pam_tally configuration tips

RedHat Linux | Mac OS X

Without pam_tally protection, remote attackers will attempt thousands of different passwords, and may eventually guess the right password:

Aug 1 04:05:54 server sshd[744]: Failed password for root from 192.0.2.9?
port 29198 ssh2
?

The pam_tally code for Pluggable Authentication Modules (PAM) slows brute force attacks by locking accounts after the number of failed logins exceeds a defined threshold. Assuming hourly resets on locked accounts, attackers will only be able to attempt a handful of passwords each hour.

Authentication mechanisms that bypasses the PAM stack will not benefit from pam_tally protection. Examples include mod_auth_kerb (Kerberos authentication for Apache).

Use defense in depth. Additional measures to prevent automated brute force attacks include:

RedHat Linux

RedHat and Fedora releases ship with pam_tally in the pam package. Adding pam_tally support to the PAM configuration files requires testing to ensure screen saver logins are still allowed.

$ rpm -ql pam | grep tally
/lib/security/pam_tally.so
/sbin/pam_tally
/usr/share/doc/pam-0.75/txts/README.pam_tally

The following configurations enable pam_tally by default in the global system-auth configuration file. This requires additional configuration for various screensavers that are incompatible with pam_tally. Another option would be to only enable pam_tally support for sshd and other applications that might be brute forced, such as file transfer or mail services.

pam_tally on RedHat needs the /var/log/faillog file to exist; a setup script or CFEngine should be used to ensure this file exists.

files:
redhat::
/var/log/faillog mode=0600 owner=root group=root action=create

Failed login record tallies should be reset periodically. Setup an hourly cron job to run the reset_failed_logins script. If running CFEngine, also have CFEngine reset the logins, in the event crond has failed, as shown below.

shellcommands:
redhat::
"/usr/sbin/reset_failed_logins" ifelapsed=359

redhat.sys_startup::
"/usr/sbin/reset_failed_logins"

The tally should also be reset at system startup time, as users may reboot their desktop system if unable to login. By default, a restart does not clear the failure log file!

Allowing multiple authentication methods may increase the failed login accounts, especially where there is no local pam_unix password for the user, when also authenticating with pam_krb5afs. In this case, increase the deny option to pam_tally to account for the false failed logins.

?
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/pam_krb5afs.so try_first_pass ignore_root?
use_authtok
?

Mac OS X

As of 10.4.2 (Tiger), Mac OS X does not ship with pam_tally. The pam_tally code is part of the Linux-PAM project, and may be difficult to port. If installed, the module should exist under /usr/lib/pam:

$ ls /usr/lib/pam
pam_afpmount.so pam_permit.so pam_unix.so
pam_deny.so pam_rootok.so pam_uwtmp.so
pam_netinfo.so pam_securetty.so pam_wheel.so
pam_nologin.so pam_securityserver.so