Security :: OpenLDAP / NSS / PAM Produce Logs Of Failed Login Attempts?
Feb 16, 2011
I am trying to get OpenLDAP to authenticate user logins, but running around in circles. Are there any logs produced by either client and/or server that would indicate possible reasons why it was unable to login as a user?Below is an explanation, any ideas would be appreciated, as I think everything is setup as per the various articles on using LDAP.
I have a CentOS 5.5 OpenLDAP server, and several others, some host services, some are file shares (samba).So far I have been able to successfully configure OpenLDAP to carry out all the ldap* commands from both the local server and from any of the remote servers, either via non-ssl or ssl connections. However, as soon as I try connecting any services up to it, it doesn't play ball.Back to basics, having cleared off all previous attempts at this from all machines, I have gone through the following:
Installed OpenLDAP server/client on host (plus nss_ldap).
Configured /etc/openldap/slapd.conf (see below)
Configured /etc/openldap/ldap.conf (see below)
went through the tutorial on FedoraSolved for securing ssh. I installed denyhosts with yum and then tried to run it with the command line command"sudo /etc/init.d/denyhosts start" but I got the message"Job Failed. See system logs and 'systemctl status' for details [FAILED]"and in the application "services" in the applications menu,t shows an exclamation warning and says that "This unit has failed"
I know this is probably easy and if I only took a while to figure it out maybe I could but I have some stuff that needs to happen soon and I can't figure this out. I was wondering how I could have a log monitor that would email me whenever someone tries to login over ssh to my system. I'm open to everything daemons/scripts or cron itl works as I am not running a production server (but I might be starting that soon). Oh and just a side how do I get sent an email when I get port scanned
I have an SSH server on my laptop, and I'm using the default configuration file, but I added "AllowUsers <myUserName>". I get lots of login attempts like the ones below in my /var/log/auth.log.From Google, I find that pam_winbind allows some kind of Windows authentication. This leaves me with 2 questions. What does winbind do when I have not configured any Windows/Samba accounts? How can I turn it off?
Code: Oct 23 20:01:49 muon sshd: User root from 18.104.22.168 not allowed because not listed in AllowUsers
I am running a ubuntu server 10.10 with SSH, and OpenVPN. I use it mainly for the VPN, but I have seen log in attempts such as:
Mar 22 14:52:53 UbuntuSvr sshd: Invalid user support from 22.214.171.124 Mar 22 14:52:55 UbuntuSvr sshd: Invalid user student from 126.96.36.199 Mar 22 14:52:57 UbuntuSvr sshd: Invalid user transfer from 188.8.131.52 Mar 22 14:52:59 UbuntuSvr sshd: Invalid user user from 184.108.40.206
Is it possible to make it so when some one has tried logging in 5 times with an invalid user/pass that the ip is banned for 10 minutes? I have password auth set to no and am using keys.
Does anyone know a method for setting the timeout period for failed logins on Linux RHEL5.x systems? Linux docs say to set the failed login delay paramter in /etc/login.defs to the desired seconds. I did this, but the settings have no effect, ie weather set to 2,4,10, etc, the actuall failed login timeout period(which I verified with a stopwatch), never changes.
I have tried and tried to get Ubuntu up and running again after a fatal crash. Unknown reason. I have burned several copies of Karmic and Jaunty, but the only one that will come up is an old copy of Jaunty Live CD. Chksum have matched on the disks and the disk integrity (the last time came up with 1 error, but it did not say where. I have used SystemRescue64, Rescue-remix for Karmic, MHDD, Ultimate boot disk, and have reformated and partitioned my 640GB drive. One partition is formated to EXT3 and the other is unallocated. Both testdisk and memtest show positive. No disk will complete a permanent install. At least one error shuts it down even after fixing broken packages and sometimes there are 3or 4 errors msgs. Last night the error was something in Open Office, I don't recall more than that. Here are the errors I picked out of todays logfiles. They are prety much in order as posted in the various logs:
Why is it that the darn printer keeps breaking on this thing (Ubuntu) ??? It's either every damn update that keeps messing this up. One computer is bad enough, I can't imagine having to take care of even five with this thing always screwing something up. What the hell is going on??? Yeah I'm tired of this thing always messing up the printer. Please fix this thing, separate the browsers if you have to, do whatever it takes, but please STOP messing up the printers...and I don't even print that often.Oh yeah, when you first start the OS up, the drive seems to go on for a while longer now. I only put the regular updates and don't tweak anything.
