Would this be best done through PAM?
Can we get a bit of background? What are you trying to protect against? – Bittrance Mar 21 '11 at 22:15

It would be best not done. Limiting SSH authentication failures, sure, but connections? Why? – ceejayoz Mar 21 '11 at 23:56

Agreed with the others - asking how to do a rather unusual configuration without providing background and assurance that this is actually what you want to do probably won't get you a meaningful answer. – growse Mar 22 '11 at 00:28

Daily amount of what? CPU time? Login time? Number of connections? Bandwidth used? Why would be nice too, because it is possible someone else solved the problem, and they may have chosen a different (possibly better, possibly worse) approach. – Slartibartfast Mar 22 '11 at 04:56

I'm not trying to protect against anything. This is simply out of curiosity. @Slartibartfast - Number of connections. Not sure how that was in any way vague. – atx Mar 22 '11 at 09:42

Answering this question is rather difficult because the question is vague. As others pointed out, more information would help. – blueben Mar 27 '11 at 02:20

There is no reason for there to be any more information; had I said 'Limiting ssh connections within a 10 minute range', that would simply be no different, just that the time has been changed to a single day. If you don't know the answer - move along. David's answer seems to be best here, but I'll see what other people come up with. – atx Mar 28 '11 at 12:22
6 Answers
You can do this in many ways. You can limit how many times a user can connect via SSH by using the pam_tally (better pam_tally2) module with something like

    auth required pam_tally.so deny=10 unlock_time=60 per_user

which limits every user to 10 logins / minute.
This is of course not blocking the connection to the SSH daemon in any way. To do that you should use netfilter and the recent module

    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --hitcount 10 --seconds 20 -j DROP

which limits every host (regardless of a successful or unsuccessful login) to 10 connections every 20 seconds.
You can make PAM reset the iptables counter by writing a script (executed by pam_exec.so) which does echo "-IPaddress" > /proc/net/xt_recent/nameoftherecentlist, or add an untrusted host by doing the same but with echo "+IPaddress" > ...
More information can be found at: http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_tally.html and http://www.debian-administration.org/articles/187 and of course with the man command.

Looks like this is the best method. I'll mark it as the chosen answer if nobody comes up with anything else. – atx Mar 29 '11 at 09:17
I think PAM is the answer here, that's typically where you put any kind of system-wide authentication hooks.
I don't know of any existing PAM module that does what you want, but there is a module called pam_exec which lets you use an external script. You could write a script that accepts / rejects users on whatever criteria. This is definitely far easier than trying to implement your own module in C.
For this particular case your script can parse the output of last and count how many times the user has logged in today.

Not all logins are present in the lastlog, especially not when ssh -T is used. – atx Mar 27 '11 at 03:10

If lastlog isn't good enough, you can do your own accounting in your script. – Kamil Kisiel Mar 27 '11 at 03:19
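The two pam_exec ideas in the answers above (David's "reset the xt_recent counter from a PAM script" and Kamil's "do your own accounting in your script") combined into one hook script. This is an added example, not code from either answer: the install path /usr/local/sbin/ssh-daily-limit, the state directory, the xt_recent list name sshlimit and the default limit of 10 are all assumptions, and pam_exec's PAM_USER / PAM_RHOST environment variables are the only interface it relies on.

```shell
#!/bin/sh
# Hypothetical pam_exec hook (example, not from the original answers).
# Wire it up with a line such as (path is an assumption):
#   account required pam_exec.so /usr/local/sbin/ssh-daily-limit
# pam_exec exports PAM_USER and PAM_RHOST into the script's environment.

STATE_DIR="${STATE_DIR:-/var/lib/ssh-daily-limit}"         # assumed location of the accounting files
MAX_PER_DAY="${MAX_PER_DAY:-10}"                            # assumed default limit
RECENT_LIST="${RECENT_LIST:-/proc/net/xt_recent/sshlimit}"  # assumed name of the recent list used by iptables

# Append one record "YYYY-MM-DD host" to the user's accounting file.
record_login() {  # $1=user $2=host $3=date(YYYY-MM-DD)
    mkdir -p "$STATE_DIR"
    printf '%s %s\n' "$3" "$2" >> "$STATE_DIR/$1"
}

# Print the number of records for the given day; a missing file means zero.
count_logins() {  # $1=user $2=date
    [ -f "$STATE_DIR/$1" ] || { echo 0; return; }
    grep -c "^$2 " "$STATE_DIR/$1" || :   # grep -c prints 0 but exits 1 on no match
}

# Exit 0 (allow) if recording this login keeps the user within MAX_PER_DAY, 1 otherwise.
# The login is recorded either way, so repeated over-limit attempts keep counting.
check_login() {  # $1=user $2=host $3=date
    record_login "$1" "$2" "$3"
    n=$(count_logins "$1" "$3")
    [ "$n" -le "$MAX_PER_DAY" ]
}

# Remove the host from the netfilter "recent" list so that its own successful logins
# do not trip the connection-rate rule. Skipped silently when the list is not writable.
clear_recent() {  # $1=host
    [ -w "$RECENT_LIST" ] && printf '%s\n' "-$1" > "$RECENT_LIST"
    return 0
}

# Entry point when run by pam_exec (PAM_USER is set); inert when sourced for testing.
if [ -n "${PAM_USER:-}" ]; then
    today=$(date +%Y-%m-%d)
    if check_login "$PAM_USER" "${PAM_RHOST:-unknown}" "$today"; then
        clear_recent "${PAM_RHOST:-}"
        exit 0
    fi
    logger -t ssh-daily-limit "denied $PAM_USER from ${PAM_RHOST:-unknown}: over $MAX_PER_DAY logins today"
    exit 1
fi
```

Because the accounting file is written by the hook itself, it also covers the ssh -T case from the comment above, which never shows up in lastlog. The state directory should be writable only by root, since a user who can edit their own file can reset their count.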
To answer the question you asked:
Would this be best done through PAM?
No.
This is a completely unhelpful answer, and obviously untrue given numerous other answers spell out how PAM can help with this. – blueben Mar 27 '11 at 02:19

@blueben, if you want a better answer then you should suggest to the OP that he asks a better question. As for those "numerous other answers" that spell out how PAM can be used: I see just two that mention PAM and only one of those suggests that PAM is the way to go. My answer addresses the question. It is also correct in that PAM is *not* the best way to achieve the desired results. – John Gardeniers Mar 27 '11 at 08:33

If you look above, you will find that I did in fact suggest that the OP not be so vague. – blueben Mar 28 '11 at 07:12
Another slightly bizarre way, admittedly, could be to run a script in /etc/bash.bashrc or /etc/profile which counts logins in a 24hr period and drops them if they exceed a set number. Every time a shell is called by a user it simply increments.
You could do this via a sufficiently capable external load-balancer, something like a Zeus ZXTM, Cisco ACE or perhaps a Brocade/Foundry ServerIron.
OpenSSH sshd_config provides a variable to limit the number of concurrent unauthenticated connections alive... (MaxStartups) http://unixhelp.ed.ac.uk/CGI/man-cgi?sshd_config
But I assume you mean max number of open connections??
Ok assuming it is just the no of connections in a day you could do this in a cron job

    # count accepted sshd logins in the current log file
    ssh_sess_count=$(grep 'Accepted password' /var/log/secure | grep sshd | wc -l)
    if [ "$ssh_sess_count" -gt 10 ]
    then
        service ssh stop
    fi

Of course this assumes your settings for logrotate are to keep a logfile on a per day basis. And you will have to change the count and service name (depending on your box)
Now that should get me the 50 points huh??
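The cron-job idea above, written out as an added example that is not the answer's own code. Rather than relying on logrotate to start a fresh file every day, it filters the log by today's date and counts accepted logins per user, so the decision can be made per account instead of stopping the whole service. The sample log lines are constructed; the traditional syslog line layout ("Mon DD HH:MM:SS host sshd[pid]: Accepted ... for USER from HOST") is an assumption about how the box logs.

```shell
#!/bin/sh
# Added example: per-user count of accepted sshd logins for one day, read from an
# auth log on stdin. Not from the original answer.

# Constructed sample of /var/log/secure-style lines (not real log data).
SAMPLE_LOG='Mar 28 09:01:12 gw sshd[2011]: Accepted password for alice from 192.0.2.10 port 51234 ssh2
Mar 28 09:05:40 gw sshd[2040]: Failed password for alice from 192.0.2.10 port 51240 ssh2
Mar 28 09:06:02 gw sshd[2041]: Accepted publickey for bob from 192.0.2.11 port 40000 ssh2
Mar 28 11:15:55 gw sshd[2102]: Accepted password for alice from 198.51.100.7 port 50001 ssh2
Mar 27 23:59:59 gw sshd[1999]: Accepted password for alice from 192.0.2.10 port 51000 ssh2'

# Print "user count" for every user with accepted logins on the given day.
# $1 is the day prefix exactly as syslog writes it, e.g. "Mar 28" or "Mar  8".
# Counts both password and publickey acceptance; failed attempts are ignored.
count_accepted_by_user() {
    awk -v day="$1" '
        substr($0, 1, length(day)) == day && $5 ~ /^sshd\[/ && $6 == "Accepted" {
            for (i = 7; i <= NF; i++) if ($i == "for") { n[$(i + 1)]++; break }
        }
        END { for (u in n) print u, n[u] }' | sort
}

# Number of accepted logins for one user on one day (0 when none). $1 = day, $2 = user.
accepted_count() {
    count_accepted_by_user "$1" | awk -v u="$2" '$1 == u { c = $2 } END { print c + 0 }'
}

# Exit 0 when the user is within the limit, 1 when it is exceeded. $1 = day, $2 = user, $3 = limit.
within_limit() {
    c=$(accepted_count "$1" "$2")
    [ "$c" -le "$3" ]
}

# Cron-style use on a real box (the log path and the action taken are up to you):
#   today=$(date '+%b %e')
#   within_limit "$today" alice 10 < /var/log/secure || logger -t ssh-limit "alice over limit"
```

date '+%b %e' pads single-digit days with a space, which is exactly what the syslog timestamp does, so the prefix comparison works on the 8th as well as the 28th.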