
What is the ssh black hole pam_tally2

2025-01-15 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

This article introduces what the ssh black hole pam_tally2 is. The content is fairly detailed; interested readers can refer to it, and I hope it is helpful to you.

1. Modify the configuration of sshd itself: default port, number of password attempts, prohibiting root login, client connection timeout, disabling DNS resolution

2. System-level /etc/hosts.allow and /etc/hosts.deny

3. PAM level

4. Other assisting tools

This article covers the usage of the PAM module pam_tally2.

Premise:

Set UsePAM yes in /etc/ssh/sshd_config. PAM is generally enabled by default.

Main functions:

Lock a user for N seconds after M wrong passwords.

There are many files under /etc/pam.d:

/etc/pam.d/login: a restriction configured here applies only to local text terminals.

/etc/pam.d/kde: a restriction configured here applies to logins through the KDE graphical interface.

/etc/pam.d/sshd: a restriction configured here applies to connections through ssh.

/etc/pam.d/system-auth: a restriction configured here takes effect for every service that includes the system-auth file.

Warning:

Because pam_tally has no automatic-unlock function, take extra care when setting limits. If every login path is restricted and the root user gets locked out, you can only unlock it in single-user mode. You can of course add a crontab task to unlock on a schedule, but note that if pam_tally is added to /etc/pam.d/system-auth, the crontab task stops working once root is locked, so it is best not to add pam_tally to the system-auth file.

For now, only for sshd:

Lock all users (including root) for 2 minutes after 2 wrong passwords.

Modify the /etc/pam.d/sshd file and add two lines (many articles on the Internet add only the first one, misleading both their readers and themselves):

1. Directly under #%PAM-1.0, add: auth required pam_tally2.so deny=2 unlock_time=120 even_deny_root root_unlock_time=120 # add 1

2. Under the -auth line, add: account required pam_tally2.so # add 2

$ cat /etc/pam.d/sshd
#%PAM-1.0
auth required pam_tally2.so deny=2 unlock_time=120 even_deny_root root_unlock_time=120 # add 1
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_tally2.so # add 2
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare

If root users are not to be restricted, the line can be written as: auth required pam_tally2.so deny=M unlock_time=N*60 (M failures, N minutes expressed in seconds)
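As an added example (not code from the original article), the following shell script makes the two-line change described above on whatever file path you hand it, so it can be tried on a copy before touching /etc/pam.d/sshd. It assumes a CentOS 7 style sshd stack whose first line is #%PAM-1.0 (the sample file it writes is constructed, not copied from any host), inserts "add 1" directly under that header and "add 2" before the first account rule, skips lines that are already present, and verifies that both rules exist afterwards.

```shell
#!/bin/sh
# Added example, not from the original article: idempotently add the two
# pam_tally2 lines to a copy of /etc/pam.d/sshd, then verify both are present.
# Run it against a copy first; point it at the real file only once satisfied.

TALLY_AUTH='auth       required     pam_tally2.so deny=2 unlock_time=120 even_deny_root root_unlock_time=120'
TALLY_ACCOUNT='account    required     pam_tally2.so'

# make_sample_sshd_pam FILE: write a constructed CentOS 7 style sshd PAM stack
# (sample data for testing, not taken from any real host)
make_sample_sshd_pam() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    include      password-auth
EOF
}

# has_tally2 FILE TYPE: succeeds if an active "TYPE <control> pam_tally2.so" rule exists
has_tally2() {
    grep -Eq "^[[:space:]]*$2[[:space:]]+[a-z_]+[[:space:]]+pam_tally2\.so" "$1"
}

# count_tally2 FILE: number of active auth/account pam_tally2 rules
count_tally2() {
    grep -Ec "^[[:space:]]*-?(auth|account)[[:space:]].*pam_tally2\.so" "$1" || true
}

# add_tally2 FILE: "add 1" goes right after the #%PAM-1.0 header, "add 2" goes
# before the first account rule; rules already present are not duplicated.
# Returns non-zero if the result does not contain exactly one of each.
add_tally2() {
    f="$1"
    need_auth=1; need_acct=1
    has_tally2 "$f" auth && need_auth=0
    has_tally2 "$f" account && need_acct=0
    cp "$f" "$f.bak"                      # previous version kept as FILE.bak
    awk -v auth="$TALLY_AUTH" -v acct="$TALLY_ACCOUNT" \
        -v need_auth="$need_auth" -v need_acct="$need_acct" '
        need_acct && /^[[:space:]]*account[[:space:]]/ { print acct; need_acct = 0 }
        { print }
        need_auth && /^#%PAM-1\.0/ { print auth; need_auth = 0 }
    ' "$f.bak" > "$f"
    has_tally2 "$f" auth && has_tally2 "$f" account && [ "$(count_tally2 "$f")" -eq 2 ]
}

# Demo on a temporary copy (the real file is /etc/pam.d/sshd)
tmp="$(mktemp)"
make_sample_sshd_pam "$tmp"
add_tally2 "$tmp"
add_tally2 "$tmp"          # second run changes nothing
grep -n pam_tally2 "$tmp"
rm -f "$tmp" "$tmp.bak"
```

For the real file, run add_tally2 /etc/pam.d/sshd as root; the old version is left at /etc/pam.d/sshd.bak so a bad edit can be copied back. Keep a second ssh session open while testing the lockout: with even_deny_root, a typo in the auth line can lock root out of ssh and, as the warning above says, leave single-user mode as the only way back in.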

Explanation:

Configuration format:

pam_tally2.so [file=/path/to/counter] [onerr=[fail|succeed]] [magic_root] [even_deny_root] [deny=n] [lock_time=n] [unlock_time=n] [root_unlock_time=n] [serialize] [audit] [silent] [no_log_info]

Parameter details:

1. Global parameters

file: specifies where the failure counts are stored; by default they are kept in /var/log/tallylog.

onerr: what to return when something unexpected happens (for example the counter file cannot be accessed): onerr=succeed returns PAM_SUCCESS, onerr=fail returns the PAM error code. This item is generally not configured.

audit: writes the login attempt to the system log if the user does not exist.

silent: silent mode, no information output.

no_log_info: does not log information via syslog.

The above five global parameters generally do not need to be configured.

2. Authentication options

deny: the maximum number of authentication failures; once it is exceeded, the subsequent policy is enforced. If no unlock policy is specified, the user stays locked by default until unlocked manually.

lock_time: how many seconds the user is locked after each single failure.

unlock_time: how many seconds after the deny count has locked the user it is automatically unlocked.

magic_root: if a user with uid=0 (that is, root or an account equivalent to root) fails authentication, the failure is not counted.

no_lock_time: does not use the .fail_locktime field in /var/log/faillog to record the user. I do not quite understand the literal English, but my personal understanding is that it means no user locking.

even_deny_root: root is also locked on authentication failure (use this with care; root may end up having to be unlocked from single-user mode).

root_unlock_time: how long root stays locked after failing. This option is generally used together with even_deny_root.

Command-line management:

pam_tally2: view the failure status of all users

pam_tally2 --user=root: view the failure status of one user; short form pam_tally2 -u root

pam_tally2 --user=root --reset: clear the user's restriction; short form pam_tally2 -r -u root
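The bare pam_tally2 command lists every user with a counter, which is noisy on a busy host. As an added example (not from the original article), the shell function below filters that output down to the accounts whose failure count is at or above the threshold you pass, printing user, count and the source address of the latest failure. The sample output it runs on is constructed in the same layout as the real command's table (users with zero failures have no date or From column); on a live host you would pipe the command itself in.

```shell
#!/bin/sh
# Added example, not from the original article: report accounts at or over the
# pam_tally2 deny threshold from the command's own output.

# tally_over_deny DENY: read pam_tally2 table on stdin, print "user failures from"
# for every account whose failure count is at or above DENY
tally_over_deny() {
    awk -v deny="$1" '
        NR == 1 && $1 == "Login" { next }                       # header line
        NF >= 2 && $2 + 0 >= deny { print $1, $2, (NF >= 5 ? $NF : "-") }
    '
}

# Constructed sample of what "pam_tally2" with no arguments prints (not real data)
SAMPLE_TALLY='Login           Failures Latest failure     From
root                6    09/14/19 12:46:33  47.93.185.25
deploy              1    09/14/19 12:40:02  10.0.0.7
alice               0
bob                 2    09/14/19 12:45:10  203.0.113.9'

# report_locked DENY: run the filter over the constructed sample
report_locked() {
    printf '%s\n' "$SAMPLE_TALLY" | tally_over_deny "$1"
}

# Demo with the article's deny=2
report_locked 2
```

On a real host: pam_tally2 | tally_over_deny 2. Running this from cron and mailing the result gives a simple daily view of which accounts are being hammered and from where, before anyone needs pam_tally2 -r -u to unlock them.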

Test:

Please test with the terminal ssh command; xshell does not seem to show the error, it just keeps asking for input.

The check only happens after the account password has been entered; it does not mean the error is reported directly without entering a password.

➜ ~ ssh root@xxxx.com -p 5000
Password:
Account locked due to 5 failed logins
Password:
Account locked due to 6 failed logins
Password:

$ pam_tally2 -u root
Login           Failures Latest failure     From
root                6    09/14/19 12:46:33  47.93.185.25

# reset
root@web-devops-01 in /home/hlnm [12:46:40]
$ pam_tally2 -r -u root
Login           Failures Latest failure     From
root                6    09/14/19 12:46:33  47.93.185.25

root@web-devops-01 in /home/hlnm [12:47:28]
$ pam_tally2 -u root
Login           Failures Latest failure     From
root                0

➜ ~ ssh root@xxxx.com -p 5000
Password:
Last failed login: Sat Sep 14 12:46:33 CST 2019 from 47.93.185.255 on ssh:notty
There were 5 failed login attempts since the last successful login.
Last login: Sat Sep 14 11:59:40 2019 from 47.94.129.79
Welcome to Alibaba Cloud Elastic Compute Service !

That is all on what the ssh black hole pam_tally2 is; I hope the above content is of some help to you.
