_tally2.so deny=6 onerr=fail unlock_time=1800
account required pam_tally2.so
Add them on lines 3 and 6 as indicated below:
#%PAM-1.0
auth required pam_sepermit.so
auth required pam_tally2.so deny=6 onerr=fail unlock_time=1800
auth include password-auth
account required pam_nologin.so
account required pam_tally2.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
Also make sure UsePAM yes is set in /etc/ssh/sshd_config.
This will lock an ssh user out for 30 minutes after six failed authentication attempts.
If we follow the official RHEL 6 Security Guide, we can accomplish this without changing /etc/pam.d/sshd.
We edit both /etc/pam.d/system-auth and /etc/pam.d/password-auth, replacing
auth sufficient pam_unix.so nullok try_first_pass
with
auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
And, in both files, we add this line to the top of the "account" section:
account required pam_faillock.so
This will provide account lockout functionality to console users, screensaver users, and so on.
If you examine /etc/pam.d/sshd you can see it uses password-auth, and therefore ssh users will experience the same lockout functionality.