Re: [incidents] SSH scans...

From: Tim Kennedy (
Date: 12/20/04

  • Next message: Ben Nelson: "Re: SSH scans..."
    Date: Mon, 20 Dec 2004 20:01:05 +0000
    To: Dejan Markovic <>

    Dejan & Incidents users,

    If you're running Linux, there is one easy limit within PAM that you can
    make, to prevent the unauthorized compromise of unused accounts.

    Most Linux distros ship with a PAM module called, in

    You can use this to limit logins, by any number of characteristics, but
    login name is the one I use.

    So, in /etc/pam.d/sshd, in place of:
    account required service=system-auth

    I add a line like:
    account sufficient login = username

    and comment out the system-auth line:
    account sufficient login = gbush
    account sufficient login = tblair
    account sufficient login = jhoward
    #account required service=system-auth

    This limits logins to only the small number of users allowed to SSH in,
    and restricts other users, even if they have valid accounts. For
    instance, perhaps mail-only users, or something.


    Tim Kennedy
    There are 10 types of people on Earth.
    Those who understand binary,
    and those who don't.
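
As an added example (not part of the original message), this Python model walks the `account` lines from the message through Linux-PAM's `sufficient`/`required` rules, to show who is admitted with the system-auth line commented out and with it left active. The module paths are missing from the message, so the name matcher and the `system_auth_ok` flag are stand-ins, and `mailonly` is a constructed user.

```python
# Added example: model of Linux-PAM "account" stack evaluation.
# Lines use the abbreviated form from the message (module paths omitted).
ALLOWLIST_ONLY = """\
account sufficient login = gbush
account sufficient login = tblair
account sufficient login = jhoward
#account required service=system-auth
"""
# Variant: same lines, but with the system-auth line left active.
WITH_SYSTEM_AUTH = ALLOWLIST_ONLY.replace("#account", "account")

def parse(stack_text):
    """Return (control, condition) pairs for active 'account' lines."""
    rules = []
    for raw in stack_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        mtype, control, condition = line.split(None, 2)
        if mtype == "account":
            rules.append((control, condition))
    return rules

def module_ok(condition, user, system_auth_ok):
    """Stand-in module: 'login = X' matches the user name; any other
    line represents system-auth and returns system_auth_ok."""
    if condition.startswith("login"):
        return condition.split("=", 1)[1].strip() == user
    return system_auth_ok

def account_allowed(stack_text, user, system_auth_ok=True):
    """Evaluate the stack with 'sufficient' / 'required' semantics."""
    required_failed = False
    any_success = False
    for control, condition in parse(stack_text):
        ok = module_ok(condition, user, system_auth_ok)
        if control == "sufficient":
            if ok and not required_failed:
                return True            # stack succeeds, later lines skipped
            # a failed 'sufficient' is ignored and evaluation continues
        elif control == "required":
            any_success = any_success or ok
            required_failed = required_failed or not ok
    # If no module succeeded, the stack fails by default.
    return any_success and not required_failed
```

Because a matching `sufficient` line ends the stack, a listed user is admitted even when `system_auth_ok` is false, so whatever account checks system-auth performs no longer apply to the allowlisted names.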
