Detect and Handle Failed Logins through SSH
To prevent brute force-based break-in attacks on Unix systems, PAM Server Control for Unix provides detection of failed user logons on a host and revocation of the user ID. The serevu module performs the revocation and can optionally re-enable a revoked user ID afterwards.

This topic describes how to configure PAM Server Control to detect and handle failed logins that occur through SSH. It also explains the data flow between a failed login through SSH, PAM (Pluggable Authentication Modules), seosd, and serevu.

Follow these steps:
- Configure the serevu module to detect failed logins that occur through applications that use PAM. PAM is the default authentication subsystem on Unix flavors. To allow serevu to work with PAM, set the following token in the seos.ini configuration file:
  [pam_seos]
  serevu_use_pam_seos = yes
- Configure sshd to use PAM for authentication by setting the following token in /etc/opt/ssh/sshd_config:
  UsePAM yes
  This setting allows the sshd daemon to signal the PAM system that a failed login occurred.
- Add the following line to /etc/pam.conf so that PAM Server Control intercepts the PAM signals coming from sshd:
  sshd auth optional /usr/lib/security/pam_seos.sl
- Ensure that the local seosdb holds a loginappl record for sshd. Add the record in selang:
  PAMSC> nr loginappl SSHD loginpath(/usr/sbin/sshd) loginseq(SGRP SUID) defaccess(x)
- The number of failed logins each user is allowed before being revoked can be set in seos.ini:
  [serevu]
  def_fail_count = 3
- To start serevu automatically upon seload, add the following to seos.ini:
  [daemons]
  serevu = yes

With this configuration in place, any failed login from an SSH client is recorded in /opt/CA/PAMSC/log/pam_seos_failed_logins.log, and the data flows as follows:
- sshd signals PAM that a failed login occurred.
- PAM Server Control intercepts the PAM signal and writes the information to pam_seos_failed_logins.log.
- serevu periodically scans that log and acts accordingly.
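As an added example, not part of PAM Server Control's own tooling, the following Python script checks that the file-based settings above are present in copies of seos.ini, sshd_config and pam.conf, so a broken link in the sshd -> PAM -> pam_seos -> serevu chain is found before the first real failed login. The seos.ini parser is a minimal assumption (section headers, key = value, ';' comments), the seosdb loginappl record is not covered because it needs selang, and the sample inputs are constructed.

```python
import re

# Settings this topic requires, as given in the steps above.
PAM_SEOS_MODULE = "/usr/lib/security/pam_seos.sl"
SEOS_INI_TOKENS = {("pam_seos", "serevu_use_pam_seos"): "yes",
                   ("daemons", "serevu"): "yes"}

def parse_ini(text):
    """Minimal [section] / key = value parser for seos.ini-style text."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # assumption: ';' starts a comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section is not None:
            key, val = (p.strip() for p in line.split("=", 1))
            values[(section, key.lower())] = val
    return values

def check_seos_ini(text):
    values = parse_ini(text)
    return ["seos.ini: [%s] %s = %s missing" % (s, k, want)
            for (s, k), want in SEOS_INI_TOKENS.items()
            if values.get((s, k), "").lower() != want]

def check_sshd_config(text):
    # sshd honours the first occurrence of a keyword; keywords are case-insensitive, arguments are not.
    for raw in text.splitlines():
        m = re.match(r"\s*UsePAM\s+(\S+)", raw, re.IGNORECASE)
        if m:
            return [] if m.group(1) == "yes" else ["sshd_config: UsePAM is not yes"]
    return ["sshd_config: UsePAM yes missing, sshd will not signal PAM"]

def check_pam_conf(text):
    # /etc/pam.conf fields: service type control module-path [arguments]
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()
        if len(f) >= 4 and f[0] == "sshd" and f[1] == "auth" and f[3] == PAM_SEOS_MODULE:
            return []
    return ["pam.conf: 'sshd auth optional %s' missing" % PAM_SEOS_MODULE]

def check_all(seos_ini, sshd_config, pam_conf):
    """All missing or wrong settings; an empty list means sshd -> PAM -> pam_seos -> serevu is wired up."""
    return check_seos_ini(seos_ini) + check_sshd_config(sshd_config) + check_pam_conf(pam_conf)

if __name__ == "__main__":  # constructed sample where UsePAM was left at 'no'
    print(check_all("[pam_seos]\nserevu_use_pam_seos = yes\n[daemons]\nserevu = yes\n",
                    "#UsePAM yes\nUsePAM no\n", "sshd auth optional %s\n" % PAM_SEOS_MODULE))
```

On a real host, read /etc/seos.ini, /etc/opt/ssh/sshd_config and /etc/pam.conf and pass their contents to check_all.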