Without pam_tally protection, remote attackers will attempt thousands of different passwords, and may eventually guess the right password:
Aug 1 04:05:54 server sshd: Failed password for root from 192.0.2.9 port 29198 ssh2
The pam_tally code for Pluggable Authentication Modules (PAM) slows brute force attacks by locking accounts after the number of failed logins exceeds a defined threshold. Assuming hourly resets on locked accounts, attackers will only be able to attempt a handful of passwords each hour.
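The effect of a threshold with hourly resets can be estimated by replaying sshd failure lines through a simple counter. This is an added example, not code from the original page or from Linux-PAM; the `deny=3` value, the reset at each clock-hour boundary, the function name `simulate_tally` and the sample log lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# sshd failure line as shown above; the [pid] and "invalid user" parts are optional.
FAILED = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+(?P<hour>\d{2}):\d{2}:\d{2}\s+\S+\s+"
    r"sshd(?:\[\d+\])?:\s+Failed password for (?:(?:invalid|illegal) user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample log (documentation addresses), not taken from a real host.
SAMPLE_LOG = """\
Aug  1 04:05:54 server sshd: Failed password for root from 192.0.2.9 port 29198 ssh2
Aug  1 04:05:57 server sshd: Failed password for root from 192.0.2.9 port 29201 ssh2
Aug  1 04:06:01 server sshd: Failed password for root from 192.0.2.9 port 29207 ssh2
Aug  1 04:06:04 server sshd: Failed password for root from 192.0.2.9 port 29212 ssh2
Aug  1 04:06:09 server sshd: Failed password for root from 192.0.2.9 port 29220 ssh2
Aug  1 05:00:12 server sshd[2211]: Failed password for root from 192.0.2.9 port 30110 ssh2
Aug  1 05:00:15 server sshd[2212]: Failed password for invalid user admin from 198.51.100.7 port 41002 ssh2
Aug  1 05:01:02 server sshd[2213]: Accepted publickey for alice from 192.0.2.20 port 50022 ssh2
""".splitlines()


def simulate_tally(lines, deny=3):
    """Replay failures per account, resetting the tally at every hour boundary.

    Simplified model (assumption): each failure increments the account's tally
    for that hour; once the tally exceeds `deny`, further attempts are rejected
    as locked instead of being evaluated as password guesses.
    """
    tally = defaultdict(int)  # (month, day, hour, user) -> failures this hour
    report = {}
    for line in lines:
        m = FAILED.match(line)
        if m is None:
            continue  # successful logins and unrelated lines do not count
        user = m["user"]
        entry = report.setdefault(user, {"guesses": 0, "locked_out": 0, "sources": set()})
        entry["sources"].add(m["src"])
        bucket = (m["mon"], m["day"], m["hour"], user)
        tally[bucket] += 1
        if tally[bucket] > deny:
            entry["locked_out"] += 1
        else:
            entry["guesses"] += 1
    return report


if __name__ == "__main__":
    for user, e in sorted(simulate_tally(SAMPLE_LOG).items()):
        print(f"{user}: {e['guesses']} guesses evaluated, "
              f"{e['locked_out']} rejected while locked, from {sorted(e['sources'])}")
```

Accounts whose `locked_out` count is high are the ones under sustained guessing, and their `sources` sets are candidates for the firewall and log-analysis measures listed below.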
Authentication mechanisms that bypass the PAM stack will not benefit from pam_tally protection. Examples include mod_auth_kerb (Kerberos authentication for Apache).
Use defense in depth. Additional measures to prevent automated brute force attacks include:
- Configuration: disable password logins for root and other special user accounts; switch to public key authentication for OpenSSH, unless Kerberos or OpenAFS are involved:
- Firewalls: restrict or limit access to services via Virtual Private Network (VPN) and firewall rules.
- Log Analysis: automate log analysis and firewall reconfiguration to lock out attacking systems.
- Port Knocking: use port knocking to open otherwise blocked services.
# OpenSSH configuration - see sshd_config(5) for details
Red Hat and Fedora releases ship with pam_tally in the pam package. Adding pam_tally support to the PAM configuration files requires testing to ensure screen saver logins are still allowed.
$ rpm -ql pam | grep tally
The following configurations enable pam_tally by default in the global system-auth configuration file. This requires additional configuration for various screensavers that are incompatible with pam_tally. Another option would be to only enable pam_tally support for sshd and other applications that might be brute forced, such as file transfer or mail services.
- system-auth - example /etc/pam.d/system-auth configuration with pam_tally support. Enables pam_tally by default.
- xscreensaver - example /etc/pam.d/xscreensaver configuration without pam_tally support, as xscreensaver does not work with pam_tally.
pam_tally on Red Hat needs the /var/log/faillog file to exist; a setup script or CFEngine should be used to ensure this file exists.
/var/log/faillog mode=0600 owner=root group=root action=create
Failed login record tallies should be reset periodically. Set up an hourly cron job to run the reset_failed_logins script. If running CFEngine, also have CFEngine reset the logins, in the event crond has failed, as shown below.
The tally should also be reset at system startup time, as users may reboot their desktop system if unable to login. By default, a restart does not clear the failure log file!
Allowing multiple authentication methods may increase the failed login counts, especially where the user has no local pam_unix password and also authenticates with pam_krb5afs. In this case, increase the deny option to pam_tally to account for the false failed logins.
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/pam_krb5afs.so try_first_pass ignore_root
As of 10.4.2 (Tiger), Mac OS X does not ship with pam_tally. The pam_tally code is part of the Linux-PAM project, and may be difficult to port. If installed, the module should exist under /usr/lib/pam:
$ ls /usr/lib/pam
pam_afpmount.so pam_permit.so pam_unix.so
pam_deny.so pam_rootok.so pam_uwtmp.so
pam_netinfo.so pam_securetty.so pam_wheel.so