SSH monitoring

Richard Emberson remberson at edgedynamics.com
Sat Sep 17 18:03:18 UTC 2005


I've just installed pam_abl and tested it ... seems to work, but I've got a question.
I put the pam_abl line:

auth        required      /lib/security/pam_abl.so config=/etc/security/pam_abl.conf

in /etc/pam.d/system-auto. The problem is that at the top of the system-auto
file there is the warning:

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.

Now my question, where can I put the pam_abl line so that it gets automatically
placed into system-auto each time authconfig is run?

Thanks
RME


Neil Cherry wrote:

> CHAT KHODA wrote:
>
>> Dear friends,
>> I wish to :
>>
>> 1- Monitor all of the connections (or tries) to my SSH
>> port including the source IP address.
>
>
> permit() {
>     # I want to log just the startup of the conversation
>     /sbin/iptables -A INPUT -s ${1} -p tcp --dport 22 -j LOG --syn \
>                    --log-level  info --log-prefix "iptables permit: " \
>                    --log-ip-options
>     /sbin/iptables -A INPUT -s ${1} -p tcp --dport 22 -j ACCEPT
> }
>
>
> # Deny these sites access to my machine
> deny() {
>     /sbin/iptables -A INPUT -s ${1} -p tcp --dport 22 -j LOG \
>                    --log-level alert --log-prefix "iptables deny: " \
>                    --log-ip-options
>     /sbin/iptables -A INPUT -s ${1} -p tcp --dport 22 -j DROP
> }
>
>
> # =[ Flush the tables completely ]============================================
> /sbin/iptables -F
>
> # =[ Permit list ]============================================================
> #permit 127.0.0.0/8             # Local stuff
> permit 10.0.0.0/8               # Local stuff
> permit 172.16.0.0/12            # Local stuff
> permit 192.168.0.0/16           # Local stuff
>
> # =[ Deny list ]==============================================================
> deny 0.0.0.0/0          # Deny everyone else
>
> The logging part is probably what you want most but the above may
> prove to be useful.
>
>> 2- Limit the number of unsuccessful attempts to login
>> to just two attempts per session.
>
>
> Take a look at pam_abl ( http://www.hexten.net/pam_abl/ ). Now that
> I use the above I've had no incidents of needing pam_abl. That doesn't
> mean I won't.
>



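Added example (not part of the original thread): a shell function that tallies, per source address, the kernel log lines produced by the `permit()`/`deny()` rules quoted above. The function names, host name, addresses and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: tally the kernel log lines written by the permit()/deny()
# rules quoted above. The prefixes match the script's --log-prefix values.

# Read syslog text on stdin; print "<verdict> <source> <count>" per source.
# permit() logs only SYNs (connection starts); deny() logs every dropped
# packet, so deny counts are packets, including SYN retransmissions.
ssh_fw_summary() {
    awk '
    /iptables (permit|deny): / && / DPT=22 / {
        verdict = ($0 ~ /iptables deny: /) ? "deny" : "permit"
        src = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /^SRC=/) { src = substr($i, 5); break }
        if (src != "") count[verdict " " src]++
    }
    END { for (k in count) print k, count[k] }
    ' | LC_ALL=C sort -k1,1 -k3,3nr -k2,2
}

# Constructed sample log lines (documentation addresses, made-up host name).
sample_log() {
    cat <<'EOF'
Sep 17 18:01:02 gw kernel: iptables permit: IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.1 LEN=60 TTL=64 PROTO=TCP SPT=40112 DPT=22 WINDOW=5840 SYN URGP=0
Sep 17 18:01:09 gw kernel: iptables deny: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 SYN URGP=0
Sep 17 18:01:12 gw kernel: iptables deny: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 SYN URGP=0
Sep 17 18:01:15 gw sshd[2201]: Accepted password for rme from 192.168.1.20 port 40112 ssh2
Sep 17 18:02:40 gw kernel: iptables deny: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TTL=49 PROTO=TCP SPT=33790 DPT=22 WINDOW=5840 SYN URGP=0
Sep 17 18:02:41 gw kernel: iptables deny: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=51240 DPT=22 WINDOW=5840 SYN URGP=0
Sep 17 18:03:00 gw kernel: iptables permit: IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.1 LEN=60 TTL=64 PROTO=TCP SPT=40115 DPT=22 WINDOW=5840 SYN URGP=0
EOF
}

# Stand-alone run on the sample; for real use feed it the kernel log,
# e.g. ssh_fw_summary < /var/log/messages (log path is an assumption).
sample_log | ssh_fw_summary
```
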


