Security
To check the failed login attempts:
# lastb
www      ssh:notty    116.193.40.59    Thu Sep 20 06:46 - 06:46  (00:00)
cyrus    ssh:notty    116.193.40.59    Thu Sep 20 06:46 - 06:46  (00:00)
cyrus    ssh:notty    116.193.40.59    Thu Sep 20 06:46 - 06:46  (00:00)
lastb searches the /var/log/btmp file for failed login attempts; the command fails if /var/log/btmp does not exist. Note that failed attempts are only recorded while the file exists, so on a system without it nothing has been logged until you create it (root-owned, mode 600).
The last command lists the most recent logins. It reads /var/log/wtmp.
To list the last logged-in users:
# last
reboot   system boot  2.6.18-8.1.8.el5  Fri Sep 21 02:07          (09:44)
reboot   system boot  2.6.18-8.1.8.el5  Thu Sep 20 21:11          (14:40)
root     tty1                           Thu Sep  6 19:26 - 19:26  (00:00)
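Reading lastb by eye does not scale once a host has been brute-forced for a day. The script below is an added example (not from the original page) that ranks source addresses from lastb-style output and lists the usernames tried from each one, so you can see at a glance which hosts to block or report. SAMPLE_LASTB is constructed input in the format lastb prints; the function names and the threshold are this example's own assumptions.

```shell
#!/bin/sh
# Added example: summarise failed SSH logins from lastb-style output.
# SAMPLE_LASTB is constructed sample data in lastb's layout; on a live system
# feed the script with "$(lastb)" instead (reading /var/log/btmp needs root).

SAMPLE_LASTB='www      ssh:notty    116.193.40.59    Thu Sep 20 06:46 - 06:46  (00:00)
cyrus    ssh:notty    116.193.40.59    Thu Sep 20 06:46 - 06:46  (00:00)
cyrus    ssh:notty    116.193.40.59    Thu Sep 20 06:46 - 06:46  (00:00)
root     ssh:notty    198.51.100.7     Thu Sep 20 07:02 - 07:02  (00:00)
admin    ssh:notty    198.51.100.7     Thu Sep 20 07:02 - 07:02  (00:00)
root     tty1                          Thu Sep 20 07:10 - 07:10  (00:00)

btmp begins Thu Sep 20 06:46:01 2012'

# failed_by_host INPUT -> "count ip" lines, most active host first.
# Only ssh:notty records carry a remote host in field 3; console failures
# (tty1) and the trailing "btmp begins" line are skipped.
failed_by_host() {
    printf '%s\n' "$1" | awk '
        $2 == "ssh:notty" && NF >= 4 { n[$3]++ }
        END { for (h in n) printf "%d %s\n", n[h], h }' | sort -rn
}

# failed_users_for_host INPUT IP -> comma-separated sorted unique usernames
# that were tried from IP (a long list of generic names = dictionary attack).
failed_users_for_host() {
    printf '%s\n' "$1" | awk -v ip="$2" '$2 == "ssh:notty" && $3 == ip { print $1 }' \
        | sort -u | tr '\n' ',' | sed 's/,$//'
}

# hosts_over_threshold INPUT N -> hosts with more than N failures,
# i.e. the candidates for a firewall rule or an abuse report.
hosts_over_threshold() {
    failed_by_host "$1" | awk -v t="$2" '$1 + 0 > t + 0 { print $2 }'
}

echo "failures per host:"
failed_by_host "$SAMPLE_LASTB"
echo "hosts with more than 2 failures:"
hosts_over_threshold "$SAMPLE_LASTB" 2
```

On a live system replace the sample with "$(lastb)"; lastb reports only what login and sshd wrote to btmp, so pair it with the sshd entries in /var/log/secure or the journal if you need the timestamps of individual attempts.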
Password aging Policies:
chage: changes the number of days between password changes and the date of the last password change. The system uses this information to determine when a user must change her password.
Usage: chage [-m mindays] [-M maxdays] [-d lastday] [-I inactive] [-E expiredate] [-W warndays] user
The chage command can also be used to display the date of the last password change, the password expiration date, the number of days between password changes, etc.:
# chage -l root
Last password change                                    : Aug 18, 2005
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
Set default password expiry policy for all new users
/etc/login.defs defines the password expiry policy for all the newly created users. The following policies can be defined in /etc/login.defs
# PASS_MAX_DAYS      Maximum number of days a password may be used.
# PASS_MIN_DAYS      Minimum number of days allowed between password changes.
# PASS_MIN_LEN       Minimum acceptable password length.
# PASS_WARN_AGE      Number of days warning given before a password expires.
# MAIL_DIR
# MAIL_FILE
# UID_MIN            Minimum UID number to use for new users
# UID_MAX            Maximum UID number to use for new users
# GID_MIN            Minimum GID number to use for new groups
# GID_MAX            Maximum GID number to use for new groups
# CREATE_HOME yes    Whether useradd should create home directories for users by default
# UMASK 077
# ENCRYPT_METHOD MD5
ENCRYPT_METHOD MD5 reflects the age of this page; current distributions default to SHA512 and MD5 should not be chosen for new systems.
Setting limits to each user using pam
Per-user limits are set in the /etc/security/limits.conf file, the configuration file for the pam_limits module.
oracle  soft  nproc   2047    ## Max. number of processes
oracle  hard  nproc   16384
oracle  soft  nofile  1024    ## Max. number of open files
oracle  hard  nofile  65536
The following line must be present in /etc/pam.d/login for the limits to take effect:
session required pam_limits.so
To limit the root logins:
Add to /etc/securetty every tty from which you want to allow a direct root login. The /etc/securetty file (consulted by pam_securetty) governs the consoles from which you can log into Linux as the root user; a tty not listed there rejects root even with the correct password.
Setting Password Complexity Rules
Both pam_cracklib and pam_passwdqc are modules used to enforce password length and complexity, though pam_passwdqc is more powerful.
To set the password complexity with the following rules:
- Minimum password length 8 characters (minlen)
- Minimum one lower case letter (lcredit)
- Minimum one upper case letter (ucredit)
- Minimum one numeric character (dcredit)
- Minimum one special character (ocredit)
- Minimum three characters different from the previous password (difok)
Edit /etc/pam.d/system-auth so that it contains the following line:
password requisite pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=3
In the above line, "retry=3" means that users get three chances to pick an acceptable password before the passwd program aborts. A negative credit value (for example lcredit=-1) means "at least one character of this class is required"; a positive value would instead award length credit for using the class, which is not what a minimum-class policy wants.
Password History
Password history (refusing the re-use of old passwords) is enforced by the pam_unix module through its remember= option, which also stores the old password hashes. pam_cracklib only compares the new password against the current one (difok); it does not consult the stored history.
The first step is to create an empty /etc/security/opasswd file for storing old user passwords. If you forget to do this before enabling the history feature in the PAM configuration file, then all user password updates will fail because the pam_unix module will constantly be returning errors from the password history code due to the file being missing.
Treat your opasswd file like your /etc/shadow file because it will end up containing user password hashes (albeit for old user passwords that are no longer in use):
# touch /etc/security/opasswd
# chown root:root /etc/security/opasswd
# chmod 600 /etc/security/opasswd
Once the opasswd file is in place, enable password history checking by adding the option "remember=<x>" to the pam_unix line in /etc/pam.d/system-auth (/etc/pam.d/common-password on Debian). The value of the "remember" parameter is the number of old passwords to store for each user.
Two example password stacks, the first in the RHEL system-auth style and the second in the Debian common-password style:
password requisite  pam_cracklib.so retry=3 minlen=6 lcredit=-1 ucredit=-1 ocredit=-1
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=5

password required   pam_cracklib.so retry=3 minlen=12 difok=4
password required   pam_unix.so md5 remember=12 use_authtok
Once you've enabled password history, the opasswd file starts filling up with user entries that look like this:
user1:1000:<n>:<hash1>,<hash2>,...,<hashn>
The first two fields are the username and user ID. The <n> in the third field represents the number of old passwords currently being stored for the user--this value is incremented by one every time a new hash is added to the user's password history until <n> ultimately equals the value of the "remember" parameter set on the pam_unix configuration line. <hash1>,<hash2>,...,<hashn> are actually the MD5 password hashes for the user's old passwords.
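The following script is an added example, not part of the original page, that parses opasswd records in the format described above and checks that each record is self-consistent (the count field matches the number of hashes present) and how close each user is to the configured remember= limit. The sample file content is constructed and the hashes are placeholders; the function names and REMEMBER value are this example's own.

```shell
#!/bin/sh
# Added example: parse /etc/security/opasswd records
#   user:uid:count:hash1,hash2,...,hashn
# and report whether each user's stored history is consistent and how full it is.
# SAMPLE_OPASSWD is constructed sample data; the hashes are placeholders.

REMEMBER=5

SAMPLE_OPASSWD='user1:1000:3:$1$aaaaaaaa$hash1,$1$bbbbbbbb$hash2,$1$cccccccc$hash3
user2:1001:5:$1$dddddddd$h1,$1$eeeeeeee$h2,$1$ffffffff$h3,$1$gggggggg$h4,$1$hhhhhhhh$h5
user3:1002:2:$1$iiiiiiii$only'

# history_report OPASSWD REMEMBER -> one "user stored/remember STATUS" line per record.
# FULL    : count has reached remember=, oldest hash will be dropped on next change
# PARTIAL : history still filling up
# CORRUPT : count field disagrees with the number of hashes actually stored
history_report() {
    printf '%s\n' "$1" | awk -F: -v rem="$2" '
        NF >= 4 {
            n = split($4, h, ",")
            if (n != $3 + 0) status = "CORRUPT"
            else if (n >= rem) status = "FULL"
            else status = "PARTIAL"
            printf "%s %d/%d %s\n", $1, n, rem, status
        }'
}

# hash_in_history OPASSWD USER HASH -> exit 0 if HASH is one of USER's stored hashes.
# pam_unix performs this comparison itself when remember= is set, hashing the
# candidate password with the salt of every stored entry; this helper only
# does the final string comparison against an already computed hash.
hash_in_history() {
    printf '%s\n' "$1" | awk -F: -v u="$2" -v x="$3" '
        $1 == u { n = split($4, h, ","); for (i = 1; i <= n; i++) if (h[i] == x) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

history_report "$SAMPLE_OPASSWD" "$REMEMBER"
# On a live system (as root): history_report "$(cat /etc/security/opasswd)" 5
```

A CORRUPT record is worth investigating: pam_unix writes the file itself, so a mismatch usually means it was hand-edited or truncated, and the affected user's history check will no longer behave as intended.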
Password Expiration
At this point you may be wondering how to get the system to automatically force users to change their password after some period of time. This is not actually the job of pam_cracklib. Instead, these parameters are set in the /etc/login.defs file on most Linux systems. PASS_MAX_DAYS is how often users have to change their passwords. PASS_MIN_DAYS is how long a user is forced to live with a new password before they are allowed to change it again. PASS_WARN_AGE is the number of days before the password expiration date on which the user is warned that the password is about to expire. The choice of values for these parameters is entirely dependent on site policy. Note that these parameters are only applied to new accounts created with the default system useradd program; existing accounts keep their current settings (typically a maximum of 99999 days) and must be updated with chage, e.g. chage -M 90 -m 7 -W 14 user.
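Because login.defs only affects accounts created afterwards, the gap that matters in practice is the set of existing accounts that still carry the 99999-day default. The script below is an added example (not from the original page) serving both the chage section and the paragraph above: it reads /etc/shadow-format records, lists the accounts that do not meet the policy, flags those whose password is already past its maximum age, and prints the chage commands that would fix them. The shadow content is constructed with placeholder hashes; the policy values and function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example: audit password ageing from /etc/shadow-format records and
# emit the chage commands that would bring existing accounts in line with
# the login.defs policy. SAMPLE_SHADOW is constructed; hashes are placeholders.

POLICY_MAX_DAYS=90   # assumed PASS_MAX_DAYS
POLICY_MIN_DAYS=7    # assumed PASS_MIN_DAYS
POLICY_WARN_AGE=14   # assumed PASS_WARN_AGE

# shadow fields: name:hash:lastchange:min:max:warn:inactive:expire:reserved
# lastchange is days since 1970-01-01; an empty or 99999 max means "never expires".
# Locked (!...) and password-less (*) accounts cannot log in with a password and
# are ignored, as chage would only create noise for them.
SAMPLE_SHADOW='root:$6$saltsalt$placeholderhash:13013:0:99999:7:::
alice:$6$saltsalt$placeholderhash:15500:7:90:14:::
bob:$6$saltsalt$placeholderhash:15400::::::
svc-backup:!!:15000:0:99999:7:::
carol:*:15000:0:99999:7:::
dave:$6$saltsalt$placeholderhash:15560:7:90:14:::'

# noncompliant_accounts SHADOW -> names whose max age is unset, 99999, or above policy
noncompliant_accounts() {
    printf '%s\n' "$1" | awk -F: -v max="$POLICY_MAX_DAYS" '
        NF >= 5 && $2 != "" && substr($2,1,1) != "!" && substr($2,1,1) != "*" {
            if ($5 == "" || $5 + 0 >= 99999 || $5 + 0 > max + 0) print $1
        }'
}

# expired_accounts SHADOW TODAY_DAYS -> names whose password is past lastchange+max,
# i.e. accounts that will be forced to change at next login. On a live system
# TODAY_DAYS is $(( $(date +%s) / 86400 )).
expired_accounts() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '
        NF >= 5 && $2 != "" && substr($2,1,1) != "!" && substr($2,1,1) != "*" &&
        $5 != "" && $5 + 0 < 99999 && $3 != "" {
            if (today + 0 > $3 + $5) print $1
        }'
}

# remediation_commands SHADOW -> one chage invocation per non-compliant account.
# Printed rather than executed so the result can be reviewed before applying.
remediation_commands() {
    for u in $(noncompliant_accounts "$1"); do
        printf 'chage -M %s -m %s -W %s %s\n' \
            "$POLICY_MAX_DAYS" "$POLICY_MIN_DAYS" "$POLICY_WARN_AGE" "$u"
    done
}

echo "accounts outside policy:"
noncompliant_accounts "$SAMPLE_SHADOW"
echo "proposed fixes:"
remediation_commands "$SAMPLE_SHADOW"
# Live use (as root): remediation_commands "$(cat /etc/shadow)" | sh
```

Pipe the proposed commands into sh only after reviewing them; in particular decide deliberately whether root and service accounts should be subject to expiry, since a forced change on an unattended account can lock an automated job out.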
Account Lockout
Account lockout after a number of unsuccessful authentication attempts may be enabled using pam_tally. In this example, accounts are locked out after 5 failed login attempts. Twice an hour, the failed login counter is reset. The failed login counter is also reset with each successful authentication (reset option in PAM configuration).
Create the pam_tally store for failed login attempts.
# touch /var/log/faillog
# chown root:root /var/log/faillog
# chmod 600 /var/log/faillog
Add the two pam_tally lines to /etc/pam.d/system-auth as shown below (the remaining lines are the stock configuration):
auth     required   pam_env.so
auth     required   pam_tally.so onerr=fail deny=5 unlock_time=1800
auth     sufficient pam_unix.so nullok try_first_pass
auth     requisite  pam_succeed_if.so uid >= 500 quiet
auth     required   pam_deny.so

account  required   pam_unix.so
account  sufficient pam_succeed_if.so uid < 500 quiet
account  required   pam_permit.so
account  required   pam_tally.so
The pam_tally options are:
- onerr=[fail|succeed] ---> If something unexpected happens (such as being unable to open the counter file), return PAM_SUCCESS if onerr=succeed is given, else the corresponding PAM error code. Use onerr=fail, otherwise a missing or unreadable faillog silently disables the lockout.
- deny=n ---> Deny access if tally for this user exceeds n.
- lock_time=n ---> Always deny for n seconds after failed attempt.
- unlock_time=n ---> Allow access after n seconds after failed attempt. If this option is used the user will be locked out for the specified amount of time after he exceeded his maximum allowed attempts. Otherwise the account is locked until the lock is removed by a manual intervention of the system administrator.
Unlock user account / Reset tally count
Users locked by pam_tally can be unlocked, or their tally count reset, with the pam_tally command:
pam_tally [--file /path/to/counter] [--user username] [--reset[=n]] [--quiet]

# pam_tally
User user1 (500) has 8
# pam_tally --user user1 --reset
User user1 (500) had 8
# pam_tally --user user1 --reset=3
# pam_tally --user user1 --reset=2
User user1 (500) had 0
# pam_tally
User user1 (500) has 2
RHEL 3/4 Example
auth     required   /lib/security/$ISA/pam_env.so
auth     required   /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
auth     sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth     required   /lib/security/$ISA/pam_deny.so

account  required   /lib/security/$ISA/pam_unix.so
account  sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account  required   /lib/security/$ISA/pam_permit.so
account  required   /lib/security/$ISA/pam_tally.so deny=5 no_magic_root reset
- pam_tally on RHEL 3/4 does not support the unlock_time parameter, so locked accounts there stay locked until an administrator resets the tally.
The pam_passwdqc module can be used instead of pam_cracklib to set the password complexity:
http://www.openwall.com/passwdqc/
http://www.brandonhutchinson.com/wiki/Linux_Password_Policy
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_cracklib.html
http://www.cyberciti.biz/tips/lock-unlock-set-number-of-login-attempts.html
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/security-guide/s1-wstation-pass.html