I am looking for a way to automatically block an ip address and add it to /etc/hosts.deny when they have 3 consecutive password failures or try connecting to a name that doesn't exist more than like twice to help limit the brute force attacks I am experiencing.Is there an easy way to do this already implemented in Ubuntu?
A few minutes ago I was using google chrome when suddenly the scroll-lock indicator on my keyboard turned on... I pressed the scroll-lock key, but nothing happened, the light remained. I opened a terminal and ran "top" to find what processes were running when I was automatically logged out. I logged back and checked the logs and found the following entries in my auth.log:
Code: CRON: pam_unix(cron:session): session opened for user root by (uid=0) CRON: pam_unix(cron:session): session closed for user root
Failed login attempts are logged to syslog with the user id or login id set to UNKNOWN_USER or UNSET.Anybody know if this is configurable. I would rather it just pass the actual id that the user used. Doesn't matter if it exist or not, just want to know if someone is guessing at user names and what those user names are
I googled this, to no avail. I've restarted cups, to no avail.This is a Networked Printer, but i have little doubt that can be ruled out as an issue.If i want to print an Image or Plain Text file, i get this error; if i print with OpenOffice, i do NOT get this error and it prints fine.I have also gotten a similar error, like "permission denied" or something, but i cannot recall exactly what it said, and cannot seem to recreate it at the moment.I have been getting this for quite some time now (months), but never found out why. Any ideas?
I installed Lucid (clean install after several attempts at upgrading from Karmic failed), and I have an Intel 8xx video card. I was able to get Lucid installed by adding "xforcevesa" into the command line at startup. Now I would like to try changing my computer away from Vesa and seeing if I can try to get the i915 driver working.
That being said, I cannot figure out where to go to change my kernel boot configurations. Every tutorial I've found refers me to /boot/grub/menu.lst which I cannot find. Ever since I moved from Karmic to Lucid, I've regretted it as it seems like all the How-To documentation is no longer valid, everything has been changed and moved around.
I don't know why it is dumping me onto Vesa, or why my stupid driver was blacklisted; everything was working fine under Hardy, Jaunty, and Karmic. Why problems now? Does anyone know how I can get into my boot setings and replace "xforcevesa" with something that will make the intel driver work?
How do I limit the max login attempts in the sshd_config file? I found a way to do it on Google some time back but I can't find it now. I have Denyhost already, but I really wanna do the "MAx Login Attempts" what ever it was that I was able to do in the config file.
I'm running the firestarter firewall and its been showing the odd ssh attempt quite often. e.g. I've had 4 attempts today, 3 in the last 40mins. I realize that this may be nothing to serious but it's got me curious, aside from having a secure password (which I have) is there anything that else that I can do to ensure that my system is as secure as possible from ssh? I do use ssh within my home network so I don't want to disable it completely.
Somehow an app on this box seems to have disappeared long ago which was configured to start immediatedly with a root login (eg su). Now, whenever upgrading permissions to root or logging (and assuming login as root), an error displays saying "cannot find <application>"
Considering root usually is different than other logins, am not sure where to start looking on an OpenSuSE box. I've tried without success
BASH -v to enable verbose mode before executing a "su." BASH --debugger to enable debugging mode before executing a "su."
Logout, Login as root and inspect /var/log/ hoping to find some logfile that audits the login sequence, but may be looking at a wrong logfile.