How to limit SSH remote sessions and session time timeouts in Linux

In a Linux environment, if you need to restrict users from entering the wrong password several times, lock his account so that it cannot log in.
Like controlling the robustness of passwords, we need to call the PAM module to complete the task.
This module is called: pam_tally2.so
This module can be understood as an attempt to log on the counter, and can be counted as a voucher, refused to reach the count you set the number of users login. This counter can be reset manually.
As with cracklib.so, we need to insert the module for both/etc/pam.d/system-auth and/etc/pam.d/password-auth to achieve the same effect for various login scenarios

1. Session Settings

(1) The number of times the login is prompted and ends the session automatically: very important, in Linux, as follows:
# Cat/etc/ssh/sshd_config | grep Maxauth
Maxauthtries 1//remote user logon 2 times through SSH connection failed to automatically end the session
The server has a disconnected with an error. Server message reads:
A protocol error occurred. Too Many authentication failures for root

(2) root can only be accessed from Tty1 and VC. It is recommended to only allow root to log on from a TTY or VC, and if more devices are required to log on, use the SU command to convert to root.
OpenSSH should prohibit the use of protocol 1, no root direct login
/etc/ssh/sshd_config
Protocol 2
Maxauthtries 1
Permitrootlogin no//does not allow the root user to log on with SSH
Strictmodes Yes
Permitemptypasswords no//Do not allow login with a blank password
Printlastlog Yes

Root does not log on, when other users log on, add a password, and when the user is specific how to:
Useradd Jackxiang
Forget the password, you have to have root to modify it:
[Email protected]:/root# su Root
Password:
[Email protected]:~# passwd Jackxiang
Change the password for the user Jackxiang.
New Password:
Service sshd Restart

Prohibit some users from using SSH telnet: http://www.myhack58.com/Article/48/66/2011/30887.htm

Vim/etc/pam.d/sshd
In the first line, add auth required pam_listfile.so item=user sense=deny file=/etc/sshdusers onerr=succeed, note that you must be in the first line, because the order of execution in Pam It's top priority.

Vim/etc/sshdusers

Add root WP to a file, root and WP are two Local users

Service sshd Restart

In another terminal test

[[email protected] ~]# ssh clone1.rhel.com
[email protected] ' s password:
Permission denied, please try again.
[email protected] ' s password:
Permission denied, please try again.
[email protected] ' s password:
Permission denied (Publickey,gssapi-with-mic,password).

[[email protected] ~]$ ssh clone1.rhel.com
[email protected] ' s password:
Permission denied, please try again.
[email protected] ' s password:
Permission denied, please try again.
[email protected] ' s password:
Permission denied (Publickey,gssapi-with-mic,password).
SSH is not available for two users. Oh, the purpose of achieving




(3) [Email protected]:~# cat/etc/login.defs | grep PASS | Grep-v ^#
Pass_max_days 99999
Pass_min_days 0
Pass_min_len 5
Pass_warn_age 7

Pass_max_days 90//Password Max use date 90 days
Pass_min_days 0//If set to 2, the password can be changed after 2 days, that is, the minimum number of days to keep the password
Pass_min_len 8//password Minimum length 8 bit
Pass_warn_age 7//7 days before password expiration warning

(4)
Umask is at least 027, preferably 077.
[[email protected] ~]# grep UMASK/ETC/BASHRC
Umask 077
Umask 077
[Email protected] ~]#. /etc/bashrc
[Email protected] ~]# umask
0077
[[email protected] ~]# Touch 3.txt
[email protected] ~]# ll 3.txt
-RW-------1 root root 0 Apr 8 00:11 3.txt

(5)
Check to see if the system is minimized, starting at a running level of 3

See if/ETC/PAM.D/SU contains the following two lines
Auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth Sufficient pam_wheel.so Trust Use_uid
# Uncomment the following line to require a user to being in the "wheel" group.
Auth Required pam_wheel.so Use_uid//The comments above have been made clear, without commenting the following line, then SU to other users must be in the wheel group


