display x failed login attempts since last successful login



todd_dsm
02-May-2014, 16:35
Hey guys, I have a specific customer requirement:
"The system must display the number of unsuccessful login attempts since the last successful login for a user account upon logging in."


There are many posts out there but they tend to vary greatly and my preference is to use the community-supported/endorsed method. Other considerations would be:

Users will only login via ssh/console;
# cat /etc/securetty
...
console
ttyS0
ttyS1
---

I'm terrible with PAMs and the common paths to achieve this are just confusing me. Any direction would be appreciated.

TT

mikewillis
03-May-2014, 11:08
Hey guys, I have a specific customer requirement:
"The system must display the number of unsuccessful login attempts since the last successful login for a user account upon logging in."



I've never implemented this myself, but openSUSE 13.1 does this for ssh logins and I just replicated it on SLED 11 SP3. (I don't have access to a SLES 11 SP3 install where I can mess with pam right now, but if it works on SLED it'll work on SLES. Though you do not indicate which version of SLES you are using.) Add this to the end of /etc/pam.d/sshd:


session optional pam_lastlog.so silent noupdate showfailed
I also had to manually create /var/log/btmp


$ touch /var/log/btmp
$ chmod 600 /var/log/btmp

As for non-graphical console logins, those which are handled by /etc/pam.d/login, openSUSE doesn't display failed attempts for such logins and I can't make SLED do it either. pam_lastlog is already mentioned in /etc/pam.d/login on both SLED 11 SP3 and SLES 11 SP3:


session optional pam_lastlog.so nowtmp

Adding 'showfailed' doesn't result in desired behaviour. Failed logins don't cause /var/log/btmp to be modified.


Section 3.33.3 of
https://www.suse.com/documentation/sles11/singlehtml/book_hardening/book_hardening.html
describes usage of pam_tally to record failed logins and faillog to display info about them. The tricky part would be getting the info displayed when someone logs in. You can't just call faillog in /etc/profile.local or similar because faillog can only be run by root. It might be possible to call a script with pam_exec which runs faillog as root to get info for $PAM_USER, though it might be fiddly to get it to display. pam_exec has a stdout option but I can only make that produce an error. The script could dump the info to a file and give the user logging in read permission, then its contents could be displayed via some other means. Inelegant though. If you need the information to be displayed for graphical logins, that might require an additional method.





Users will only login via ssh/console;
# cat /etc/securetty
...
console
ttyS0
ttyS1
---

I'm not clear if this is something you're stating is already in place or something you're looking for help with. Also that doesn't look like valid contents of an /etc/securetty file. This is what it looks like on one of my SLES 11 SP3 installs:

me@mine:~> cat /etc/securetty
#
# This file contains the device names of tty lines (one per line,
# without leading /dev/) on which root is allowed to login.
#
tty1
tty2
tty3
tty4
tty5
tty6
me@mine:~>
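The count that pam_lastlog's showfailed option prints comes from comparing the records in /var/log/btmp against the user's last successful login. The following is an added example, not code from the thread or from the pam_lastlog module: it parses raw wtmp/btmp bytes in the 384-byte glibc x86_64 struct utmp layout (an assumption; the layout differs on other platforms) and counts failed records newer than the last successful login, which it takes from wtmp rather than from /var/log/lastlog as pam_lastlog does. The sample log contents are constructed inline.

```python
import struct
from typing import Iterator, NamedTuple

# struct utmp as glibc lays it out on x86_64 (384 bytes, 32-bit ut_tv fields).
# Little-endian with explicit padding so parsing does not depend on the host.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS = 7  # ut_type of a successful, logged-in session in wtmp


class Record(NamedTuple):
    ut_type: int
    user: str
    line: str
    host: str
    tv_sec: int


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(data: bytes) -> Iterator[Record]:
    """Yield records from raw wtmp/btmp bytes; a trailing partial record is ignored."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        # f[0]=ut_type f[2]=ut_line f[4]=ut_user f[5]=ut_host f[9]=ut_tv.tv_sec
        yield Record(f[0], _cstr(f[4]), _cstr(f[2]), _cstr(f[5]), f[9])


def failed_since_last_login(user: str, wtmp: bytes, btmp: bytes) -> int:
    """Count btmp records for `user` newer than the user's last USER_PROCESS wtmp entry.
    Like lastb, every btmp record counts regardless of its ut_type."""
    last_ok = max((r.tv_sec for r in parse_utmp(wtmp)
                   if r.ut_type == USER_PROCESS and r.user == user), default=0)
    return sum(1 for r in parse_utmp(btmp) if r.user == user and r.tv_sec > last_ok)


def make_record(ut_type: int, user: str, line: str, host: str, tv_sec: int) -> bytes:
    """Build one record; used only to construct the sample logs below (pid is arbitrary)."""
    return struct.pack(UTMP_FMT, ut_type, 4242, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0, b"")


# Constructed sample data: todd last logged in at t=1000; of his three failures
# one predates that login and must not be counted. alice's failure predates hers.
SAMPLE_WTMP = make_record(USER_PROCESS, "todd", "pts/0", "10.0.0.5", 1000) + \
    make_record(USER_PROCESS, "alice", "pts/1", "10.0.0.6", 1500)
SAMPLE_BTMP = b"".join(make_record(6, u, "ssh:notty", "10.0.0.9", t) for u, t in
                       [("todd", 900), ("todd", 1100), ("alice", 1200), ("todd", 1300)])

if __name__ == "__main__":
    n = failed_since_last_login("todd", SAMPLE_WTMP, SAMPLE_BTMP)
    print(f"{n} failed login attempts since last successful login for todd")  # prints 2
```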