Record / Log Failed Login Attempt In Linux
A system administrator needs to monitor unusual activity on the system. An unauthorized user may try to get in by guessing different passwords, so repeated failed logins are worth tracking. The Linux utility for viewing these failed login attempts is "faillog". The "faillog" command displays the failed login attempts recorded for each user. If there are too many unsuccessful attempts, the account can be disabled using "faillog", and "faillog" can also lock an account for a number of seconds after each failed login.
Faillog command syntax
These failures are stored in a file named "faillog" in the /var/log directory. The "faillog" command reads this file (/var/log/faillog) to display the failed logins. Run on its own, "faillog" prints the record of every user that has at least one unsuccessful attempt.
[root@localhost ~]# faillog
Login       Failures Maximum Latest                   On
student         1        0   06/28/12 15:27:27 +0530  tty1
After a failed login, the user can be locked out for a specified time with the -l option. To lock an account (say student) for 1 minute (60 seconds) after each failure, use:
[root@localhost ~]# faillog -l 60 -u student
[root@localhost ~]# faillog
Login       Failures Maximum Latest                   On
student         2        0   06/28/12 15:28:32 +0530  tty1  [51s left]
As you can see, the time remaining on the lock is displayed in the last column. The -u option specifies the username whose record is being changed. Further, a maximum number of login attempts can be set with the -m option.
[root@localhost ~]# faillog -m 3 -u student
This command will disable the student account after 3 unsuccessful logins. A maximum of 0 means no limit at all, which is why the Maximum column above shows 0. To clear a user's counter again (for example after a help-desk call), use faillog -r -u student.
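The counters, maximum and lock time that the commands above set all live in /var/log/faillog, one fixed-size record per UID. The following script is an added example (not code from the original post) that reads such a file offline and reproduces the columns faillog prints, including the "[Ns left]" lock countdown and the disabled state. It assumes the record layout used by shadow-utils on 64-bit Linux (two C shorts, a 12-byte tty name, a 64-bit time and a 64-bit lock time, 32 bytes in total); the sample file and the "guest" user are constructed for the demonstration.

```python
"""Read a /var/log/faillog-style file offline and reproduce what faillog shows.
Added example, not code from the original post.

Assumed layout (shadow-utils on 64-bit Linux): each record is a C struct
    short fail_cnt; short fail_max; char fail_line[12];
    time_t fail_time; long fail_locktime;
which packs to 32 bytes, and the record for a UID sits at offset UID * 32.
"""
import struct
from datetime import datetime

RECORD = struct.Struct("<hh12sqq")  # assumption: x86-64 field sizes, no padding
REC_SIZE = RECORD.size              # 32 bytes per UID


def make_record(count, maximum, tty, last_time, locktime):
    """Encode one record the way the file stores it (fail_line is NUL padded)."""
    return RECORD.pack(count, maximum, tty.encode().ljust(12, b"\0"),
                       last_time, locktime)


def read_record(data, uid):
    """Return (count, maximum, tty, last_time, locktime) for uid, or None when
    the file is too short to hold a record for that uid."""
    off = uid * REC_SIZE
    if off + REC_SIZE > len(data):
        return None
    count, maximum, tty, last_time, locktime = RECORD.unpack_from(data, off)
    return count, maximum, tty.split(b"\0", 1)[0].decode(), last_time, locktime


def lock_left(rec, now):
    """Seconds of lock remaining, i.e. faillog's "[Ns left]" column, or 0.
    The lock set with 'faillog -l' is counted from the last failure."""
    count, maximum, tty, last_time, locktime = rec
    if locktime and last_time + locktime > now:
        return last_time + locktime - now
    return 0


def is_disabled(rec):
    """True once failures reach the per-user maximum set with 'faillog -m';
    a maximum of 0 means no limit."""
    count, maximum, *_ = rec
    return maximum > 0 and count >= maximum


def report(data, users, now):
    """Print rows like 'faillog' for a {uid: name} map; users with a zero
    failure count are skipped, matching faillog's default output."""
    print("%-12s %8s %7s %-24s %s" % ("Login", "Failures", "Maximum", "Latest", "On"))
    for uid, name in users.items():
        rec = read_record(data, uid)
        if rec is None or rec[0] == 0:
            continue
        count, maximum, tty, last_time, locktime = rec
        when = datetime.fromtimestamp(last_time).astimezone()
        extra = ""
        left = lock_left(rec, now)
        if left:
            extra = " [%ds left]" % left
        if is_disabled(rec):
            extra += " (disabled)"
        print("%-12s %8d %7d %-24s %s%s" % (
            name, count, maximum, when.strftime("%m/%d/%y %H:%M:%S %z"), tty, extra))


# Constructed sample file: 502 empty records, then the 'student' record from
# the post (2 failures, tty1, 06/28/12 15:28:32 +0530, 60 s lock) at UID 500
# and a made-up 'guest' record that has hit a maximum of 3 at UID 501.
LAST_FAIL = int(datetime.strptime("06/28/12 15:28:32 +0530",
                                  "%m/%d/%y %H:%M:%S %z").timestamp())
SAMPLE = bytearray(b"\0" * (REC_SIZE * 502))
SAMPLE[500 * REC_SIZE:501 * REC_SIZE] = make_record(2, 0, "tty1", LAST_FAIL, 60)
SAMPLE[501 * REC_SIZE:502 * REC_SIZE] = make_record(3, 3, "pts/0", LAST_FAIL - 300, 0)
SAMPLE = bytes(SAMPLE)

if __name__ == "__main__":
    # Nine seconds after the failure, as in the post's "[51s left]" line.
    report(SAMPLE, {0: "root", 500: "student", 501: "guest"}, LAST_FAIL + 9)
```

Pointing `read_record` at a copy of a real /var/log/faillog (with the UID to name mapping taken from /etc/passwd) lets you inspect failure history from a disk image without running faillog on the host, which is handy during an investigation; on a 32-bit system the time and lock fields are 4 bytes each, so the struct format would have to change.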
pam_tally.so:
If you read carefully, "faillog" does not log the failures; it only displays them. Recording the attempts is the job of the pam_tally.so module. Before going into the details of this module, let's have a quick overview of PAM.
Pluggable Authentication Modules (PAM):
As the name suggests, PAM is a framework of pluggable modules that handles authentication in Linux. "Pluggable" means the same modules can be used by any application that needs to authenticate a user. PAM is not itself a program or utility that logs you in; it is a library that provides authentication functions to the utilities that need them. For example, when we log in at a terminal (the prompt that looks like "localhost login: "), the program running behind it is the 'login' utility, and it calls PAM modules to check the password. Other utilities such as ssh (remote login), su (switching users), at and cron (both used for scheduling tasks) and so on also use PAM modules for authentication. Which modules run for a given service, and in which order, is configured in the files under /etc/pam.d/.
So, returning to the pam_tally.so module. This module counts failed login attempts and stores them in the /var/log/faillog file. If your system is not configured to use this module, nothing writes to that file, so "faillog" shows no failures at all. To configure the system to use it, edit the /etc/pam.d/system-auth file and add these two lines (the auth entry counts each failure, and the account entry resets the counter after a successful login, so both are needed). Note that on Red Hat style systems this file is generated by authconfig and the edit is lost the next time authconfig runs, and that on current distributions pam_tally.so has been replaced by pam_tally2.so and then pam_faillock.so, whose options and log file differ; check the man page of the module your system ships.
auth required pam_tally.so
account required pam_tally.so
My /etc/pam.d/system-auth file looks like this (the added lines are marked with comments):
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
###---------Added by Raghu---------###
auth required pam_tally.so
###--------------------------------###
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
###---------Added by Raghu---------###
account required pam_tally.so
###--------------------------------###
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
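A quick way to confirm that a service file records failures at all is to parse it and look for pam_tally.so in both the auth and the account stacks, since a missing auth entry means nothing is ever counted and a missing account entry means the counter is never reset. The script below is an added example, not the post's own code; it embeds the system-auth file listed above as its sample so it runs offline, and it only checks for the two entries this post adds, not the full semantics of PAM control flags.

```python
"""Check that a PAM service file loads pam_tally.so in the auth and account
stacks.  Added example, not the post's own code.  SAMPLE_CONFIG is the
/etc/pam.d/system-auth listed in the post, embedded so the check runs offline.
"""

SAMPLE_CONFIG = """\
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
auth required pam_tally.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
account required pam_tally.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
"""


def parse_pam(text):
    """Return (type, control, module, options) tuples, one per active line.
    Controls written as [value=action ...] are kept as a single token, and
    module arguments are split into a dict (key=value or bare flag)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        mtype, rest = line.split(None, 1)
        if rest.startswith("["):
            close = rest.index("]")
            control, rest = rest[:close + 1], rest[close + 1:].strip()
        else:
            control, rest = rest.split(None, 1)
        module, *args = rest.split()
        options = dict(arg.partition("=")[::2] for arg in args)
        entries.append((mtype, control, module, options))
    return entries


def tally_check(entries):
    """Report which stacks load pam_tally.so and which of the two required
    entries are missing."""
    found = {}
    for mtype, control, module, options in entries:
        if module == "pam_tally.so":
            found[mtype] = {"control": control, "options": options}
    problems = []
    if "auth" not in found:
        problems.append("auth stack never calls pam_tally.so, so failures "
                        "are not written to /var/log/faillog")
    if "account" not in found:
        problems.append("account stack never calls pam_tally.so, so the "
                        "counter is not reset after a successful login")
    return found, problems


if __name__ == "__main__":
    found, problems = tally_check(parse_pam(SAMPLE_CONFIG))
    for stack in ("auth", "account"):
        print(stack, found.get(stack, "MISSING"))
    print("problems:", problems or "none")
```

To check a live system, replace SAMPLE_CONFIG with the contents of /etc/pam.d/system-auth (or whichever service file your distribution uses); the options dict also exposes any deny= or unlock_time= arguments given to the module, which are the pam_tally.so equivalents of the per-user limits set with faillog -m and -l.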