(6) Turn off the Telnet service, redhat the default is to turn off the Telnet service
[Email protected] ssh]# NETSTAT-TNLP | Grep:23
[Email protected] ssh]# cd/etc/xinetd.d/
[[email protected] xinetd.d]# ls telnet*
ls:telnet*: No file or directory
If there is a Telnet service, change the Telnet file in this directory to Disable=yes
[Email protected] xinetd.d]# Tail-n 2/etc/xinetd.d/krb5-telnet | Head-n 1
Disable = yes
[Email protected] xinetd.d]# service xinetd restart
Stop xinetd: [OK]
Start xinetd: [OK]

=============================================================
The above is what I summed up from url:http://lhf0616.blog.51cto.com/2920914/538453, I pasted the original text:
[[Email protected] Desktop]# awk-f: ' ($2== "") {print '} '/etc/shadow//Check empty password account
Zhang3
[Email protected] Desktop]# tail-n 1/etc/shadow | Head-n 1//-f: is a colon as a delimiter, ($2== "" means that the 1th and 2nd colons are empty, that is, the empty password account, {print} prints out the user name
Zhang3::15071:0:99999:7:::
Check your account
[[Email protected] Desktop]# PWCK
User adm: Directory/var/adm does not exist
User news: Directory/etc/news does not exist
User uucp: Directory/VAR/SPOOL/UUCP does not exist
User gopher: Directory/var/gopher does not exist
User pcap: Directory/var/arpwatch does not exist
User avahi-autoipd: Directory/VAR/LIB/AVAHI-AUTOIPD does not exist
User oprofile: Directory/home/oprofile does not exist
PWCK: No change


Password complexity and login failure policy
Logon failure processing should be enabled to take end sessions, limit illegal logons and automatic exit measures, passwords should be complex and regularly replaced
Requires mandatory remembering of 3 password histories
The password contains at least 1 digits, letters and other special characters (such as: #,@,! , $, etc.);
5 Remote Login Failures Auto End session
[Email protected] Desktop]# cat/etc/login.defs | grep PASS | Grep-v ^#
Pass_max_days 90//Password Max use date 90 days
Pass_min_days 0//If set to 2, the password can be changed after 2 days, that is, the minimum number of days to keep the password
Pass_min_len 8//password Minimum length 8 bit
Pass_warn_age 7//7 days before password expiration warning

[Email protected] pam.d]# Cat/etc/pam.d/system-auth | Tail-n 2 && grep ^ #password/etc/pam.d/system-auth
Password Required pam_cracklib.so difok=3 minlen=8 dcredit=-1,lcredit=-1 ocredit=-1 maxrepeat=3
Password Required pam_unix.so Use_authtok Nullok MD5
#password requisite pam_cracklib.so try_first_pass retry=3//Comment The password cannot be modified after this line
[Email protected] pam.d]# passwd
Changing password for user root.
Passwd:authentication information cannot be recovered

Modify the Login failure policy
[Email protected] ssh]# Cat/etc/ssh/sshd_config | grep Maxauth
Maxauthtries 1//remote user logon 2 times through SSH connection failed to automatically end the session
[[email protected] ssh]# ssh 192.168.0.90
[email protected] ' s password:
Permission denied, please try again.
[email protected] ' s password:
Received Disconnect from 192.168.0.90:2: Too Many authentication failures for root

Turn off the Telnet service, redhat the default is to turn off the Telnet service
[Email protected] ssh]# NETSTAT-TNLP | Grep:23
[Email protected] ssh]# cd/etc/xinetd.d/
[[email protected] xinetd.d]# ls telnet*
ls:telnet*: No file or directory
If there is a Telnet service, change the Telnet file in this directory to Disable=yes

[Email protected] xinetd.d]# Tail-n 2/etc/xinetd.d/krb5-telnet | Head-n 1
Disable = yes
[Email protected] xinetd.d]# service xinetd restart
Stop xinetd: [OK]
Start xinetd: [OK]
[Email protected] xinetd.d]# chkconfig xinetd on

