Xmodulo

Linux FAQs, tips and tutorials

How to monitor failed ssh login attempts on CentOS

Last updated on April 26, 2013 Authored by Dan Nanni 4 Comments

If you are a web hosting administrator or a Linux security technician, you probably need to closely monitor ssh login activities, especially failed login attempts. Linux has Pluggable Authentication Modules (PAM) built in, offering configurable authorization for Linux applications and services. You can use PAM to monitor failed ssh login attempts and act on them (e.g., blocking the user).

In this tutorial, I will show how to configure PAM to monitor failed ssh login attempts on CentOS. Depending on the CentOS version you are using, PAM configuration is slightly different.

Configure PAM on CentOS 5

To keep track of failed ssh logins on CentOS 5.*, you need to use a PAM module called pam_tally.so. For that, modify /etc/pam.d/system-auth as follows.

$ sudo vi /etc/pam.d/system-auth
auth required pam_tally.so no_magic_root
account required pam_tally.so deny=3 no_magic_root lock_time=300

The above PAM configuration denies ssh access for a user if the user has failed to log in three times. The user becomes unblocked after 300 seconds.

Once PAM is configured, use a command called faillog to monitor the ssh login activity of a specific user (e.g., xmodulo):

$ sudo faillog -u xmodulo
Login       Failures Maximum Latest             On
xmodulo         2        0   04/23/13 14:12:53  192.168.1.5

To reset the counter of failures for a particular user (e.g., xmodulo):

$ sudo faillog -r -u xmodulo

Configure PAM on CentOS 6

To check failed ssh login attempts on CentOS 6.*, you need to use a PAM module called pam_tally2.so. To configure pam_tally2.so, modify /etc/pam.d/password-auth as below.

$ sudo vi /etc/pam.d/password-auth
auth required pam_tally2.so deny=3 onerr=fail unlock_time=300
account required pam_tally2.so

This PAM configuration blocks ssh login for a particular user after three failed login attempts from the user. The user remains blocked for 300 seconds.

Once PAM is configured as above, use a command called pam_tally2 to monitor the ssh login activity of a particular user (e.g., xmodulo).

$ sudo pam_tally2 -u xmodulo
Login           Failures Latest failure     From
xmodulo             2    04/23/13 22:44:45  192.168.1.5

To unblock a particular user (e.g., xmodulo):

$ sudo pam_tally2 -u xmodulo -r
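The following script is an added example and is not part of the original post. It audits the setup from both sections above. tally_over_threshold reads the output of faillog (CentOS 5) or pam_tally2 (CentOS 6) on stdin and prints the users whose failure count has reached the deny= value; both tools print the failure count in the second column, so one parser serves both. check_tally_order verifies that the auth-type pam_tally2.so line sits above pam_unix.so in password-auth: pam_unix is normally marked sufficient, so a pam_tally2 line placed below it is skipped whenever the password is correct and the lock is never enforced, which is why the example in the pam_tally2(8) manual page puts the tally line before pam_unix.so. The sample tool output and the two password-auth fragments are constructed for illustration, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the Xmodulo post): helpers for auditing a
# pam_tally / pam_tally2 setup. All sample data below is constructed.

# tally_over_threshold N: read faillog or pam_tally2 output on stdin and
# print the users whose failure count is N or more (N = the deny= value).
# Both tools print the user in column 1 and the failure count in column 2.
tally_over_threshold() {
    awk -v limit="$1" 'NR > 1 && $2 ~ /^[0-9]+$/ && $2 + 0 >= limit { print $1 }'
}

# check_tally_order FILE: succeed only if the auth-type pam_tally2.so line
# appears before the auth-type pam_unix.so line in FILE. Because pam_unix is
# usually "sufficient", a tally line placed after it is never reached on a
# correct password, so a locked account can still log in.
check_tally_order() {
    awk '
        $1 == "auth" && /pam_tally2\.so/ && !tallyln { tallyln = NR }
        $1 == "auth" && /pam_unix\.so/   && !unixln  { unixln  = NR }
        END { exit !(tallyln && unixln && tallyln < unixln) }
    ' "$1"
}

# Constructed sample of "pam_tally2" output (CentOS 6 layout).
SAMPLE_TALLY='Login           Failures Latest failure     From
root                5    04/23/13 22:40:01  192.168.1.9
xmodulo             2    04/23/13 22:44:45  192.168.1.5
backup              3    04/23/13 22:50:12  10.0.0.7'

# Constructed sample of "faillog" output (CentOS 5 layout).
SAMPLE_FAILLOG='Login       Failures Maximum Latest             On
xmodulo         2        0   04/23/13 14:12:53  192.168.1.5
deploy          4        0   04/23/13 15:02:10  192.168.1.8'

# Constructed password-auth fragment with the recommended ordering.
PAM_GOOD=$(mktemp)
cat > "$PAM_GOOD" <<'EOF'
auth        required      pam_env.so
auth        required      pam_tally2.so deny=3 onerr=fail unlock_time=300
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_tally2.so
account     required      pam_unix.so
EOF

# Constructed fragment with pam_tally2 placed after the sufficient pam_unix.
PAM_BAD=$(mktemp)
cat > "$PAM_BAD" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
auth        required      pam_tally2.so deny=3 onerr=fail unlock_time=300
account     required      pam_tally2.so
EOF

# Usage
printf '%s\n' "$SAMPLE_TALLY"   | tally_over_threshold 3   # prints root and backup
printf '%s\n' "$SAMPLE_FAILLOG" | tally_over_threshold 3   # prints deploy
check_tally_order "$PAM_GOOD" && echo "ok: pam_tally2 precedes pam_unix"
check_tally_order "$PAM_BAD"  || echo "problem: pam_tally2 follows pam_unix, lock not enforced"
```

On a real server, pipe the live output into the parser (sudo pam_tally2 | tally_over_threshold 3, or sudo faillog -a on CentOS 5) and point the ordering check at the actual stack (check_tally_order /etc/pam.d/password-auth). Keep the deny= value in the threshold in step with the one in the PAM line.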


    4 thoughts on “How to monitor failed ssh login attempts on CentOS”

    1. Quan Vo on October 1, 2013 at 7:22 am said:

      After I added these lines to password-auth:

      auth required pam_tally2.so deny=3 onerr=fail unlock_time=300
      account required pam_tally2.so

      I cannot access my server anymore. Every time I ssh to the server, "Connection closed by [HOST IP]" appears. What should I do now? Thanks

    2. Henry on November 13, 2013 at 7:32 am said:

      Hi Dan,
      I added the said lines on CentOS 6. After configuring password-auth, I tried to log in 4 times with a wrong password and then gave the right one. I was able to log in successfully, with the message displayed as "Account locked due to 5 failed logins". Shouldn't that lock the account for the set time period?

      • Dan Nanni on November 13, 2013 at 8:45 pm said:

        It should lock the account upon the fifth straight error.

    3. oscar on January 7, 2014 at 9:17 pm said:

      I've set password-auth as you advised:

      #%PAM-1.0
      # This file is auto-generated.
      # User changes will be destroyed the next time authconfig is run.
      auth required pam_env.so
      auth sufficient pam_unix.so nullok try_first_pass
      auth requisite pam_succeed_if.so uid >= 500 quiet
      auth required pam_deny.so
      auth required pam_tally2.so file=/var/log/tallylog deny=3 even_deny_root unlock_time=20 onerr=fail

      account required pam_unix.so
      account sufficient pam_localuser.so
      account sufficient pam_succeed_if.so uid < 500 quiet
      account required pam_permit.so
      account required pam_tally2.so

      password requisite pam_cracklib.so try_first_pass retry=3 type=
      password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
      password required pam_deny.so

      session optional pam_keyinit.so revoke
      session required pam_limits.so
      session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
      session required pam_unix.so

      but when I try to connect with a wrong password, I have to type it 5 times and not 3. Why?
      I'd add that I don't have to wait 20 seconds before retrying; I can retry at once. Why?
      Thanks
