Last updated on April 26, 2013 by Dan Nanni
If you are a web hosting administrator, VPS user, or a Linux security technician, you probably need to closely monitor SSH login activities, especially failed login attempts. Linux has Pluggable Authentication Modules (PAM) built in, offering configurable authorization for Linux applications and services. You can use PAM to monitor failed SSH login attempts, and act on them (e.g., blocking a user).
In this tutorial, I will show how to configure PAM to monitor failed SSH login attempts in CentOS 5 and 6 environments. Depending on the CentOS version you are using, PAM configuration is slightly different.
To keep track of failed SSH logins on CentOS 5.*, you need to use a PAM module called pam_tally.so. For that, modify /etc/pam.d/system-auth as follows.
$ sudo vi /etc/pam.d/system-auth
auth        required      pam_tally.so no_magic_root
account     required      pam_tally.so deny=3 no_magic_root lock_time=300
The above PAM configuration denies SSH access for a user if the user has failed to log in three times. The user becomes unblocked after 300 seconds.
Once PAM is configured, use a command called faillog to monitor the SSH login activity of a specific user (e.g., xmodulo):
$ sudo faillog -u xmodulo
Login       Failures Maximum Latest              On
xmodulo         2        0   04/23/13 14:12:53   192.168.1.5
To reset the counter of failures for a particular user (e.g., xmodulo):
$ sudo faillog -r -u xmodulo
To check failed SSH login attempts on CentOS 6.*, you need to use a PAM module called pam_tally2.so. To configure pam_tally2.so, modify /etc/pam.d/password-auth as below.
$ sudo vi /etc/pam.d/password-auth
auth        required      pam_tally2.so deny=3 onerr=fail unlock_time=300
account     required      pam_tally2.so
This PAM configuration blocks SSH login for a particular user after three failed login attempts from the user. The user remains blocked for 300 seconds.
Once PAM is configured like above, use a command called pam_tally2 to monitor the SSH login activity of a particular user (e.g., xmodulo).
$ sudo pam_tally2 -u xmodulo
Login           Failures Latest failure     From
xmodulo             2    04/23/13 22:44:45  192.168.1.5
To unblock a particular user (e.g., xmodulo):
$ sudo pam_tally2 -u xmodulo -r
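The check below is an added example, not part of the original tutorial: it reads the deny= value from the pam_tally2.so auth line and lists the accounts whose failure count has reached it, working on text in the pam_tally2 output format shown above. The sample configuration and tally rows (including the users alice and bob) are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: list accounts whose pam_tally2 failure count has reached
# the deny= threshold set on the pam_tally2.so auth line.

# Constructed sample of /etc/pam.d/password-auth (same lines as the tutorial).
sample_pam_config() {
cat <<'EOF'
auth        required      pam_tally2.so deny=3 onerr=fail unlock_time=300
account     required      pam_tally2.so
EOF
}

# Constructed sample in the pam_tally2 output format (one row per user).
sample_tally_output() {
cat <<'EOF'
Login           Failures Latest failure     From
xmodulo             2    04/23/13 22:44:45  192.168.1.5
alice               5    04/23/13 22:50:10  192.168.1.7
bob                 3    04/23/13 23:01:02  192.168.1.9
EOF
}

# Read PAM config on stdin; print deny= from the first active auth line that
# uses pam_tally2.so (commented-out lines do not have "auth" as field 1).
get_deny_threshold() {
    awk '$1 == "auth" && /pam_tally2\.so/ {
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^deny=[0-9]+$/) { sub(/^deny=/, "", $i); print $i; exit }
         }'
}

# Read tally output on stdin; print "user failures source" (source = last
# column) for every row whose failure count is >= the threshold in $1.
over_threshold() {
    awk -v deny="$1" 'NR > 1 && $2 ~ /^[0-9]+$/ && $2 + 0 >= deny + 0 {
             print $1, $2, $NF
         }'
}

report() {
    deny=$(sample_pam_config | get_deny_threshold)
    [ -n "$deny" ] || { echo "no deny= on a pam_tally2.so auth line" >&2; return 1; }
    sample_tally_output | over_threshold "$deny"
}

report
```

On a real host, feed get_deny_threshold from /etc/pam.d/password-auth and over_threshold from saved pam_tally2 output instead of the two sample functions.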
This tutorial demonstrated how you can monitor SSH login activities and act on affected users using built-in PAM modules. You may also want to consider a complementary tool called fail2ban, especially if your SSH server is experiencing large-scale brute-force password guessing attacks. Unlike PAM, fail2ban blocks malicious SSH logins at the network layer (via iptables) and can automate banning/unbanning of offending IP addresses.
Please note that this article is published by Xmodulo.com under a Creative Commons Attribution-ShareAlike 3.0 Unported License. If you would like to use the whole or any part of this article, you need to cite this web page at Xmodulo.com as the original source.