OpenSSH should prohibit the use of protocol 1, no root direct login
/etc/ssh/sshd_config
Protocol 2
Maxauthtries 1
Permitrootlogin no//does not allow the root user to log on with SSH
Strictmodes Yes
Permitemptypasswords no//Do not allow login with a blank password
Printlastlog Yes

[Email protected] init.d]# pwd
/etc/rc.d/init.d
[[email protected] init.d]# chmod-r 750./can also be directly chmod-r/etc/init.d/*
[email protected] init.d]# LL | Head-n 2
Total 644
-rwxr-x---1 root root 1566 June 8 Acpid

Umask is at least 027, preferably 077.
[[email protected] ~]# grep UMASK/ETC/BASHRC
Umask 077
Umask 077
[Email protected] ~]#. /etc/bashrc
[Email protected] ~]# umask
0077
[[email protected] ~]# Touch 3.txt
[email protected] ~]# ll 3.txt
-RW-------1 root root 0 Apr 8 00:11 3.txt

Check to see if the system is minimized, starting at a running level of 3

See if/ETC/PAM.D/SU contains the following two lines
Auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth Sufficient pam_wheel.so Trust Use_uid
# Uncomment the following line to require a user to being in the "wheel" group.
Auth Required pam_wheel.so Use_uid//The comments above have been made clear, without commenting the following line, then SU to other users must be in the wheel group
[Email protected] pam.d]# gpasswd-a Oracle Wheel
Adding user Oracle to Group wheel
[[email protected] pam.d]# ID Oracle
uid=500 (Oracle) gid=500 (Oracle) groups=500 (Oracle), 0 (Root), ten (wheel) context=system_u:system_r:unconfined_t
[[email protected] pam.d]# ID zhang3
uid=501 (ZHANG3) gid=501 (zhang3) groups=501 (zhang3) context=system_u:system_r:unconfined_t
[Email protected] pam.d]# Su-zhang3
[[email protected] ~]$ Su-root//The following password input is correct
Password:
Su:incorrect Password
[Email protected] ~]$ su-oracle
Password:
Su:incorrect Password
[Email protected] ~]$ su-oracle
Password:
Su:incorrect Password
[Email protected] ~]$ su-oracle
Password:
Su:incorrect Password
[Email protected] ~]$
[Email protected] ~]$ su-oracle
Password:
[Email protected] ~]$ Su-root
Password:
[Email protected] ~]#

2 Operation Guide

2.1. Local Login user Reference configuration action
#cd/ETC/PROFILE.D
Perform
#vi autologout.sh
Add the following content:
tmout=600
ReadOnly Tmout
Export Tmout
Save exit, the system will automatically log out after 10 minutes of inactivity.

2.2. Telnet User Reference Configuration action
#vi/etc/ssh/sshd_config
Set the following content to:
Clientaliveinterval 600
Clientalivecountmax 0
This means that after 10 minutes of inactivity, the session is automatically logged out and ended.
Detection Method 1, the determination condition
Check if the account timeout is automatically logged out;
2. Detection operation
Cat/etc/ssh/sshd_config
Check two of these parameter settings:
Clientaliveinterval 600
Clientalivecountmax 0

(2) Execution: awk-f: ' ($ = = 0) {print $} '/etc/passwd
The return value includes entries other than "root", stating that there are other super users below the security requirements.
2. Detection operation
Execution: Awk-f: ' ($ = = 0) {print $} '/etc/passwd
The return value includes entries other than "root", stating that there are other super users;

The/etc/securetty file sets the root login TTY and VC (Virtual Console) devices. The/etc/securetty file is read by the login program (usually/bin/login). It is formatted to allow the list of TTY and VCs, commented out or not appearing on the device and does not allow root login.

How to limit SSH remote sessions and session time timeouts in Linux