2017-02-19 (last updated at December 11th, 2019) Michael BoelenAuthentication 6 comments

Locking users after X failed login attempts with pam_tally2

Using pam_tally2 on Linux Most Linux distributions use pluggable authentication modules (PAM). This modular type of configuration allows system administrators to configure and fine-tune the authentication of users. It also defines the behavior on specific events, like providing an invalid user account or password. PAM can use these events to automatically take an action, like locking an account. Introduction to PAM The configuration of PAM is not that hard, but there are risks involved in the process of making changes. […]

2017-01-25 Michael BoelenAuthentication One comment

Configure the minimum password length on Linux systems

Linux and password strength One of the options to improve password security is by setting a minimum length. This prevents users from choosing easy passwords. As part of Linux system hardening, you don’t want your passwords to be cracked too quickly by modern password crackers. Configuration Login settings The first area where you can set a password length is in /etc/login.defs. The related setting is PASS_MINLEN and already tells us it is about the minimum length of a password. Modern Linux […]

2016-03-07 Michael BoelenSoftware Leave a comment

Find and Disable Insecure Services on Linux

Insecure Services on Linux The world has changed a lot in the last era, especially when it comes to computing. This applies also to the services we run on our Linux systems. Some of these services (like rlogin), were previously the defacto tools to do administration. Now they are considered to be bad and insecure. What makes a service insecure? Services can become insecure when they have characteristics like: No (or weak) authentication No (or weak) encryption Insecure protocols Running as […]

2015-12-23 (last updated at July 7th, 2018) Michael BoelenAuthentication 7 comments

Granting temporary access to your servers (using signed SSH keys)

In need of support from a colleague or vendor, but don’t want to give them permanent access? SSH has an option to allow temporary access! Next time you need to provide temporary access for an hour or day, use this great option. Configuration We have two machines for this purpose. One is a system running Arch Linux, the client system. The other one is a server, running Ubuntu Linux. For temporary support, we have created a functional account support on the […]