PAM offers very powerful authentication control. You need to use the pam_access PAM module, which is mainly for access management. It provides login access control based on:
- Login names
- Host or domain names
- Internet addresses or network IP numbers
- Terminal line names, etc.
2. Why does pam_access matter?
On a production server, authorized logins can come from any networked computer. Therefore, it is important to have tight control over which users are allowed to connect to the server via the OpenSSH server.
3. How do I configure pam_access?
You need to edit the following files:
1. /etc/pam.d/sshd – the Linux PAM configuration file for the sshd service.
2. /etc/security/access.conf – By default, rules for access management are taken from this configuration file. When someone logs in, the file is scanned from top to bottom and the login is matched against each rule; the first matching rule decides whether the login is accepted or refused, and if no rule matches at all the login is accepted. The general syntax is as follows:
permission : username : origins
Where,
- permission : The permission field should be a “+” (access granted) or “-” (access denied) character.
- username : Linux system username/login name such as root, shashi, etc. You can also specify group names. You can also use the special keyword ALL (to match all usernames).
- origins : A list of one or more tty names, host names, IP addresses, domain names that begin with “.”, or the special keywords ALL or LOCAL.
Open the /etc/pam.d/sshd file:
# vim /etc/pam.d/sshd
Make sure the account stack consults pam_access (the pam_sepermit line is shown as it already appears in the file):
account required pam_access.so
auth required pam_sepermit.so
Example: only the root and shashi users may log in via SSH, and only from one IP address, 192.168.1.150.
4. Open the file /etc/security/access.conf:
# vi /etc/security/access.conf
Append the following lines. The grant line admits root and shashi from 192.168.1.150; the closing deny line is required because a login that matches no rule is otherwise accepted:
+ : root shashi : 192.168.1.150
- : ALL : ALL
5. Restart the SSH service:
# /etc/init.d/sshd restart
Check the SSH service: root and shashi can log in from 192.168.1.150, and other IPs are not able to log in to the SSH server.
Some PAM rules:
1. Block all networks for all users:
-:ALL : ALL
2. Allow only one user from a network (or from a single IP). Because a login that matches no rule is accepted, follow either line with a final -:ALL:ALL line:
+:shashi:192.168.1.0/24
OR
+:shashi:192.168.1.150
3. Prevent normal users from using the su - command to become root. In /etc/pam.d/su, uncomment the line that follows the comment “Uncomment the following line to require a user to be in the "wheel" group.”:
auth required pam_wheel.so use_uid
To let a particular normal user use su to gain root access, add that user to the wheel group (-a appends, so user1 keeps its other supplementary groups):
# usermod -aG wheel user1
# grep user1 /etc/group
wheel:x:10:user1
user1:x:501:
# tail -f /var/log/secure
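To make the first-match and default-allow behaviour of access.conf concrete for the rules above, here is an added illustration written for this post (my own code, not the PAM module's and not from the original article). It evaluates the subset of access.conf syntax used here; STRICT and GRANT_ONLY are constructed sample policies.

```python
import ipaddress

# Toy model of pam_access(8) evaluating /etc/security/access.conf, written for
# this post (not the module's own code). It covers only what the post uses:
# ALL, EXCEPT, plain user names, and origins given as an IPv4 address, a CIDR
# network or ALL. First matching rule wins; a login matching no rule is GRANTED.

def _match_field(tokens, value, matcher):
    """Match one space-separated field; 'a b EXCEPT c' means a or b, unless c."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (_match_field(tokens[:i], value, matcher)
                and not _match_field(tokens[i + 1:], value, matcher))
    return any(tok == "ALL" or matcher(tok, value) for tok in tokens)

def _user_matches(pattern, user):
    return pattern == user

def _origin_matches(pattern, origin):
    """Origin entries: a single IP, a CIDR network, or a literal host/tty name."""
    try:
        return ipaddress.ip_address(origin) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return pattern == origin

def parse_rules(text):
    """Parse 'permission : users : origins' lines into (allow, users, origins)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm == "+", users.split(), origins.split()))
    return rules

def access_allowed(rules, user, origin):
    """Return True if pam_access would let `user` log in from `origin`."""
    for allow, users, origins in rules:
        if (_match_field(users, user, _user_matches)
                and _match_field(origins, origin, _origin_matches)):
            return allow
    return True  # nothing matched: pam_access defaults to granting access

# Constructed sample policies. STRICT is the post's intent (root and shashi,
# only from 192.168.1.150) closed with deny-all; GRANT_ONLY has no closing
# deny, so every login it does not name falls through and is allowed.
STRICT = parse_rules("+ : root shashi : 192.168.1.150\n- : ALL : ALL\n")
GRANT_ONLY = parse_rules("+ : ALL EXCEPT root shashi : 192.168.1.150\n")
```

With GRANT_ONLY, root from any address and every other user from 192.168.1.150 are all accepted, which is why the final deny line matters.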
2. Use of X11Forwarding
When this option is enabled, the display server on the client is more exposed to attack from the server side of the connection. If forwarding of X11 traffic is not needed, disable it by setting this value to “no”.
X11Forwarding no
3. Disable rhosts
While not common anymore, rhosts were a weak way to authenticate systems. By default the use of rhosts is already disabled. Make sure to check if it really is.
IgnoreRhosts yes
4. DNS hostname checking
By default the SSH server can check whether the connecting client's address maps back to the same combination of hostname and IP address. Use this option to perform this basic check.
UseDNS yes
5. Disable Empty Passwords
You need to explicitly disallow remote login from accounts with empty passwords; update sshd_config with the following line:
PermitEmptyPasswords no
6. Disable root Login via SSH
Uncomment the PermitRootLogin line and change its value to “no”:
PermitRootLogin no
7. Change the port from 22 in the file /etc/ssh/sshd_config:
#Port 22
Port 8022
Verify that sshd is now listening on the new port:
# netstat -anp | grep 8022
8. Configure the idle user logout timeout interval
ClientAliveInterval 300
ClientAliveCountMax 0
You are setting an idle timeout interval in seconds (300 secs = 5 minutes). After this interval has passed, the idle user will be automatically kicked out (read as logged out). Note that the client-alive probe is answered automatically by a working ssh client, so these settings reliably drop only sessions whose client has stopped responding; for a true idle logout, pair them with a shell timeout such as bash's TMOUT. Also check the sshd_config manual page for your release: newer OpenSSH versions treat ClientAliveCountMax 0 as "never terminate" and need a count of 1 or more.
9. To only allow the root, vivek and jerry users to use the system via SSH, add the following to sshd_config (DenyUsers lists users who are explicitly refused):
AllowUsers root vivek jerry
DenyUsers saroj anjali foo
10. Only use SSH Protocol 2
Since SSH protocol 1 is insecure, we need to force the SSH server to always use protocol 2, which provides:
i) Strong cryptographic integrity check
ii) Separate transport, authentication, and connection protocols
Protocol 2
11. Change the SSH server listen address
By default the SSH server listens on all available interfaces, which in some cases is not OK. It is always best to limit the SSH server to listen only on the interfaces we want to use for connecting. (We can then reach ssh on these two IPs.) sshd_config does not accept a trailing comment after a directive, so keep the comments on their own lines:
# System IP
ListenAddress 192.168.1.5
# VIP
ListenAddress 202.54.1.5
# netstat -anp | grep 22
12. Max authentication tries
MaxAuthTries 4
13. Log all information
LogLevel INFO
14. Message of the day
Banner /etc/motd
How to block SSH users after 3 failed login attempts using pam_tally2.so
3. Edit /etc/pam.d/sshd and add:
auth required pam_tally2.so deny=3 onerr=fail unlock_time=300
4. pam_tally2.so uses the file /var/log/tallylog as a counter for the failed logins. If you wish to check the counter, you can use the pam_tally2 command:
[root@nuke]# pam_tally2
5. If you wish to reset the counter for a user before the 5-minute ban expires:
# pam_tally2 -r -u hacker1