|
1 2 3 4 5 6 7 |
notblog@infinity:~$ faillog -u root Login Failures Maximum Latest On root 13 0 02/25/13 10:17:11 +0000 /dev/pts/0 |
- Login: Attempted login user
- Failures: Failed login attempts
- Maximum: Allowed login failures before disabling the account
- Latest: Date and time of last failed login
- On: Where the failed login occurred
Step 1 – Enable pam_tally.so in /etc/pam.d/common-auth
Add the following lines to the top of the file:
|
1 2 |
# Log failed logins to /var/log/faillog |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
# Log failed logins to /var/log/faillog auth required pam_tally.so per_user magic_root onerr=fail # here are the per-package modules (the "Primary" block) auth [success=1 default=ignore] pam_unix.so nullok_secure # here's the fallback if no module succeeds auth requisite pam_deny.so ... |
Step 2 – Enable pam_tally.so in /etc/pam.d/sshd
Add the following lines immediately beforeĀ @include common-auth:
|
1 2 3 |
# Log failed login attempts to /var/log/faillog auth required pam_tally.so per_user onerr=fail |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 |
# Read environment variables from /etc/environment and # /etc/security/pam_env.conf. auth required pam_env.so # [1] # In Debian 4.0 (etch), locale-related environment variables were moved to # /etc/default/locale, so read that as well. auth required pam_env.so envfile=/etc/default/locale # Log failed login attempts to /var/log/faillog auth required pam_tally.so per_user onerr=fail # Standard Un*x authentication. @include common-auth # Disallow non-root logins when /etc/nologin exists. account required pam_nologin.so ... |
Step 3 – Enable PAM inĀ /etc/ssh/sshd_config
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
# Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass # the setting of "PermitRootLogin without-password". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. UsePAM yes |
Step 4 – Restart ssh
|
1 2 3 4 5 |
notblog@infinity:~$ sudo service ssh restart ssh stop/waiting ssh start/running, process 11717 |