If you are a web hosting administrator or a Linux security technician, you probably need to closely monitor ssh login activities, especially failed login attempts. Linux has Pluggable Authentication Modules (PAM) built-in, offering configurable authorization for Linux applications and services. You can use PAM to monitor failed ssh login attempts, and act on them (e.g., blocking user).
In this tutorial, I will show how to configure PAM to monitor failed ssh login attempts on CentOS. Depending on the CentOS version you are using, PAM configuration is slightly different.
Configure PAM on CentOS 5
To keep track of failed ssh logins on CentOS 5.*, you need to use a PAM module called pam_tally.so. For that, modify /etc/pam.d/system-auth as follows.
auth required pam_tally.so no_magic_root account required pam_tally.so deny=3 no_magic_root lock_time=300
The above PAM configuration denies ssh access for a user if the user has failed to log in three times. The user becomes unblocked after 300 seconds.
Once PAM is configured, use a command called faillog to monitor the ssh login activity of a specific user (e.g., xmodulo):
Login Failures Maximum Latest On xmodulo 2 0 04/23/13 14:12:53 192.168.1.5
To reset the counter of failures for a particular user (e.g., xmodulo):
Configure PAM on CentOS 6
To check failed ssh login attempts on CentOS 6.*, you need to use a PAM module called pam_tally2.so. To configure pam_tally2.so, modify /etc/pam.d/password-auth as below.
auth required pam_tally2.so deny=3 onerr=fail unlock_time=300 account required pam_tally2.so
This PAM configuration blocks ssh login for a particular user after three failed login attempts from the user. The user remains blocked for 300 seconds.
Once PAM is configured like above, use a command called pam_tally2 to monitor the ssh login activity of a particular user (e.g., xmodulo).
Login Failures Latest failure From xmodulo 2 04/23/13 22:44:45 192.168.1.5
To unblock a particular user (e.g., xmodulo):
Subscribe to Xmodulo
Do you want to receive Linux FAQs, detailed tutorials and tips published at Xmodulo? Enter your email address below, and we will deliver our Linux posts straight to your email box, for free. Delivery powered by Google Feedburner.
After I added these line to password-auth:
auth required pam_tally2.so deny=3 onerr=fail unlock_time=300
account required pam_tally2.so
I cannot access to my server anymore. Every time I ssh to server, "Connection closed by [HOST IP]" appear. What should I do now? thanks
Hi Dan,
I added the said lines on Centos 6. After configuring password-auth, i tried to login 4 times with wrong password and then gave the right one. I was able to login successfully with the message displayed as "Account locked due to 5 failed logins". Shouldn't that lock the account for the set time period?
It should lock the account upon the fifth straight error.
I've setted password-auth like you advice:
1 #%PAM-1.0
2 # This file is auto-generated.
3 # User changes will be destroyed the next time authconfig is run.
4 auth required pam_env.so
5 auth sufficient pam_unix.so nullok try_first_pass
6 auth requisite pam_succeed_if.so uid >= 500 quiet
7 auth required pam_deny.so
8 auth required pam_tally2.so file=/var/log/tallylog deny=3 even_deny_root unlock_time=20 onerr=fail
9
10 account required pam_unix.so
11 account sufficient pam_localuser.so
12 account sufficient pam_succeed_if.so uid < 500 quiet
13 account required pam_permit.so
14 account required pam_tally2.so
15
16 password requisite pam_cracklib.so try_first_pass retry=3 type=
17 password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
18 password required pam_deny.so
19
20 session optional pam_keyinit.so revoke
21 session required pam_limits.so
22 session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
23 session required pam_unix.so
24
but when I try to connect with false password then I have to type for 5 times and not 3, why?
I add that I don't wait 20 seconds in order to retry, but I can to retry at once, why?
thanks