Linux – SSH Lockout after failed login attempts

linuxpamsshUbuntu

I have an Ubuntu Server for my git repositories and other stuff. Sometimes someone trying to hack it (I think it's ok for servers) and after few failed login attempts SSH is locking out. I mean no one can do anything via SSH for 5 minutes or so. For example – "git pull" ends with "Connection timed out".

Since I'm not a Linux guy I can't figure out where I can change lockout time. I found this in the /etc/pam.d/login

auth optional pam_faildelay.so delay=3000000
But this only 3 seconds delay after single failed attempt.

I didn't find any mentions of "tally" in /etc/pam.d. What else could it be?

Best Answer

@Orphans helped me with this hint:

/etc/fail2ban/jail.conf and add the IP you want "whitelisted" under "ignoreip"

Related Solutions

Ssh – How to automate SSH login with password

Don't use a password. Generate a passphrase-less SSH key and push it to your VM.

If you already have an SSH key, you can skip this step… Just hit Enter for the key and both passphrases:

$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.

Copy your keys to the target server:

$ ssh-copy-id id@server
id@server's password:

Now try logging into the machine, with ssh 'id@server', and check-in:

.ssh/authorized_keys

Note: If you don't have .ssh dir and authorized_keys file, you need to create it first

to make sure we haven’t added extra keys that you weren’t expecting.

Finally, check to log in…

$ ssh id@server

id@server:~$

You may also want to look into using ssh-agent if you want to try keeping your keys protected with a passphrase.

Account Lockout with Pam_Tally2 in RHEL6 – How to Configure

You also need ChallengeResponseAuthentication yes in /etc/ssh/sshd_config.

To display the error, pam needs a conversation function.

This option tells ssh to provide a more complete PAM conversation function, which covers amongst other things providing output and asking for arbitrary input (instead of just being handed over a password by sshd).

Edit: You'll want PasswordAuthentication no to make sure the password input always goes through this PAM conversation.

Best Answer

Related Solutions

Ssh – How to automate SSH login with password

Account Lockout with Pam_Tally2 in RHEL6 – How to Configure

Related Topic