Pam question maybe?

Steven W. Orr steveo at syslang.net
Thu Jul 29 18:14:44 UTC 2004


I'd very much like to know how you learned about PAM. Is there a good 
book somewhere?

Vielen Dank :-)

-- 
Time flies like the wind. Fruit flies like a banana. Stranger things have  .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net
-------------- next part --------------
On Thu, 29.07.2004 at 18:18, Jake McHenry wrote:

> My server got hacked on Monday, I'm pretty sure; files were changed, rc.local and rc.sysinit
> were overwritten. Anyway, is there a way that I can lock out the system after, say, 3 unsuccessful
> login attempts? This would be remotely only, so I can log in at the console to re-enable remote logins?

> Jake McHenry

Hacked? That's pretty bad. Did you use insecure passwords? Did you not
keep your system up to date? I am highly interested in how an attacker
could enter your system.

If you are hacked, then there is no way around a clean new install!
Don't try to find things changed - you won't find all backdoors.

Yes, you can use PAM to limit the tries for logins. Patch your
/etc/pam.d/system-auth file with

$ diff -Nur /etc/pam.d/system-auth system-auth
--- /etc/pam.d/system-auth      2004-05-30 19:05:10.000000000 +0200
+++ system-auth 2004-07-29 18:28:06.085452612 +0200
@@ -4,7 +4,9 @@
 auth        required      /lib/security/$ISA/pam_env.so
 auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth
nullok
 auth        required      /lib/security/$ISA/pam_deny.so
+auth        required      /lib/security/$ISA/pam_tally.so onerr=fail
no_magic_root
  
+account     required      /lib/security/$ISA/pam_tally.so deny=3
no_magic_root reset
 account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid <
100
 account     required      /lib/security/$ISA/pam_unix.so
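Review bot: both added lines land in /etc/pam.d/system-auth, which every PAM service on the box includes, so `account required pam_tally.so deny=3 no_magic_root reset` locks the account for console `login` just as much as for remote logins, and `no_magic_root` extends the same count to root. That does not match the original question, which asked for a remote-only lockout with the console kept usable for unlocking. Consider putting the two pam_tally lines into the PAM service file of the remote login service rather than into the shared system-auth, or dropping `no_magic_root` so root can still get in at the console. Also, `onerr=fail` on the auth line makes every authentication fail if /var/log/faillog cannot be opened, so the `touch /var/log/faillog` step described below has to be done before this patch goes live.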

You see it adds 2 lines. Make a copy of system-auth to a safe place, and
do the changes with great care. You can either make the changes by hand
or do it using the patch command: cd /etc/pam.d; cat
/path/to/the/patch/from/above | patch -p1

Then run "touch /var/log/faillog; chmod 600 /var/log/faillog; chown
root /var/log/faillog". Of course you must be root for all these steps.

You can use the commands "faillog" and "pam_tally" to handle the
restrictions with failed logins. Both commands let you show the number
of failed logins per user account and let you reset the counter.

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.6-1.435.2.3.ad.umlsmp 
Serendipity 18:22:24 up 3 days, 3:29, load average: 0.82, 0.66, 0.43 
-------------- next part --------------
-- 
fedora-list mailing list
fedora-list at redhat.com
To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list