Old 01-10-2011, 04:49 PM
"Mr. Paul M. Whitney"
 
RHEL6 pam_tally2 lockouts

Have you tried putting the entries in /etc/pam.d/ssh instead of system-auth?


Paul W.


On Jan 10, 2011, at 10:40, Johan Booysen <johan@matrixsolutions.co.uk> wrote:

> I'm trying to set up a RHEL6 server for sftp access only. So far it
> works very well, but I can't seem to get pam_tally2 set up to lock user
> accounts after so many unsuccessful login attempts.
>
> As far as I could find out, it should work if I add the following lines
> to /etc/pam.d/system-auth:
>
> Last line in the auth section:
>
> auth required pam_tally2.so deny=3 onerr=fail
>
> Last line in the account section:
>
> account required pam_tally2.so
>
> According to the pam_tally2 man page this should log failed attempts in
> /var/log/tallylog, but when I deliberately log in with nonsense
> usernames/password, I get absolutely nothing in the tallylog file.
> Hence running the pam_tally2 command with no options produces no
> results.
>
> /var/log/secure shows me entries such as:
>
> Jan 10 15:16:26 rhel6 sshd[1918]: Failed password for test from
> 192.x.x.x port 4467 ssh2
> Jan 10 15:16:29 rhel6 sshd[1918]: Failed password for test from 192.x.x.
> port 4467 ssh2
> Jan 10 15:16:29 rhel6 sshd[1919]: Disconnecting: Too many authentication
> failures for test
> Jan 10 15:16:29 rhel6 sshd[1918]: PAM 1 more authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser= rhost=mc23.xxxxx.int user=test
>
> In /etc/ssh/sshd_config I've got
>
> UsePAM yes
> PasswordAuthentication yes
> ChallengeResponseAuthentication no
>
> I might be missing something silly here, so I'd really appreciate any
> advice on getting this to work on Red Hat Enterprise Linux 6.
>
> Thanks.
>
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list

 
Old 01-11-2011, 12:11 PM
"Johan Booysen"
 
RHEL6 pam_tally2 lockouts

Paul - thanks very much for your reply.

My understanding was that it should go into the /etc/pam.d/system-auth
file, but I've tried it in the /etc/pam.d/sshd file and it seems to work
in terms of logging failed logon attempts in /var/log/tallylog, e.g.

Login    Failures  Latest failure
test            6  01/11/11 12:04:23

However, the account does not get locked out after the specified number
of logon attempts (3) mentioned on the following line:
auth required pam_tally2.so deny=3 onerr=fail

The pam_tally2 man page mentions:

deny=n Deny access if tally for this user exceeds n.

Anyone have any idea why the account doesn't get locked?

Regards,

Johan

 
Old 01-11-2011, 11:24 PM
"Mr. Paul M. Whitney"
 
RHEL6 pam_tally2 lockouts

Johan,

I have these lines in my /etc/pam.d/sshd file:

auth required pam_tally2.so deny=3 onerr=fail unlock_time=1800


account required pam_tally2.so per_user

Cheers,

Paul


 
Old 01-12-2011, 08:52 AM
"Johan Booysen"
 
RHEL6 pam_tally2 lockouts

Hi,

I've tried those settings in /etc/pam.d/sshd, but get the same result:
pam_tally2 does tally up failed logon attempts, but never locks out the
offending user.

FWIW I also tried adding those lines in the login and system-auth files.
When these lines are in the login file, then it behaves exactly the same
as above. When added to system-auth, pam_tally2 does not tally up
failed logons at all.

I must be missing something really silly somewhere...

Thanks.

 
Old 01-26-2011, 09:39 AM
"Johan Booysen"
 
RHEL6 pam_tally2 lockouts

The silly bit I was missing was just where those lines should actually
be placed inside /etc/pam.d/sshd.

This works:

auth required pam_sepermit.so
auth required pam_tally2.so deny=3 onerr=fail    << this line here
auth include password-auth

account required pam_nologin.so
account required pam_tally2.so                   << this line here
account include password-auth

Then just run pam_tally2 to see failed logins, and pam_tally2 -u
username -r to unlock the user account if it's locked out.

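To see why the position relative to "auth include password-auth" matters, here is an added Python model (not code from the thread or from Linux-PAM) of how libpam walks the RHEL6 sshd auth stack with pam_tally2 placed before and after the include. It assumes a cut-down password-auth (pam_env, pam_unix as sufficient, pam_deny), a constructed credential store, and the pam_tally2 behaviour of bumping the tally before comparing it against deny=3 and resetting it in the account phase.

```python
# Constructed model of how libpam walks the RHEL6 /etc/pam.d/sshd auth stack.
# Assumptions: pam_tally2 bumps the tally before the password is checked and
# denies once it exceeds deny=N; the account phase resets it on success.
PASS, FAIL = "success", "failure"
CORRECT = {"test": "s3cret"}      # constructed credential store for the model
DENY = 3                          # the thread's deny=3

def call_module(name, tally, user, password):
    """Answer for one module; pam_tally2 also updates the per-user tally."""
    if name == "pam_tally2.so":
        tally[user] = tally.get(user, 0) + 1      # bump first, check second
        return FAIL if tally[user] > DENY else PASS
    if name == "pam_unix.so":
        return PASS if CORRECT.get(user) == password else FAIL
    if name == "pam_deny.so":
        return FAIL
    return PASS                                   # pam_sepermit.so, pam_env.so

def run_auth(stack, tally, user, password):
    """Apply the PAM control flags in order and return the stack's verdict."""
    result = None                                 # first failing 'required' wins
    for flag, name in stack:
        rc = call_module(name, tally, user, password)
        if flag == "requisite" and rc == FAIL:
            return FAIL                           # stops the stack at once
        if flag == "required" and rc == FAIL and result is None:
            result = FAIL                         # remembered, keep walking
        if flag == "sufficient" and rc == PASS and result is None:
            return PASS                           # later modules never run
    return result or PASS

# Cut-down RHEL6 password-auth auth section (pam_succeed_if omitted).
PASSWORD_AUTH = [("required", "pam_env.so"),
                 ("sufficient", "pam_unix.so"),
                 ("required", "pam_deny.so")]

def sshd_auth_stack(tally_before_include):
    """sshd auth stack with pam_tally2 before or after 'auth include password-auth'."""
    sepermit, tally2 = ("required", "pam_sepermit.so"), ("required", "pam_tally2.so")
    if tally_before_include:                      # the ordering that works
        return [sepermit, tally2] + PASSWORD_AUTH
    return [sepermit] + PASSWORD_AUTH + [tally2]  # tallies, but pam_unix short-circuits

def login(stack, tally, user, password):
    """Auth phase, then the account-phase pam_tally2 reset on success."""
    verdict = run_auth(stack, tally, user, password)
    if verdict == PASS:
        tally[user] = 0                           # 'account required pam_tally2.so'
    return verdict

def simulate(tally_before_include):
    """Three wrong passwords, then the right one; return the four verdicts."""
    stack, tally = sshd_auth_stack(tally_before_include), {}
    return [login(stack, tally, "test", pw)
            for pw in ("wrong", "wrong", "wrong", CORRECT["test"])]

if __name__ == "__main__":
    print("pam_tally2 after  include:", simulate(False))  # last attempt succeeds
    print("pam_tally2 before include:", simulate(True))   # last attempt locked out
```

With pam_tally2 after the include, a correct password makes the sufficient pam_unix.so return success before pam_tally2 ever runs, which is exactly the "tallies but never locks" symptom described in the thread.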
 
