≡ Menu

login attempts

Debian Linux project released the OpenSSH security updates for computers powered by its Debian Linux operating systems. The Openssh package has remote unsafe signal handler DoS Vulnerability. It has been discovered that the signal handler implementing the login timeout in Debian's version of the OpenSSH server uses functions which are not async-signal-safe, leading to a denial of service vulnerability.

Systems affected by this issue suffer from lots of zombie sshd processes. Processes stuck with a "[net]" process title have also been observed. Over time, a sufficient number of processes may accumulate such that further login attempts are impossible. Presence of these processes does not indicate active exploitation of this vulnerability.

Package        : openssh
Vulnerability  : remote
Problem type   : unsafe signal handler
Debian-specific: no
CVE Id(s)      : CVE-2008-4109
Debian Bug     : 498678

How do I fix this problem?

Login as root and type the following commands to update the internal database, followed by corrected packages installation:
# apt-get update
# apt-get upgrade

Under CentOS Linux it is possible to lock out a user login after failed login attempts. This is a security feature. You can also automatically unlock account after some time.

pam_tally - login counter (tallying) module

This module maintains a count of attempted accesses, can reset count on success, can deny access if too many attempts fail.

/etc/pam.d/system-auth

Use /etc/pam.d/system-auth configuration file to configure attempted login accesses and other related activities. Append following AUTH configuration to /etc/pam.d/system-auth file:
auth required pam_tally.so onerr=fail deny=5 unlock_time=21600
Where,
(a)deny=5 - Deny access if tally for this user exceeds 5 times.

(b) unlock_time=21600 - Allow access after 21600 seconds (6 hours) after failed attempt. If this option is used the user will be locked out for the specified amount of time after he exceeded his maximum allowed attempts. Otherwise the account is locked until the lock is removed by a manual intervention of the system administrator.

(c) onerr=fail - If something weird happens (like unable to open the file), return with PAM_SUCESS if onerr=succeed is given, else with the corresponding PAM error code.

Default file /var/log/faillog is used to keep login counts.

The above PAM module is part of all Linux distribution and configuration should work with any Linux distribution.

See also:

  1. man pages faillog, pam.conf, pam.d, pam, and pam_tally
  2. pam_tally - login counter (tallying) module documentation.
  3. CentOS Linux project

Linux How do I display failed login attempt?

/var/log/faillog is a log file for failed login attempts. This file maintains a count of login failures and the limits for each account. The file is fixed length record, indexed by numerical ID. Each record contains the count of login failures since the last successful login; the maximum number of failures before the account is disabled; the line the last login failure occurred on; and the date the last login failure occurred. Since data is in binary format you need to use faillog command to display failed login attempt.

How do I use faillog?

To display failed login attempt for user root with following command:
$ faillog -u root
Output:

Login       Failures Maximum Latest                   On
root            0        0   02/17/06 14:49:52 +0530  tty1

To display all failed login attempt try:
$ faillog -a
Output:

Login       Failures Maximum Latest                   On
root            0        0   02/17/06 14:49:52 +0530  tty1
rocky           0        0   02/27/06 22:05:03 +0530  tty1
usr1            2        0   02/16/06 15:05:01 +0530  tty2

See also: