CentOS 6.0 no longer uses faillog for keeping track of failed login attempts. Here's an easy way to set up login tracking and SSH timeouts for PCI compliance, or just for a nicely secured system.
Firstly you want to edit /etc/ssh/sshd_config to set up a timeout for SSH. You want to change the following lines:

ClientAliveCountMax 3
ClientAliveCountMax is how many concurrent connections each user can have.
Then we want to edit /etc/pam.d/system-auth and add this line to the top of the auth list:

auth required pam_tally2.so deny=3 onerr=fail unlock_time=900
And then add this line to the top of the account list:

account required pam_tally2.so
Restart the SSH daemon, and now your users will be locked out if they have 3 failed password attempts. To reset this, you can simply run

pam_tally2 -u $username --reset
Next you want to create /etc/profile.d/autologout.sh and put the following lines in it:

TMOUT=300
readonly TMOUT
export TMOUT
Save that file and then

chmod +x /etc/profile.d/autologout.sh
This will log users out after 300 seconds (5 minutes) of inactivity. Log out and back in and you can test this yourself.
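As an added example (not from the original post), here is a small POSIX shell audit that checks whether the three controls above are actually in place under a root directory you pass in. It also requires ClientAliveInterval, an sshd directive not shown in the post, because ClientAliveCountMax only takes effect when that interval is non-zero; the sample tree it builds is constructed for an offline run.

```shell
#!/bin/sh
# Added audit helper (not from the original post). Checks the SSH keepalive
# timeout, the pam_tally2 lockout and the TMOUT auto-logout under "$1".
# Returns the number of failed checks, so 0 means everything is present.
check_hardening() {
    root="$1"; fails=0
    sshd="$root/etc/ssh/sshd_config"
    pam="$root/etc/pam.d/system-auth"
    prof="$root/etc/profile.d/autologout.sh"
    # 1. SSH keepalive: ClientAliveCountMax alone does nothing while
    #    ClientAliveInterval is 0 (the default), so both must be set.
    if grep -Eq '^[[:space:]]*ClientAliveInterval[[:space:]]+[1-9][0-9]*' "$sshd" 2>/dev/null &&
       grep -Eq '^[[:space:]]*ClientAliveCountMax[[:space:]]+[0-9]+' "$sshd" 2>/dev/null; then
        echo "PASS sshd ClientAliveInterval/ClientAliveCountMax set"
    else
        echo "FAIL sshd keepalive timeout not configured"; fails=$((fails + 1))
    fi
    # 2. pam_tally2 in the auth stack with a deny= threshold, and in account.
    if grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_tally2\.so.*deny=[0-9]+' "$pam" 2>/dev/null &&
       grep -Eq '^account[[:space:]]+required[[:space:]]+pam_tally2\.so' "$pam" 2>/dev/null; then
        echo "PASS pam_tally2 auth and account lines present"
    else
        echo "FAIL pam_tally2 lockout not configured"; fails=$((fails + 1))
    fi
    # 3. Shell timeout: TMOUT set, readonly and exported, file executable.
    if [ -x "$prof" ] && grep -Eq '^TMOUT=[1-9][0-9]*' "$prof" &&
       grep -q '^readonly TMOUT' "$prof" && grep -q '^export TMOUT' "$prof"; then
        echo "PASS autologout.sh sets a readonly TMOUT"
    else
        echo "FAIL autologout.sh missing or incomplete"; fails=$((fails + 1))
    fi
    return "$fails"
}
# Constructed sample tree mirroring the post's settings, for an offline run.
make_sample() {
    mkdir -p "$1/etc/ssh" "$1/etc/pam.d" "$1/etc/profile.d"
    printf 'ClientAliveInterval 300\nClientAliveCountMax 3\n' > "$1/etc/ssh/sshd_config"
    {
        echo 'auth required pam_tally2.so deny=3 onerr=fail unlock_time=900'
        echo 'auth required pam_unix.so'
        echo 'account required pam_tally2.so'
    } > "$1/etc/pam.d/system-auth"
    printf 'TMOUT=300\nreadonly TMOUT\nexport TMOUT\n' > "$1/etc/profile.d/autologout.sh"
    chmod +x "$1/etc/profile.d/autologout.sh"
}
# Stand-alone demo; pass / instead of the constructed tree to audit a live host.
demo=$(mktemp -d); make_sample "$demo"; check_hardening "$demo"; rm -rf "$demo"
```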