[Dshield] SSH Bots

Richard H. Fifarek richard.fifarek at noaa.gov
Tue Mar 7 14:04:33 GMT 2006



Jon R. Kibler wrote:
> I don't see any modules to this in default FC/4
> or Solaris 9/10 distros. Anyone know if this can be done and/or how to do it?

	The module that we use is pam_tally on RedHat/FC machines, part of the
pam rpm:

#> rpm -ql pam|grep tally
/lib/security/pam_tally.so
/sbin/pam_tally
/usr/share/doc/pam-0.77/txts/README.pam_tally

	Add/replace lines similar to the following to the beginning of /etc/pam.d/sshd:

auth       required     pam_tally.so no_magic_root
account    required     pam_tally.so deny=5 no_magic_root

	- no_magic_root exempts the root account from being locked, however
still maintains a count of failed logins.  root shouldn't be allowed in
via ssh anyhow.
	- deny=5 sets the failed logins to 5 before the account is locked.

	/sbin/pam_tally is the command line tool used to list locked accounts,
unlock locked accounts, etc.

	We've never tried this on Solaris, but I imagine it could be made to
work.  As other folks have mentioned, if you can, shared keys are a
better way to go.

- --
Richard Fifarek <richard.fifarek at noaa.gov>
Physical Sciences Division
NOAA/OAR/Earth System Research Laboratory
303.497.4338
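
A check for the configuration described in the message above, added here as an example and not part of the original post: it parses a PAM service file and reports where it deviates from the two pam_tally lines given (line missing, not at the beginning of its stack, no deny= threshold). The function names and both sample files are constructed for illustration.

```python
import re

# type, control (word or [bracketed list]), module path, arguments
PAM_LINE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return (type, control, module, args) per entry; comments are skipped."""
    entries = []
    for raw in text.splitlines():
        m = PAM_LINE.match(raw.split("#", 1)[0].strip())
        if m:
            mtype, control, path, args = m.groups()
            entries.append((mtype, control, path.rsplit("/", 1)[-1], args.split()))
    return entries

def audit_pam_tally(text):
    """List deviations from the pam_tally setup given in the post."""
    entries, findings = parse_pam(text), []
    for mtype in ("auth", "account"):
        stack = [e for e in entries if e[0] == mtype]
        tally = [e for e in stack if e[2] == "pam_tally.so"]
        if not tally:
            findings.append(f"{mtype}: no pam_tally.so line")
            continue
        if stack[0][2] != "pam_tally.so":
            findings.append(f"{mtype}: pam_tally.so is not the first {mtype} entry")
        if mtype == "account":
            deny = [a[5:] for a in tally[0][3] if a.startswith("deny=")]
            if not deny:
                findings.append("account: no deny=N, so no lockout threshold is set")
            elif not deny[0].isdigit() or int(deny[0]) < 1:
                findings.append(f"account: deny={deny[0]} is not a positive count")
    return findings

# Constructed sample files (not from the post), in FC-era pam_stack style.
AS_POSTED = """#%PAM-1.0
auth       required     pam_tally.so no_magic_root
account    required     pam_tally.so deny=5 no_magic_root
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
"""
INCOMPLETE = """#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_tally.so no_magic_root
account    required     pam_tally.so no_magic_root
"""

if __name__ == "__main__":
    for name, conf in (("AS_POSTED", AS_POSTED), ("INCOMPLETE", INCOMPLETE)):
        print(name, audit_pam_tally(conf) or "ok")
```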

