Without pam_tally protection, remote attackers will attempt thousands of different passwords, and may eventually guess the right password:
Aug 1 04:05:54 server sshd[744]: Failed password for root from 192.0.2.9 port 29198 ssh2
…
The pam_tally module for Pluggable Authentication Modules (PAM) slows brute force attacks by locking an account once its number of failed logins exceeds a defined threshold. Assuming hourly resets of locked accounts, attackers can only attempt a handful of passwords each hour.
Authentication mechanisms that bypass the PAM stack do not benefit from pam_tally protection; mod_auth_kerb (Kerberos authentication for Apache) is one example.
Use defense in depth. Additional measures against automated brute force attacks include:
- Configuration: disable password logins for root and other special user accounts; switch to public key authentication for OpenSSH, unless Kerberos or OpenAFS are involved:
# OpenSSH configuration - see sshd_config(5) for details
Protocol 2
LogLevel VERBOSE
PermitRootLogin without-password
- Firewalls: restrict or limit access to services via Virtual Private Network (VPN) and firewall rules.
- Log Analysis: automate log analysis and firewall reconfiguration to lock out attacking systems.
- Port Knocking: use port knocking to open otherwise blocked services.
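As an added example of the log analysis measure (this script is not part of the original page), the following Python counts sshd "Failed password" lines per source address and per account, using the log line format quoted above, and flags those that reach a threshold; the sample log lines and the threshold of 3 are constructed for the example.

```python
"""Tally sshd password failures per source address and per account."""
import re
from collections import Counter

# Matches the sshd log line format shown on the page; "invalid user" is the
# variant sshd logs when the account name does not exist.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = """\
Aug 1 04:05:54 server sshd[744]: Failed password for root from 192.0.2.9 port 29198 ssh2
Aug 1 04:05:57 server sshd[744]: Failed password for root from 192.0.2.9 port 29198 ssh2
Aug 1 04:06:01 server sshd[751]: Failed password for invalid user admin from 192.0.2.9 port 29210 ssh2
Aug 1 04:06:09 server sshd[760]: Failed password for root from 192.0.2.9 port 29231 ssh2
Aug 1 04:12:30 server sshd[802]: Failed password for alice from 198.51.100.7 port 41022 ssh2
Aug 1 04:13:02 server sshd[815]: Accepted publickey for alice from 198.51.100.7 port 41030 ssh2
"""


def tally_failures(lines):
    """Return (failures per source IP, failures per account name)."""
    by_ip, by_user = Counter(), Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:  # successful logins and unrelated lines are ignored
            by_ip[m.group("ip")] += 1
            by_user[m.group("user")] += 1
    return by_ip, by_user


def offenders(counter, threshold):
    """Keys whose failure count reached the threshold (the role that the
    deny= option plays for pam_tally), sorted for stable output."""
    return sorted(k for k, n in counter.items() if n >= threshold)


if __name__ == "__main__":
    ips, users = tally_failures(SAMPLE_LOG.splitlines())
    # Addresses to hand to the firewall, accounts to expect to be locked.
    print("sources over threshold:", offenders(ips, 3))
    print("accounts over threshold:", offenders(users, 3))
```

Feed the script real syslog lines instead of SAMPLE_LOG to produce the address list that an automated firewall update would consume.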
RedHat Linux
RedHat and Fedora releases ship with pam_tally in the pam package. Adding pam_tally support to the PAM configuration files requires testing to ensure screen saver logins are still allowed.
$ rpm -ql pam | grep tally
/lib/security/pam_tally.so
/sbin/pam_tally
/usr/share/doc/pam-0.75/txts/README.pam_tally
The following configurations enable pam_tally by default in the global system-auth configuration file. This requires additional configuration for various screensavers that are incompatible with pam_tally. Another option would be to enable pam_tally only for sshd and other applications that might be brute forced, such as file transfer or mail services.
- system-auth - example /etc/pam.d/system-auth configuration with pam_tally support. Enables pam_tally by default.
- xscreensaver - example /etc/pam.d/xscreensaver configuration without pam_tally support, as xscreensaver does not work with pam_tally.
pam_tally on RedHat needs the /var/log/faillog file to exist; use a setup script or CFEngine to ensure that it does.
files:
redhat::
/var/log/faillog mode=0600 owner=root group=root action=create
Failed login record tallies should be reset periodically. Set up an hourly cron job to run the reset_failed_logins script. If running CFEngine, also have CFEngine reset the logins, in the event that crond has failed, as shown below.
shellcommands:
redhat::
"/usr/sbin/reset_failed_logins" ifelapsed=359
redhat.sys_startup::
"/usr/sbin/reset_failed_logins"
The tally should also be reset at system startup, as users may reboot their desktop system if unable to log in. By default, a restart does not clear the failure log file!
Allowing multiple authentication methods may increase the failed login count, especially where a user has no local pam_unix password and is instead authenticated by pam_krb5afs. In this case, increase the deny option of pam_tally to allow for these false failed logins.
…
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/pam_krb5afs.so try_first_pass ignore_root use_authtok
…
Mac OS X
As of 10.4.2 (Tiger), Mac OS X does not ship with pam_tally. The pam_tally code is part of the Linux-PAM project, and may be difficult to port. If installed, the module should exist under /usr/lib/pam:
$ ls /usr/lib/pam
pam_afpmount.so pam_permit.so pam_unix.so
pam_deny.so pam_rootok.so pam_uwtmp.so
pam_netinfo.so pam_securetty.so pam_wheel.so
pam_nologin.so pam_securityserver.so