
Is there a way to limit the number of su attempts from a user?

For example, a malicious user gets into a user login that has su access and repeatedly runs su to try to gain superuser access.

This example would be a rare occurrence, but it still seems like a good idea to add protection against it.

Attempting Faillock:

I added the following lines to /etc/pam.d/su to test it:

auth        required       pam_faillock.so preauth silent audit deny=1 unlock_time=120
auth        sufficient     pam_unix.so nullok try_first_pass
auth        [default=die]  pam_faillock.so authfail audit deny=1 unlock_time=120
account     required       pam_faillock.so

However, it doesn't lock anyone out. I was monitoring via faillock and I saw:

# faillock
user:
When                Type  Source                                           Valid
root:
When                Type  Source                                           Valid
2015-01-30 20:55:05 TTY   pts/1                                                V
2015-01-30 20:55:20 TTY   pts/1                                                V

However, this entry is under root (so would it lock down the root user for everyone?) and this entry has no effect on su.

030
Devon
  • Which OS do you use? – 030 Jan 30 '15 at 19:18
  • @utrecht CentOS6/RHEL6 primarily right now. – Devon Jan 30 '15 at 19:41
  • [Faillock](http://serverfault.com/questions/594025/account-lockout-with-pam-faillock-in-rhel6) is the preferred PAM module for limiting authentication attempts under [EL6](https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-Security_Guide-Securing_Your_Network.html#sect-Security_Guide-Workstation_Security-Administrative_Controls) and [EL7](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/chap-Hardening_Your_System_with_Tools_and_Services.html#sec-Locking_User_Accounts_After_Failed_Login_Attempts). – Aaron Copley Jan 30 '15 at 20:47
  • Also, configuring as described will affect `su` due to the include statement in `/etc/pam.d/su`. You will also lock against SSH and console attempts, etc. If you want to ONLY affect `su`, make the changes in this file *prior* to the include. – Aaron Copley Jan 30 '15 at 20:49
  • @AaronCopley, thanks for pointing me to faillock, but it doesn't work as expected. Maybe I'm doing something wrong. I updated my question with more info about it. – Devon Jan 31 '15 at 01:49
  • Sorry, I didn't have long to mess with it, but I didn't get it to work in `/etc/pam.d/su` on the first go. That pam_unix.so line is part of your problem, though. That line is for the `system-auth` file. They are showing where to insert the two faillock lines on either side of it. You won't need that line in `/etc/pam.d/su`. I'll have to try again later. – Aaron Copley Jan 31 '15 at 23:14
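The question's faillock output shows the tally recorded under root (the account su authenticates *to*), not under the user running su. The following is an added example, not code from the question or from any of the commenters: it parses `faillock` output in the layout shown above and reports which accounts would currently be locked under a given `deny=` / `unlock_time=` policy, using a simplified model of pam_faillock's counting (failures inside a `fail_interval` window count; the lock lasts `unlock_time` seconds after the last counted failure). The sample output, the extra `pts/2` record, and the `fail_interval` default are constructed for this example.

```python
"""Parse `faillock` output and evaluate a deny/unlock_time policy against it.

Added example, not part of the original question or answers. The model of
pam_faillock's behaviour here is a deliberate simplification: a failure is
counted if it is marked valid (V) and younger than fail_interval seconds;
an account is reported locked when at least `deny` such failures exist and
the newest of them is younger than unlock_time seconds.
"""
import sys
from datetime import datetime, timedelta

# Constructed sample in the same layout the question shows; the pts/2 line
# (marked I = invalid) is added to show that invalid records are ignored.
SAMPLE = """\
user:
When                Type  Source                                           Valid
root:
When                Type  Source                                           Valid
2015-01-30 20:55:05 TTY   pts/1                                                V
2015-01-30 20:55:20 TTY   pts/1                                                V
2015-01-30 20:40:00 TTY   pts/2                                                I
"""


def parse_faillock(text):
    """Return {account: [(when, type, source, valid_bool), ...]}.

    Accounts with no records (like "user:" above) are kept with an empty list.
    """
    records = {}
    account = None
    for line in text.splitlines():
        if not line.strip():
            continue
        # An account header is a bare "name:" line.
        if line.endswith(":") and not line.startswith(" "):
            account = line[:-1]
            records.setdefault(account, [])
            continue
        if line.startswith("When"):
            continue  # column header line
        if account is None:
            raise ValueError("record before any account header: %r" % line)
        parts = line.split()
        # Date and time are two whitespace-separated tokens.
        when = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        typ, source, valid = parts[2], parts[3], parts[4]
        records[account].append((when, typ, source, valid == "V"))
    return records


def locked_accounts(records, deny, unlock_time, now, fail_interval=900):
    """Accounts that would be locked at `now` under the given policy.

    Returns {account: number_of_counted_failures}. deny <= 0 is treated as
    "no limit" (constructed choice for this example).
    """
    if deny <= 0:
        return {}
    window = timedelta(seconds=fail_interval)
    unlock = timedelta(seconds=unlock_time)
    out = {}
    for account, entries in records.items():
        recent = [when for when, _typ, _src, valid in entries
                  if valid and timedelta(0) <= now - when <= window]
        if len(recent) < deny:
            continue
        if now - max(recent) < unlock:
            out[account] = len(recent)
    return out


if __name__ == "__main__":
    # Pipe real output in (`faillock | python3 this.py`) or run on the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    recs = parse_faillock(text)
    locked = locked_accounts(recs, deny=1, unlock_time=120, now=datetime.now())
    for account, count in sorted(locked.items()):
        print("%s: locked (%d counted failure(s))" % (account, count))
    if not locked:
        print("no accounts locked")
```

Run against the sample with `deny=1 unlock_time=120` shortly after the two failures, it reports root as locked with two counted failures, which is exactly the effect the question worries about: anyone attempting su to root would be refused for the unlock period, because the tally belongs to root.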

1 Answer


A little Googling results in a link to this documentation:

Task: Set Maximum Number of Login Failures

    The -m option allows you to set the maximum number of login failures after 
    which the account is disabled to a specific number called MAX. Selecting a MAX value 
    of 0 has the effect of not placing a limit on the number of failed logins.
    The maximum failure count should always be 0 for root to prevent a denial of
    services attack against the system:
    # faillog -M MAX -u username
    # faillog -M 10 -u vivek

and this documentation:

faillog    
faillog -u <user> -r
faillog -u oracle -m 0
/var/log/faillog
faillog -u <user> -m -1

However, executing faillog on CentOS7. According to this Q&A, pam_tally2 replaces the faillog command.

deny=n
    Deny access if tally for this user exceeds n.
030
  • I would assume, since it is su, that would not be useful since it would need to be set on the root user and therefore would disable access to the whole root user rather than just disabling the user attempting to su. – Devon Jan 30 '15 at 18:48
  • @AaronCopley In my opinion, the comments regarding `faillock` are not comments to this answer but should be posted in a new answer to this question. – 030 Jan 30 '15 at 20:43
  • Sorry, I thought I was posting as a comment to the question - not your answer! I was directing him to another question and answer as it's a duplicate. – Aaron Copley Jan 30 '15 at 20:44