Re: [incidents] SSH scans...
From: Tim Kennedy (tim_at_timkennedy.net)
Date: Mon, 20 Dec 2004 20:01:05 +0000
To: Dejan Markovic <firstname.lastname@example.org>
Dejan & Incidents users,
If you're running Linux, there is one easy limit within PAM that you can
make, to prevent the unauthorized compromise of unused accounts.
Most Linux distros ship with a PAM module called pam_succeed_if.so, in
You can use this to limit logins, by any number of characteristics, but
login name is the one I use.
So, in /etc/pam.d/sshd, in place of:
account required pam_stack.so service=system-auth
I add a line like:
account sufficient pam_succeed_if.so login = username
and comment out the system-auth line:
account sufficient pam_succeed_if.so login = gbush
account sufficient pam_succeed_if.so login = tblair
account sufficient pam_succeed_if.so login = jhoward
#account required pam_stack.so service=system-auth
This limits logins to only the small number of users allowed to SSH in,
and restricts other users, even if they have valid accounts. For
instance, perhaps mail-only users, or something.
--
Tim Kennedy                || There are 10 types of people on Earth.
http://public.xdi.org/=tck || Those who understand binary,
email@example.com          || and those who don't.
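
An added example, not part of the original message: a small audit of the account stack described above, which extracts the pam_succeed_if.so allow-list, flags any active account line that users outside the list would still reach, and compares the list with passwd entries. The sample file contents, the mailonly account and the function name audit are constructed for illustration; accepting "user" as well as "login" for the field name is an assumption of this example.

```python
import re

# Constructed sample: the account stack from the post, as it would sit in /etc/pam.d/sshd.
SSHD_PAM = """\
account sufficient pam_succeed_if.so login = gbush
account sufficient pam_succeed_if.so login = tblair
account sufficient pam_succeed_if.so login = jhoward
#account required pam_stack.so service=system-auth
"""

# Constructed passwd entries; only gbush and tblair come from the post's list.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
gbush:x:500:500::/home/gbush:/bin/bash
tblair:x:501:501::/home/tblair:/bin/bash
mailonly:x:502:502::/home/mailonly:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
"""

# Matches the module arguments of an allow-list line: "<module> login = <name>".
ALLOW = re.compile(r"pam_succeed_if\.so\s+(?:login|user)\s+=\s+(\S+)")

def audit(pam_text, passwd_text):
    """Summarise who the account stack admits and what could bypass the list."""
    allowed, fallthrough = [], []
    for raw in pam_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # ignore comments and commented-out lines
        fields = line.split(None, 2)          # type, control flag, module + arguments
        if len(fields) < 3 or fields[0] != "account":
            continue
        m = ALLOW.match(fields[2])
        if fields[1] == "sufficient" and m:
            allowed.append(m.group(1))
        else:
            # A failed "sufficient" check is skipped, so users outside the
            # allow-list are evaluated by every other active account line.
            fallthrough.append(line)
    shells = {}
    for entry in passwd_text.splitlines():
        parts = entry.split(":")
        if len(parts) == 7:
            shells[parts[0]] = parts[6]
    interactive = {u for u, s in shells.items() if not s.endswith(("nologin", "false"))}
    return {
        "allowed": allowed,
        "fallthrough": fallthrough,                        # should be empty
        "blocked": sorted(interactive - set(allowed)),     # valid only if fallthrough is empty
        "unknown": sorted(set(allowed) - set(shells)),     # listed but no passwd entry
    }

if __name__ == "__main__":
    for key, value in audit(SSHD_PAM, PASSWD).items():
        print(f"{key}: {value}")
```

A non-empty "fallthrough" result means the allow-list is not the only gate, for example when the system-auth line was left active.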