{"id":1038,"date":"2012-08-16T12:51:36","date_gmt":"2012-08-16T04:51:36","guid":{"rendered":"http:\/\/rmohan.com\/?p=1038"},"modified":"2012-08-16T12:51:36","modified_gmt":"2012-08-16T04:51:36","slug":"securing-sshd-on-centos-6","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=1038","title":{"rendered":"Securing SSHd on CentOS 6"},"content":{"rendered":"<p>CentOS6.0 no longer uses faillog for keeping track of failed login attempts. Here&#8217;s an easy way to get up login tracking, and SSH time outs for PCI compliance, or just for a nice secure system.<\/p>\n<p>Firstly you want to edit \/etc\/ssh\/sshd_config to set up a timeout for SSH. You want to change the following lines;<\/p>\n<div>\n<div id=\"highlighter_354811\">\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>1<\/div>\n<\/td>\n<td>\n<div>\n<div><code>ClientAliveCountMax 3<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>ClientAliveCountMax is how many concurrent connections each user can have.<\/p>\n<p>Then we want to edit \/etc\/pam.d\/system-auth and add this line to the top of the auth list;<\/p>\n<div>\n<div id=\"highlighter_669668\">\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>1<\/div>\n<\/td>\n<td>\n<div>\n<div><code>auth required pam_tally2.so deny=3 onerr=fail unlock_time=900<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>And then add this line to the top of the account list;<\/p>\n<div>\n<div id=\"highlighter_558474\">\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>1<\/div>\n<\/td>\n<td>\n<div>\n<div><code>account required pam_tally2.so<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>Restart the SSH Daemon, and now your users will be locked out if they have 3 failed password attempts. To reset this, you can simply run<\/p>\n<div>\n<div id=\"highlighter_916732\">\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>1<\/div>\n<\/td>\n<td>\n<div>\n<div><code>pam_tally2 -u $username --reset<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>Next you want to create \/etc\/profile.d\/autologout.sh and put the following lines in it<\/p>\n<div>\n<div id=\"highlighter_173970\">\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>1<\/div>\n<div>2<\/div>\n<div>3<\/div>\n<\/td>\n<td>\n<div>\n<div><code>TMOUT=300<\/code><\/div>\n<div><code>readonly<\/code> <code>TMOUT<\/code><\/div>\n<div><code>export<\/code> <code>TMOUT<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>Save that file and then<\/p>\n<div>\n<div id=\"highlighter_504973\">\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>1<\/div>\n<\/td>\n<td>\n<div>\n<div><code>chmod<\/code> <code>+x <\/code><code>\/etc\/profile<\/code><code>.d<\/code><code>\/autologout<\/code><code>.sh<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>This will log users out after 300 seconds (5 minutes). Relog and you can test this out yourself.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CentOS6.0 no longer uses faillog for keeping track of failed login attempts. Here&#8217;s an easy way to get up login tracking, and SSH time outs for PCI compliance, or just for a nice secure system.<\/p>\n<p>Firstly you want to edit \/etc\/ssh\/sshd_config to set up a timeout for SSH. You want to change the following lines;<\/p>\n<p> [&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/1038"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1038"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/1038\/revisions"}],"predecessor-version":[{"id":1039,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/1038\/revisions\/1039"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1038"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1038"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1038"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}