Is there a way to allow a login to happen only at a specific time?

14

7

Every weekday, I log into my VPS (Linux) at about the same time (between 8am and 9am) using PuTTY.

Is there a way to prevent or automatically fail all other login attempts at other times?

Hoytman

Posted 2014-07-01T14:09:06.060

Reputation: 305

Most people online recommend writing a pair of cron jobs that manipulate IPTables, so that your SSH port is only open between those hours. – Frank Thomas – 2014-07-01T14:13:39.740

Interesting. Could you tell me more about that? – Hoytman – 2014-07-01T14:16:47.427

Here's a good howto on IPTables: https://help.ubuntu.com/community/IptablesHowTo In crontab, you would create rules that ran a command to allow tcp\22, and another that blocks it. https://help.ubuntu.com/community/CronHowto

– Frank Thomas – 2014-07-01T16:42:58.940

Bear in mind that if something happens, you won't be able to access it at a different time – Bartlomiej Lewandowski – 2014-07-01T21:17:14.103

Unless you have a specific reason for needing to restrict logins to times, this is a bad idea. A secure password will be plenty if all you're trying to do is secure your machine. A Linux exploit will (most likely) bypass the login entirely, which makes this useless. Meanwhile, you will be restricting yourself to specific times. – Jon – 2014-07-02T04:35:49.173

Better use fail2ban – user84207 – 2014-07-02T07:03:05.700

@user84207 may be the same issue. If he locks himself out by this he won't be able to access the box anymore. – Samuel – 2014-07-02T07:10:27.753

Assuming that he errs his own password the default 6 times required for a ban, he'd still be able to access the box from another IP and unban himself. Or to access it directly. But, why would he err 6 times on his own password? That's the whole point of fail2ban. – user84207 – 2014-07-02T07:21:37.763

I agree, fail2ban is essential for public-facing SSH. It won't protect against some of the very slow botnet-driven distributed brute-force attacks, but for that kind of adversary, there's little to be done on the services layer anyway. – Frank Thomas – 2014-07-02T11:35:47.433

Answers

21

See this manpage for time.conf

* ; * ; user1 ; Wd0000-2400 | Wk1800-0800

would allow the user user1 evenings on weekdays (wk), and all days on weekends (wd), and deny them the rest of the time.

Yours would be something like:

* ; * ; * ; Al0800-0900

Frank Thomas

Posted 2014-07-01T14:09:06.060

Reputation: 29 039

Is the Wk1800-0800 rule correct in your example? If yes - does it mean the same as Wk0000-0800|Wk1800-2400 or Mo1800-2400|WkMo0000-0800|WkMo1800-2400|Sa0000-0800? – burtek – 2014-12-24T17:08:09.360

Yes, that rule came straight from the manpages, so I'm pretty confident it's right. Yes, it should be equivalent to your compound expression. As for your larger rule, are you trying to say: on Monday from 6p-12a, every weekday except Monday 12a-8a, every weekday except Monday from 6p-12a, and Saturdays from 12a-8p? The ruleset doesn't make entirely logical sense (why allow Monday, and then not allow Monday for the same time period). Note, be sure to use spaces around your pipes and semi's. bash can be particular about that. – Frank Thomas – 2014-12-25T01:44:44.093

Seems that you also have to edit the files in /etc/pam.d/. See the answer on https://ask.fedoraproject.org/en/question/7260/how-to-configure-user-restriction-with-pam-a-kind-of-parental-control/?answer=104977#post-id-104977

– erik – 2017-05-01T17:17:06.307
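
How the times field of time.conf is read, including the overnight range asked about in the comments, as an added example that is not part of the original answer or of pam_time itself. It is a Python model of the rules in the time.conf(5) man page (repeated days toggle, a finish time smaller than the start time applies to the following day); the function names and sample dates are made up for illustration, and the handling of the exact end minute is an assumption.

```python
import re
from datetime import datetime

# Two-letter day codes from time.conf(5); list index equals datetime.weekday().
DAYS = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]
GROUPS = {"Wk": DAYS[:5], "Wd": DAYS[5:], "Al": DAYS}

def day_set(codes):
    """Expand codes such as 'MoWk'; a day named twice is toggled off again."""
    days = set()
    for code in re.findall("..", codes):
        days ^= set(GROUPS.get(code, [code]))
    return {DAYS.index(d) for d in days}  # ValueError on an unknown code

def entry_matches(entry, when):
    """Test one entry such as '!Wk1800-0800' against a datetime."""
    m = re.fullmatch(r"(!?)((?:[A-Z][a-z])+)(\d{4})-(\d{4})", entry.strip())
    if not m:
        raise ValueError(f"bad time entry: {entry!r}")
    days, start, end = day_set(m[2]), int(m[3]), int(m[4])
    now, today = when.hour * 100 + when.minute, when.weekday()
    if start < end:  # window inside one day
        hit = today in days and start <= now < end
    else:  # finish before start: the window runs into the following day
        hit = (today in days and now >= start) or (
            (today - 1) % 7 in days and now <= end)
    return hit != bool(m[1])  # a leading '!' inverts the entry

def times_allow(spec, when):
    """Evaluate a whole times field: entries joined by | or &, left to right."""
    tokens = re.split(r"\s*([|&])\s*", spec.strip())
    result = entry_matches(tokens[0], when)
    for op, entry in zip(tokens[1::2], tokens[2::2]):
        hit = entry_matches(entry, when)
        result = (result or hit) if op == "|" else (result and hit)
    return result

if __name__ == "__main__":
    # Constructed sample times; 2014-07-01 was a Tuesday.
    samples = {"Tue 08:30": datetime(2014, 7, 1, 8, 30),
               "Tue 12:00": datetime(2014, 7, 1, 12, 0),
               "Sat 07:00": datetime(2014, 7, 5, 7, 0),
               "Mon 07:00": datetime(2014, 7, 7, 7, 0)}
    for spec in ("Al0800-0900", "Wk1800-0800", "Wd0000-2400 | Wk1800-0800"):
        for label, when in samples.items():
            print(f"{spec:28} {label}: {times_allow(spec, when)}")
```

In this model Wk1800-0800 admits Saturday 07:00 but not Monday 07:00, because the early-morning half of the range belongs to the day after each weekday.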