Re: [incidents] SSH scans...

From: Tim Kennedy (tim_at_timkennedy.net)
Date: 12/20/04

    Date: Mon, 20 Dec 2004 20:01:05 +0000
    To: Dejan Markovic <dejanmarkovic@hotmail.com>
    
    

    Dejan & Incidents users,

    If you're running Linux, there is one easy limit within PAM that you can
    make, to prevent the unauthorized compromise of unused accounts.

    Most Linux distros ship with a PAM module called pam_succeed_if.so, in
    /usr/lib/security.

    You can use this to limit logins, by any number of characteristics, but
    login name is the one I use.

    So, in /etc/pam.d/sshd, in place of:
    account required pam_stack.so service=system-auth

    I add a line like:
    account sufficient pam_succeed_if.so login = username

    and comment out the system-auth line:
    account sufficient pam_succeed_if.so login = gbush
    account sufficient pam_succeed_if.so login = tblair
    account sufficient pam_succeed_if.so login = jhoward
    #account required pam_stack.so service=system-auth

    This limits logins to only the small number of users allowed to SSH in,
    and restricts other users, even if they have valid accounts. For
    instance, perhaps mail-only users, or something.

    -Tim

    -- 
    Tim Kennedy			||      There are 10 types of people on Earth.
    http://public.xdi.org/=tck	||      Those who understand binary,
    tim@timkennedy.net		||	and those who don't.
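
An added example, not part of the original message: a small audit of the `account` stack described above, reporting which logins are allowlisted and whether another active `account` rule would still let other users through. The sample file contents and the function names are constructed for illustration, and the model assumes any other active account module succeeds for a valid account.

```python
# Constructed sample of /etc/pam.d/sshd with the allowlist from the message.
SAMPLE = """\
auth     required   pam_stack.so service=system-auth
account  sufficient pam_succeed_if.so login = gbush
account  sufficient pam_succeed_if.so login = tblair
account  sufficient pam_succeed_if.so login = jhoward
#account required   pam_stack.so service=system-auth
session  required   pam_stack.so service=system-auth
"""

def account_rules(pam_text):
    """Yield (control, module, args) for each active 'account' line."""
    for raw in pam_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if len(fields) >= 3 and fields[0] == "account":
            yield fields[1], fields[2], fields[3:]

def audit(pam_text):
    """Return (allowlisted logins, True if another account rule can admit users)."""
    allowed, catch_all = set(), False
    for control, module, args in account_rules(pam_text):
        if module.endswith("pam_succeed_if.so"):
            # Only the exact form used in the message is recognised: login = NAME
            if control == "sufficient" and len(args) == 3 and args[:2] == ["login", "="]:
                allowed.add(args[2])
        elif control in ("required", "requisite", "sufficient"):
            # Assumption: any other account module (e.g. system-auth) passes
            # for every valid account, so the allowlist no longer restricts.
            catch_all = True
    return allowed, catch_all

def may_pass_account(pam_text, user):
    """Simplified model: would this login get through the account stack?"""
    allowed, catch_all = audit(pam_text)
    return catch_all or user in allowed

if __name__ == "__main__":
    allowed, catch_all = audit(SAMPLE)
    print("allowlisted:", sorted(allowed))
    print("catch-all account rule active:", catch_all)
```

If the system-auth line is left uncommented, the audit flags it, because users outside the allowlist would then fall through to it.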
    
