Security Incidents mailing list archives

Re: [incidents] SSH scans...


From: Tim Kennedy <tim () timkennedy net>
Date: Mon, 20 Dec 2004 20:01:05 +0000


Dejan & Incidents users,

If you're running Linux, there is one easy limit within PAM that you can
make, to prevent the unauthorized compromise of unused accounts.

Most Linux distros ship with a PAM module called pam_succeed_if.so, in
/usr/lib/security.

You can use this to limit logins, by any number of characteristics, but
login name is the one I use.

So, in /etc/pam.d/sshd, in place of:
account         required        pam_stack.so service=system-auth

I add a line like:
account         sufficient      pam_succeed_if.so login = username


and comment out the system-auth line:
account         sufficient      pam_succeed_if.so login = gbush
account         sufficient      pam_succeed_if.so login = tblair
account         sufficient      pam_succeed_if.so login = jhoward
#account        required        pam_stack.so service=system-auth

This limits logins to only the small number of users allowed to SSH in, 
and restricts other users, even if they have valid accounts.  For
instance, perhaps mail-only users, or something.

-Tim

-- 
Tim Kennedy                     ||      There are 10 types of people on Earth.
http://public.xdi.org/=tck      ||      Those who understand binary,
tim () timkennedy net           ||      and those who don't.
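
The following is an added example, not part of the original message: a small Python model of how the account stack shown above resolves for a given login name, useful for checking an /etc/pam.d/sshd edit before relying on it. It assumes a simplified version of Linux-PAM's handling of sufficient, required and requisite; the function names and the account name "mailonly" are hypothetical.

```python
# Added example: simplified model of Linux-PAM "account" stack evaluation.
# Constructed sample input: the account lines from the message above.
SSHD_ACCOUNT = """\
account         sufficient      pam_succeed_if.so login = gbush
account         sufficient      pam_succeed_if.so login = tblair
account         sufficient      pam_succeed_if.so login = jhoward
#account        required        pam_stack.so service=system-auth
"""

def parse_account_stack(text):
    """Return (control, module, args) for each active 'account' line."""
    stack = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) >= 3 and fields[0] == "account":
            stack.append((fields[1], fields[2], fields[3:]))
    return stack

def module_result(module, args, user):
    """True/False for 'pam_succeed_if.so login = NAME'; None if not modelled."""
    if module == "pam_succeed_if.so" and len(args) == 3 and args[:2] == ["login", "="]:
        return user == args[2]
    return None

def account_decision(text, user):
    """Return 'allow', 'deny' or 'unknown' (outcome depends on an unmodelled module)."""
    passed = failed = False
    for control, module, args in parse_account_stack(text):
        result = module_result(module, args, user)
        if result is None or control not in ("sufficient", "required", "requisite"):
            return "deny" if failed else "unknown"
        if control == "sufficient":
            if result and not failed:
                return "allow"      # success ends the stack immediately
            # a failing sufficient module is ignored; evaluation continues
        elif result:
            passed = True
        elif control == "requisite":
            return "deny"           # requisite failure ends the stack immediately
        else:
            failed = True           # required failure: keep going, deny at the end
    # An account stack in which no module succeeded is treated as a denial.
    return "allow" if passed and not failed else "deny"

if __name__ == "__main__":
    for name in ("gbush", "tblair", "mailonly"):   # 'mailonly' is constructed
        print(name, account_decision(SSHD_ACCOUNT, name))
```

If the system-auth line is left active after the three sufficient lines, the model returns "unknown" for an unlisted user, because that login falls through to whatever system-auth decides.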

