Security

To check the failed login attempts

 # lastb
 www      ssh:notty    116.193.40.59    Thu Sep 20 06:46 - 06:46  (00:00)
 cyrus    ssh:notty    116.193.40.59    Thu Sep 20 06:46 - 06:46  (00:00)
 cyrus    ssh:notty    116.193.40.59    Thu Sep 20 06:46 - 06:46  (00:00)

lastb searches the /var/log/btmp file for failed login attempts; the command fails if /var/log/btmp does not exist.

Another command to check failed login attempts

 # faillog -a
 Login       Failures Maximum Latest                   On

 root            0        0   12/31/69 16:00:00 -0800
 bin             0        0   12/31/69 16:00:00 -0800
 daemon          0        0   12/31/69 16:00:00 -0800

 # faillog --help
Usage: faillog [options]

Options:
  -a, --all			display faillog records for all users
  -h, --help			display this help message and exit
  -l, --lock-time SEC		after failed login lock accout to SEC seconds
  -m, --maximum MAX		set maximum failed login counters to MAX
  -r, --reset			reset the counters of login failures
  -t, --time DAYS		display faillog records more recent than DAYS
  -u, --user LOGIN		display faillog record or maintains failure counters
				and limits (if used with -r, -m or -l options) only
				for user with LOGIN

The last command lists the users who logged in most recently. It reads the /var/log/wtmp file.

To check the listing of last logged in users

 # last 
 reboot   system boot  2.6.18-8.1.8.el5 Fri Sep 21 02:07          (09:44)
 reboot   system boot  2.6.18-8.1.8.el5 Thu Sep 20 21:11          (14:40)
 root     tty1                          Thu Sep  6 19:26 - 19:26  (00:00)
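The lastb and last listings above are easier to act on when they are summarised. The script below is an added example, not part of the original page: it reads lastb-style (or last-style) output, skips the "btmp begins" trailer and local tty entries that have no host column, and reports failures per source host and per user, plus the hosts that reach a review threshold. The input lines are constructed for the example; in practice, feed it a saved listing (lastb > /tmp/btmp.txt; failed_by_host /tmp/btmp.txt).

```sh
#!/bin/sh
# Added example (not from the original page): summarise lastb/last-style
# output by source host and by user so repeated failures stand out.
# The sample below is constructed, not captured from a real system.
LASTB_SAMPLE='www      ssh:notty    116.193.40.59    Thu Sep 20 06:46 - 06:46  (00:00)
cyrus    ssh:notty    116.193.40.59    Thu Sep 20 06:46 - 06:46  (00:00)
cyrus    ssh:notty    116.193.40.59    Thu Sep 20 06:46 - 06:46  (00:00)
root     ssh:notty    198.51.100.7     Thu Sep 20 07:02 - 07:02  (00:00)
admin    ssh:notty    198.51.100.7     Thu Sep 20 07:03 - 07:03  (00:00)
oper     tty1                          Thu Sep 20 07:10 - 07:10  (00:00)

btmp begins Thu Sep 20 06:46:01 2007'

# Read from the file given as $1, or fall back to the constructed sample.
lastb_input() {
    if [ -n "$1" ]; then cat "$1"; else printf '%s\n' "$LASTB_SAMPLE"; fi
}

# Drop blank lines and the "btmp begins" / "wtmp begins" trailer.
records() {
    lastb_input "$1" | awk 'NF > 0 && $2 != "begins"'
}

# "count host", most frequent first. Entries from a local tty have no host
# column, so field 3 is a weekday name there; those lines are skipped.
failed_by_host() {
    records "$1" | awk '
        $3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/ { next }
        { n[$3]++ }
        END { for (h in n) printf "%d %s\n", n[h], h }' | sort -rn
}

# "count user", most frequent first (local and remote entries alike).
failed_by_user() {
    records "$1" | awk '{ n[$1]++ }
        END { for (u in n) printf "%d %s\n", n[u], u }' | sort -rn
}

# hosts_over_threshold FILE THRESHOLD: hosts with at least THRESHOLD
# failures (default 3), one per line, for review or blocking decisions.
hosts_over_threshold() {
    th=${2:-3}
    failed_by_host "$1" | awk -v t="$th" '$1 >= t { print $2 }'
}

failed_by_host
failed_by_user
hosts_over_threshold '' 3
```

The weekday test for the host column is a heuristic that fits the fixed-width layout lastb and last print; a host literally named after a weekday would be miscounted.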

Password aging Policies:

chage: used to change the number of days between password changes and the date of the last password change. The system uses this information to determine when a user must change her password.

Usage: chage [-m mindays] [-M maxdays] [-d lastday] [-I inactive] [-E expiredate] [-W warndays] user

The chage command can also be used to find out the date of the last password change, the password expiration date, the number of days between password changes, etc.

  # chage -l root
  Last password change                                    : Aug 18, 2005
  Password expires                                        : never
  Password inactive                                       : never
  Account expires                                         : never
  Minimum number of days between password change          : 0
  Maximum number of days between password change          : 99999
  Number of days of warning before password expires       : 7

Set default password expiry policy for all new users
/etc/login.defs defines the password expiry policy for all newly created users. The following settings can be defined in /etc/login.defs:

 #   PASS_MAX_DAYS   Maximum number of days a password may be used.
 #   PASS_MIN_DAYS   Minimum number of days allowed between password changes.
 #   PASS_MIN_LEN    Minimum acceptable password length.
 #   PASS_WARN_AGE   Number of days warning given before a password expires.
 #   MAIL_DIR 
 #   MAIL_FILE
 #   UID_MIN            Minimum UID number to use for new users
 #   UID_MAX            Maximum UID number to use for new users
 #   GID_MIN            Minimum GID number to use for new Groups
 #   GID_MAX            Maximum GID number to use for new Groups
 #   CREATE_HOME yes    If useradd should create home directories for users by default
 #   UMASK 077
 #   ENCRYPT_METHOD MD5

Setting limits for each user using PAM
Limits can be set to each user by modifying /etc/security/limits.conf file. This file is the configuration file for the pam_limits module.

 oracle              soft    nproc   2047           ## Max. Number of Processes
 oracle              hard    nproc   16384
 oracle              soft    nofile  1024          ## Max. Number of open files
 oracle              hard    nofile  65536

The following line needs to be added to the /etc/pam.d/login file for the limits to take effect:

 session    required     pam_limits.so

To restrict root logins:
Add all the ttys from which you want to log in directly as root to the /etc/securetty file. The /etc/securetty file governs the consoles from which you can log into Linux as the root user.

Setting Password Complexity Rules

Both pam_cracklib and pam_passwdqc are modules used to enforce password length and complexity, though pam_passwdqc is the more powerful of the two.

To set the password complexity with the following rules:

  1. Minimum password length 8 characters (minlen)
  2. Minimum one lower case letter (lcredit)
  3. Minimum one upper case letter (ucredit)
  4. Minimum one numeric character (dcredit)
  5. Minimum one special character (ocredit)
  6. Minimum three characters different from the previous password (difok)

Edit /etc/pam.d/system-auth so that it contains a line like the one below:

 password    requisite     pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=3

In the above line, "retry=3" means that users get three chances to pick a good password before the passwd program aborts.
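To make the meaning of those options concrete, here is an added example (not part of the original page) that applies the six rules offline the way the pam_cracklib line expresses them: minlen=8, each of lcredit/ucredit/dcredit/ocredit=-1 meaning "at least one character of that class", and difok=3. It is an illustration of what the options require, not a replacement for the module; in particular, pam_cracklib's similarity test is richer than the simplified "characters of the new password that do not occur in the old one" count assumed here.

```sh
#!/bin/sh
# Added example (not from the original page): offline checker for the
# rules expressed by the pam_cracklib line. The difok handling is a
# simplification of pam_cracklib's similarity test (an assumption).
MINLEN=8
DIFOK=3

# Count characters of NEW that do not occur anywhere in OLD.
differing_chars() {
    old=$1 new=$2 count=0 i=1
    while [ "$i" -le "${#new}" ]; do
        c=$(printf '%s' "$new" | cut -c "$i")
        case $old in
            *"$c"*) ;;                     # character also present in OLD
            *) count=$((count + 1)) ;;
        esac
        i=$((i + 1))
    done
    echo "$count"
}

# check_password OLD NEW: prints OK, or the first rule that fails.
check_password() {
    old=$1 new=$2
    [ "${#new}" -ge "$MINLEN" ] \
        || { echo "minlen: fewer than $MINLEN characters"; return 1; }
    printf '%s\n' "$new" | grep -q '[[:lower:]]' \
        || { echo "lcredit: no lower-case letter"; return 1; }
    printf '%s\n' "$new" | grep -q '[[:upper:]]' \
        || { echo "ucredit: no upper-case letter"; return 1; }
    printf '%s\n' "$new" | grep -q '[[:digit:]]' \
        || { echo "dcredit: no digit"; return 1; }
    printf '%s\n' "$new" | grep -q '[^[:alnum:]]' \
        || { echo "ocredit: no special character"; return 1; }
    [ "$(differing_chars "$old" "$new")" -ge "$DIFOK" ] \
        || { echo "difok: fewer than $DIFOK characters differ from the old password"; return 1; }
    echo OK
}

# Constructed candidates checked against a constructed old password.
for candidate in 'Winter2020!' 'summer2019!!' 'Summer2019!?' 'Ab1!xyz'; do
    printf '%-14s %s\n' "$candidate" "$(check_password 'Summer2019!' "$candidate")"
done
```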

Password History

pam_cracklib is capable of consulting a user's password "history" and not allowing them to re-use old passwords. However, the functionality for actually storing the user's old passwords is enabled via the pam_unix module.

The first step is to create an empty /etc/security/opasswd file for storing old user passwords. If you forget to do this before enabling the history feature in the PAM configuration file, then all user password updates will fail because the pam_unix module will constantly be returning errors from the password history code due to the file being missing.

Treat your opasswd file like your /etc/shadow file because it will end up containing user password hashes (albeit for old user passwords that are no longer in use):

 # touch /etc/security/opasswd
 # chown root:root /etc/security/opasswd
 # chmod 600 /etc/security/opasswd

Once you've got the opasswd file set up, enable password history checking by adding the option "remember=<x>" to the pam_unix configuration line in the /etc/pam.d/system-auth file (/etc/pam.d/common-password on Debian). The value of the "remember" parameter is the number of old passwords you want to store for a user.

 password    requisite      pam_cracklib.so retry=3 minlen=6 lcredit=-1 ucredit=-1 ocredit=-1
 password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=5

 password required pam_cracklib.so retry=3 minlen=12 difok=4
 password required pam_unix.so md5 remember=12 use_authtok

Once you've enabled password history, the opasswd file starts filling up with user entries that look like this:

 user1:1000:<n>:<hash1>,<hash2>,...,<hashn>

The first two fields are the username and user ID. The <n> in the third field is the number of old passwords currently stored for the user; this value is incremented by one every time a new hash is added to the user's password history, until <n> equals the value of the "remember" parameter set on the pam_unix configuration line. <hash1>,<hash2>,...,<hashn> are the MD5 password hashes of the user's old passwords.
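Since the file is small and its format is simple, it is easy to sanity-check. The following is an added example, not part of the original page: it parses opasswd-format lines, flags entries whose count field disagrees with the number of stored hashes or exceeds the "remember" value, and answers whether a given hash is already in a user's history (the comparison pam_unix performs when a password is reused). The entries and hash strings are constructed placeholders.

```sh
#!/bin/sh
# Added example (not from the original page): validate
# /etc/security/opasswd entries of the form user:uid:n:hash1,hash2,...
# The sample is constructed and the hashes are placeholders.
OPASSWD_SAMPLE='user1:1000:3:$1$aaaa$hash1,$1$bbbb$hash2,$1$cccc$hash3
user2:1001:6:h1,h2,h3,h4,h5,h6
user3:1002:2:h1'
REMEMBER=5    # the remember=<x> value configured on the pam_unix line

# Read from the file given as $1 (e.g. /etc/security/opasswd, as root),
# or fall back to the constructed sample.
opasswd_input() {
    if [ -n "$1" ]; then cat "$1"; else printf '%s\n' "$OPASSWD_SAMPLE"; fi
}

# One line per entry: "user stored=M count=N status", where status is ok,
# count-mismatch (field 3 differs from the number of hashes) or
# over-remember (more hashes kept than remember allows).
check_opasswd() {
    opasswd_input "$1" | awk -F: -v remember="$REMEMBER" '
        {
            stored = split($4, hashes, ",")
            status = "ok"
            if (stored != $3 + 0) status = "count-mismatch"
            else if (stored > remember) status = "over-remember"
            printf "%s stored=%d count=%d %s\n", $1, stored, $3, status
        }'
}

# in_history FILE USER HASH: prints yes if HASH is among USER's old hashes.
in_history() {
    user=$2 hash=$3
    opasswd_input "$1" | awk -F: -v user="$user" -v hash="$hash" '
        $1 == user {
            n = split($4, hashes, ",")
            for (i = 1; i <= n; i++) if (hashes[i] == hash) found = 1
        }
        END { print (found ? "yes" : "no") }'
}

check_opasswd
in_history '' user1 '$1$bbbb$hash2'
```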

Password Expiration

At this point you may be wondering how to get the system to automatically force users to change their password after some period of time. This is not actually the job of pam_cracklib. Instead, these parameters are set in the /etc/login.defs file on most Linux systems. PASS_MAX_DAYS is how often users have to change their passwords. PASS_MIN_DAYS is how long a user is forced to live with their new password before they are allowed to change it again. PASS_WARN_AGE is the number of days before the password expiration date that the user is warned that their password is about to expire. The choice of values for these parameters is entirely dependent on site policy. Note that these parameters are only applied to new accounts created with the default system useradd program.
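Because login.defs only affects accounts created after it is set, existing accounts have to be audited separately, using the same fields that chage -l prints (see the chage section above). The script below is an added example, not part of the original page: it reads /etc/shadow-format lines (name:hash:lastchg:min:max:warn:inactive:expire:reserved, with dates as days since 1970-01-01), lists password-capable accounts whose maximum age is unset or above a PASS_MAX_DAYS-style limit, lists accounts whose password expires within a window, and prints the chage commands that would bring the rest into line. The shadow lines are constructed; the "today" value in the final call is also constructed so the output is reproducible.

```sh
#!/bin/sh
# Added example (not from the original page): audit existing accounts
# against a PASS_MAX_DAYS-style limit using /etc/shadow fields.
# Constructed sample; the hash fields are placeholders.
SHADOW_SAMPLE='root:$6$constructed$hash:13000:0:99999:7:::
alice:$6$constructed$hash:17600:1:60:7:::
bob:$6$constructed$hash:17600:0::7:::
carol:$6$constructed$hash:17600:0:90:7:::
svc_backup:!!:17600:0:99999:7:::
daemon:*:17600:0:99999:7:::'

# Read from the file given as $1 (e.g. /etc/shadow, as root),
# or fall back to the constructed sample.
shadow_input() {
    if [ -n "$1" ]; then cat "$1"; else printf '%s\n' "$SHADOW_SAMPLE"; fi
}

# audit_max_age FILE LIMIT: accounts that can log in with a password (hash
# not locked with "!" or "*") whose maximum password age (field 5) is
# unset or larger than LIMIT days (default 90).
audit_max_age() {
    limit=${2:-90}
    shadow_input "$1" | awk -F: -v limit="$limit" '
        $2 ~ /^[!*]/ { next }
        $5 == "" || $5 + 0 > limit {
            printf "%s max=%s\n", $1, ($5 == "" ? "unset" : $5) }'
}

# expiring_within FILE TODAY WINDOW: accounts whose password expires within
# WINDOW days of TODAY (days since the epoch: $(( $(date +%s) / 86400 )) ).
# A negative days_left means the password has already expired.
expiring_within() {
    today=$2 window=$3
    shadow_input "$1" | awk -F: -v today="$today" -v window="$window" '
        $2 ~ /^[!*]/ || $5 == "" || $5 + 0 >= 99999 { next }
        { left = $3 + $5 - today
          if (left <= window) printf "%s days_left=%d\n", $1, left }'
}

# suggest_fixes FILE LIMIT: the chage commands that would enforce LIMIT on
# the non-compliant accounts (printed for review, not executed).
suggest_fixes() {
    limit=${2:-90}
    audit_max_age "$1" "$limit" \
        | awk -v limit="$limit" '{ printf "chage -M %d %s\n", limit, $1 }'
}

audit_max_age
expiring_within '' 17650 14    # constructed "today" for a reproducible run
suggest_fixes
```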

Account Lockout

Account lockout after a number of unsuccessful authentication attempts may be enabled using pam_tally. In this example, accounts are locked out after 5 failed login attempts. Twice an hour, the failed login counter is reset. The failed login counter is also reset with each successful authentication (reset option in PAM configuration).

Create the pam_tally store for failed login attempts.

 # touch /var/log/faillog
 # chown root:root /var/log/faillog
 # chmod 600 /var/log/faillog

Add the pam_tally lines to the /etc/pam.d/system-auth file as shown below:

 auth        required      pam_env.so
 auth        required      pam_tally.so onerr=fail deny=5 unlock_time=1800
 auth        sufficient    pam_unix.so nullok try_first_pass
 auth        requisite     pam_succeed_if.so uid >= 500 quiet
 auth        required      pam_deny.so

 account     required      pam_unix.so
 account     sufficient    pam_succeed_if.so uid < 500 quiet
 account     required      pam_permit.so
 account     required      pam_tally.so

The pam_tally options are:

  • onerr=[fail|succeed]: if something unexpected happens (such as being unable to open the file), return PAM_SUCCESS when onerr=succeed is given, otherwise the corresponding PAM error code.
  • deny=n: deny access if the tally for this user exceeds n.
  • lock_time=n: always deny for n seconds after a failed attempt.
  • unlock_time=n: allow access n seconds after a failed attempt. If this option is used, the user is locked out for the specified time after exceeding the maximum allowed attempts; otherwise the account stays locked until the lock is removed manually by the system administrator.

Unlock user account / Reset tally count
Users locked out by pam_tally can be unlocked, or their tally count reset, using the pam_tally command.

 pam_tally [--file /path/to/counter] [--user username] [--reset[=n]] [--quiet]

 # pam_tally
 User user1   (500)   has 8
 # pam_tally --user user1 --reset
 User user1   (500)   had 8
 # pam_tally --user user1 --reset=3

 # pam_tally --user user1 --reset=2
 User user1   (500)   had 0
 # pam_tally
 User user1   (500)   has 2

RHEL 3/4 Example

 auth        required      /lib/security/$ISA/pam_env.so
 auth        required      /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
 auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
 auth        required      /lib/security/$ISA/pam_deny.so

 account     required      /lib/security/$ISA/pam_unix.so
 account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
 account     required      /lib/security/$ISA/pam_permit.so
 account     required      /lib/security/$ISA/pam_tally.so deny=5 no_magic_root reset

Note: pam_tally on RHEL 3/4 does not support the unlock_time parameter.

The pam_passwdqc module can also be used to set password complexity rules:
http://www.openwall.com/passwdqc/

References:
http://www.brandonhutchinson.com/wiki/Linux_Password_Policy
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_cracklib.html
http://www.cyberciti.biz/tips/lock-unlock-set-number-of-login-attempts.html
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/security-guide/s1-wstation-pass.html