```
notblog@infinity:~$ faillog -u root
Login       Failures Maximum Latest                   On

root           13        0   02/25/13 10:17:11 +0000  /dev/pts/0
```
- Login: User name the login was attempted for
- Failures: Failed login attempts
- Maximum: Allowed login failures before disabling the account
- Latest: Date and time of last failed login
- On: Where the failed login occurred
Step 1 – Enable pam_tally.so in /etc/pam.d/common-auth
Add the following lines to the top of the file:
```
# Log failed logins to /var/log/faillog
auth required pam_tally.so per_user magic_root onerr=fail
```
```
# Log failed logins to /var/log/faillog
auth required pam_tally.so per_user magic_root onerr=fail

# here are the per-package modules (the "Primary" block)
auth [success=1 default=ignore] pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth requisite pam_deny.so

...
```
Step 2 – Enable pam_tally.so in /etc/pam.d/sshd
Add the following lines immediately before @include common-auth:
```
# Log failed login attempts to /var/log/faillog
auth required pam_tally.so per_user onerr=fail
```
```
# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth required pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth required pam_env.so envfile=/etc/default/locale

# Log failed login attempts to /var/log/faillog
auth required pam_tally.so per_user onerr=fail

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so

...
```
Step 3 – Enable PAM in /etc/ssh/sshd_config
```
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
```
Step 4 – Restart ssh
```
notblog@infinity:~$ sudo service ssh restart
ssh stop/waiting
ssh start/running, process 11717
```
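
The placement rules in Steps 1 to 3 are easy to get wrong, so here is an added example (not part of the original post) that audits them: an active `pam_tally.so` auth line ahead of `pam_unix.so` in common-auth, ahead of `@include common-auth` in sshd, and `UsePAM yes` as the first active value in sshd_config. The function names and the sample config tree are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the edits from Steps 1-3. Names are hypothetical.

# tally_before FILE ANCHOR: succeed when an active "auth ... pam_tally.so"
# line precedes the first active line containing the literal ANCHOR.
tally_before() {
    awk -v anchor="$2" '
        $1 ~ /^#/ { next }                          # skip comment lines
        $1 == "auth" && /pam_tally\.so/ { tally = 1 }
        index($0, anchor) { found = 1; ok = tally; exit }
        END { exit !(found && ok) }
    ' "$1"
}

# usepam_enabled FILE: sshd keeps the first value it reads for a keyword,
# so only the first active UsePAM line counts (Match blocks are not handled).
usepam_enabled() {
    awk 'tolower($1) == "usepam" { val = tolower($2); exit }
         END { exit !(val == "yes") }' "$1"
}

# audit_faillog_setup ROOT: ROOT holds etc/ (pass "" for the live system).
audit_faillog_setup() {
    rc=0
    tally_before "$1/etc/pam.d/common-auth" "pam_unix.so" ||
        { echo "common-auth: no pam_tally.so before pam_unix.so"; rc=1; }
    tally_before "$1/etc/pam.d/sshd" "@include common-auth" ||
        { echo "sshd: no pam_tally.so before @include common-auth"; rc=1; }
    usepam_enabled "$1/etc/ssh/sshd_config" ||
        { echo "sshd_config: UsePAM is not yes"; rc=1; }
    return $rc
}

# make_sample DIR: write a constructed config tree matching the steps above.
make_sample() {
    mkdir -p "$1/etc/pam.d" "$1/etc/ssh"
    printf '%s\n' 'auth required pam_tally.so per_user magic_root onerr=fail' \
        'auth [success=1 default=ignore] pam_unix.so nullok_secure' \
        'auth requisite pam_deny.so' > "$1/etc/pam.d/common-auth"
    printf '%s\n' 'auth required pam_env.so # [1]' \
        'auth required pam_tally.so per_user onerr=fail' \
        '@include common-auth' > "$1/etc/pam.d/sshd"
    printf '%s\n' '#UsePAM no' 'UsePAM yes' > "$1/etc/ssh/sshd_config"
}

demo=$(mktemp -d)
make_sample "$demo"
audit_faillog_setup "$demo" && echo "faillog setup looks complete"
rm -rf "$demo"
```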