Chris Tyler - Fedora Linux

tty

Terminal device names (not useful in this context, so we'll use * to match all terminals).

users

A list of usernames, combined using ! (not), & (and), or | (or).

times

A list of days (any combination of Su , Mo , Tu , We , Th , Fr , or Sa or Wk for weekdays, Wd for weekends, or Al for all days) concatenated to a range of times, expressed in 24-hour format (such as 0600-1800 for 6 a.m. to 6 p.m., local time).

The default /etc/security/time.conf contains extensive notes on the line format.

To prevent all users other than root from connecting via SSH during evenings and weekends, place these lines in /etc/security/time.conf :

# Limit ssh for non-root users to 8 am to 5 pm on weekdays

sshd;*;!root;Wk0800-1700

Note that if there is no line in /etc/security/time.conf that applies to a particular connection, it is permitted by default. These restrictions also apply only when a user logs in; once logged in, the user may stay connected for as long as he chooses.

To place a time restriction on all types of loginwhether through SSH, a local character-mode virtual terminal, or the GUIplace the entry for the pam_time.so module in /etc/pam.d/system-auth instead of /etc/pam.d/sshd :

#%PAM-1.0

# This file is auto-generated.

# User changes will be destroyed the next time authconfig is run.

auth required pam_env.so

auth sufficient pam_unix.so nullok try_first_pass

auth requisite pam_succeed_if.so uid >= 500 quiet

auth required pam_deny.so

account required pam_time.so

account required pam_unix.so

account sufficient pam_succeed_if.so uid < 500 quiet

account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3

password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok

password required pam_deny.so

session required pam_limits.so

session required pam_unix.so

You can then create separate rules for each type of user access in /etc/security/time.conf :

# Character-mode login - Only root is permitted (any time).

login;*;!root;!Al0000-2400

# Remote login via ssh - Root is always permitted, other

# users are permitted 8 am to 5 pm on weekdays.

sshd;*;!root;Wk0800-1700

# Graphical-mode login - Not available to root.

gdm;*;root;!Al0000-2400

# Switching user via 'su' command - not permitted unless

# switching -to- the root user. Note that the root user

# can switch to any other user because of the pam_rootok.so

# module line in /etc/pam.d/su

su;*;!root;!Al0000-2400

The PAM module pam_abl.so from Fedora Extras provides the ability to blacklist (block access from) users and hosts that repeatedly send an incorrect password. This is useful in guarding against brute-force password attacks, where a remote system will simply try to log in over and over again with different password guesses until it is successful.

This module will not work successfully with gdm (graphical logins), so it must not be added to system-auth . To protect SSH logins (the best use of this module), add an entry for pam_abl.so module to /etc/pam.d/sshd :

#%PAM-1.0

auth required pam_abl.so config=/etc/security/pam_abl.conf

auth include system-auth

account include system-auth

password include system-auth

session include system-auth

session required pam_loginuid.so

The file /etc/security/pam_abl.conf is installed by the pam_abl RPM and contains this configuration:

# /etc/security/pam_abl.conf

# debug

host_db=/var/lib/abl/hosts.db

host_purge=2d

host_rule=*:10/1h,30/1d

user_db=/var/lib/abl/users.db

user_purge=2d

user_rule=!root:10/1h,30/1d

The host_rule line controls which hosts may be blacklisted and the number of failed login attempts that must be registered before blacklisting; the default configuration specifies that any host ( * ) may be blacklisted for more than 10 login failures in one hour ( 10/1h ), or more than 30 login failures in one day ( 30/1d ). The user_rule line similarly blacklists any user except root ( !root ) who has 10 failed login attempts in one hour or 30 failed login attempts in one day.

The host_purge and user_purge lines configure how quickly a blacklist entry is revoked; the default for both is two days.

When a login failure is recorded, the pam_abl.so module updates its database. You can query the database using the pam_abl command:

# pam_abl

Failed users:

Failed hosts:

Initially, no failed login attempts are recorded. As login failures occur, pam_abl will count and report them (in parenthesis):

# pam_abl

Failed users:

jane (1)

Not blocking

Failed hosts:

darkday (1)

Not blocking

Eventually, access from the host or user will be blocked:

# pam_abl

Failed users:

jane (11)

Blocking users [!root]

Failed hosts:

darkday (11)

Blocking users [*]

To re-enable access from a specific host or by a specific user, use the --okhost or --okuser arguments to pam_abl :

# pam_abl --okhost darkday

# pam_abl

Failed users:

jane (11)

Blocking users [!root]

Failed hosts:

Fedora uses the consolehelper program to control access to a number of system administration tools. It's consolehelper that asks you for the root password when you use many of the configuration menu options such as System→Administration→Network (or, equivalently, run system-config-network from the shell).

If you examine the system-config-network file, you'll see that it is actually a symbolic link to consolehelper :

$ type system-config-network

system-config-network is /usr/bin/system-config-network

$ ls -l /usr/bin/system-config-network

lrwxrwxrwx 1 root root 13 Mar 20 14:57 /usr/bin/system-config-network -> consolehelper

When consolehelper is invoked with another command name, it uses the PAM configuration in /etc/pam.d with the same name as the command entered. If the user runs system-config-network , then the PAM configuration /etc/pam.d/system-config-network is invoked, which looks like this:

#%PAM-1.0

auth include config-util