I'd very much like to know how you learned about pam. Is there a good book somewhere?

Many thanks :-)

-- 
Time flies like the wind. Fruit flies like a banana. Stranger things have  .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net

On Thu, 29.07.2004 at 18:18, Jake McHenry wrote:

> my server got hacked on monday I'm pretty sure, files were changed, rc.local and rc.sysinit
> were overwritten. Anyways, is there a way that I can lock out the system after say 3 unsuccessful
> login attempts? This would be remotely only, so I can log in at the console to reenable remote logins?
> Jake McHenry

Hacked? That's pretty bad. Did you use insecure passwords? Did you not keep your system up to date? I am highly interested in how an attacker could enter your system.

If you are hacked, then there is no way around a clean new install! Don't try to find things changed - you won't find all backdoors.

Yes, you can use PAM to limit the tries for logins. Patch your /etc/pam.d/system-auth file with

$ diff -Nur /etc/pam.d/system-auth system-auth --- /etc/pam.d/system-auth 2004-05-30 19:05:10.000000000 +0200 +++ system-auth 2004-07-29 18:28:06.085452612 +0200 
@@ -4,7 +4,9 @@ auth required /lib/security/$ISA/pam_env.so auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok auth required /lib/security/$ISA/pam_deny.so +auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root +account required /lib/security/$ISA/pam_tally.so deny=3 no_magic_root reset account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 account required /lib/security/$ISA/pam_unix.so

You see it adds 2 lines. Make a copy of system-auth to a safe place, and do the changes with great care. You can either make the changes by hand or do it using the patch command:

cd /etc/pam.d; cat /path/to/the/patch/from/above | patch -p1

Then run "touch /var/log/faillog; chmod 600 /var/log/faillog; chown root /var/log/faillog". Of course you must be root for all these steps.

You can use the commands "faillog" and "pam_tally" to handle the restrictions with failed logins. Both commands let you show the number of failed logins per user account and let you reset the counter.

Alexander

-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.6-1.435.2.3.ad.umlsmp
Serendipity 18:22:24 up 3 days, 3:29, load average: 0.82, 0.66, 0.43
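
Review bot: the two pam_tally lines are added to /etc/pam.d/system-auth, so the deny=3 limit is not confined to remote logins as the question asked; services that pull in system-auth, the console login among them, would fall under the same lockout. Consider putting the two lines into the PAM file of the remote service only (for example /etc/pam.d/sshd) and leaving system-auth unchanged. Separately, the header reads @@ -4,7 +4,9 @@ while only five context lines appear around the two additions, so patch may reject the hunk as posted; adding the two lines by hand, as the message also offers, is the safer route.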
-- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list