HowTo: Configure Linux To Track and Log Failed Login Attempt Records

Under Linux operating system you can use the faillog command to display faillog records or to set login failure limits. faillog command displays the contents of the failure log from /var/log/faillog database file. It also can be used for maintains failure counters and limits. If you run faillog command without arguments, it will display only list of user faillog records who have ever had a login failure.

PAM Settings

I found that under RHEL / CentOS Linux 5.x, you need to modify /etc/pam.d/system-auth file. You need to configure a PAM module pam_tally.so. Otherwise faillog command will never display failed login attempts.

PAM Configuration To Recored Failed Login Attempts

pam_tally.so module maintains a count of attempted accesses, can reset count on success, can deny access if too many attempts fail. Edit /etc/pam.d/system-auth file, enter:# vi /etc/pam.d/system-auth
Modify as follows:auth required pam_tally.so no_magic_root
account required pam_tally.so deny=3 no_magic_root lock_time=180
Where,

• deny=3 : Deny access if tally for this user exceeds 3 times.
• lock_time=180 : Always deny for 180 seconds after failed attempt. There is also unlock_time=n option. It allow access after n seconds after failed attempt. If this option is used the user will be locked out for the specified amount of time after he exceeded his maximum allowed attempts. Otherwise the account is locked until the lock is removed by a manual intervention of the system administrator.
• magic_root : If the module is invoked by a user with uid=0 the counter is not incremented. The sys-admin should use this for user launched services, like su, otherwise this argument should be omitted.
• no_magic_root : Avoid root account locking, if the module is invoked by a user with uid=0
  

Save and close the file.

How Do I Display All Failed Login Attempts For a User Called vivek?

Type the command as follows:# faillog -u vivek

Login       Failures Maximum Latest                   On
vivek           3        0   12/19/07 14:12:53 -0600  64.11.xx.yy

Taks: Show Faillog Records For All Users

Type the following command with the -a option:# faillog -a

Task: Lock Account

To lock user account to 180 seconds after failed login, enter:# faillog -l 180 -u vivek
# faillog -l 180

Task: Set Maximum Number of Login Failures

The -m option is allows you to set maximum number of login failures after the account is disabled to specific number called MAX. Selecting MAX value of 0 has the effect of not placing a limit on the number of failed logins. The maximum failure count should always be 0 for root to prevent a denial of services attack against the system:# faillog -M MAX -u username
# faillog -M 10 -u vivek

How do I Reset The Counters Of Login Failures?

The -r option can reset the counters of login failures or one record if used with the -u USERNAME option:# faillog -r
To reset counter for user vivek, enter:# faillog -r -u vivek
On large Linux login server, such as University or government research facility, one might find it useful to clear all counts every midnight or week from a cron job.# crontab -e
Reset failed login recover every week:@weekly /usr/bin/faillog -r
Save and close the file.

Recommended readings:

=> Read the pam_tally, faillog and pam man pages:$ man pam_tally
$ man tally
$ man faillog

Install Bacula in CentOS 6.4

In this how-to i am using MySQL for database, you can use either PostgreSQL or MySQL. My Backup server hostname and IP Address are “backup.unixmen.local” and “192.168.1.200/24″ respectively.

[root@server ~]# yum install bacula-director-mysql bacula-console bacula-client bacula-storage-mysql mysql-server mysql-devel -y

Start MySQL service and create root password for mysql.

Note: In this tutorial, i am using password as “centos” wherever i need to setup password . Define your own.

[root@server ~]# /etc/init.d/mysqld start

[root@server ~]# chkconfig mysqld on

[root@server ~]# mysqladmin -u root password centos

Next run the following commands one by one to create necessary tables for bacula. Here “-u root” means that login with root account and “-p” means prompt for mysql password i.e “centos” in this case.

[root@server ~]# /usr/libexec/bacula/grant_mysql_privileges -u root -p

[root@server ~]# /usr/libexec/bacula/create_mysql_database -u root -p

[root@server ~]# /usr/libexec/bacula/make_mysql_tables -u root -p

[root@server ~]# /usr/libexec/bacula/grant_bacula_privileges -u root -p

Now change the bacula user password.

[root@server ~]# mysql -u root -p

Enter password:

Welcome to the MySQL monitor.  Commands end with ; or \g.

Your MySQL connection id is 7

Server version: 5.1.67 Source distribution

Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its

affiliates. Other names may be trademarks of their respective

owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> UPDATE mysql.user SET password=PASSWORD("centos") WHERE user='bacula';

Query OK, 2 rows affected (0.01 sec)

Rows matched: 2  Changed: 2  Warnings: 0

mysql> FLUSH PRIVILEGES;

Query OK, 0 rows affected (0.00 sec)

mysql> quit

Now update all the configuration files with new password and addresses as shown below.

Update Bacula director

[root@server ~]# vi /etc/bacula/bacula-dir.conf

Director {                            # define myself

  Name = bacula-dir

  DIRport = 9101                # where we listen for UA connections

  QueryFile = "/usr/libexec/bacula/query.sql"

  WorkingDirectory = "/var/spool/bacula"

  PidDirectory = "/var/run"

  Maximum Concurrent Jobs = 1

  Password = "centos"         # Console password

  Messages = Daemon

# Client (File Services) to backup

Client {

  Name = bacula-fd

  Address = backup.unixmen.local

  FDPort = 9102

  Catalog = MyCatalog

  Password = "centos"          # password for FileDaemon

  File Retention = 30 days            # 30 days

  Job Retention = 6 months            # six months

  AutoPrune = yes                     # Prune expired Jobs/Files

}

# Definition of file storage device

Storage {

  Name = File

# Do not use "localhost" here

  Address = backup.unixmen.local                # N.B. Use a fully qualified name here

  SDPort = 9103

  Password = "centos"

  Device = FileStorage

  Media Type = File

}

# Generic catalog service

Catalog {

  Name = MyCatalog

# Uncomment the following line if you want the dbi driver

# dbdriver = "dbi:sqlite3"; dbaddress = 127.0.0.1; dbport =

  dbname = "bacula"; dbuser = "bacula"; dbpassword = "centos"

}

Console {

  Name = bacula-mon

  Password = "centos"

  CommandACL = status, .status

}

Update Bacula console

[root@server ~]# vi /etc/bacula/bconsole.conf

Director {

  Name = bacula-dir

  DIRport = 9101

  address = localhost

  Password = "centos"

}

Update the Storage Daemon

[root@server ~]# vi /etc/bacula/bacula-sd.conf

Director {

  Name = bacula-dir

  Password = "centos"

}

##Delete the following lines (Do not uncomment). As i installed centos minimal server, i don't have a GUI mode, so that i deleted the following section##

# Restricted Director, used by tray-monitor to get the

#   status of the storage daemon

#

Director {

  Name = bacula-mon

  Password = "@@MON_SD_PASSWORD@@"

  Monitor = yes

}

Device {

  Name = FileStorage

  Media Type = File

  Archive Device = /mybackup

  LabelMedia = yes;                   # lets Bacula label unlabeled media

  Random Access = Yes;

  AutomaticMount = yes;               # when device opened, read it

  RemovableMedia = no;

  AlwaysOpen = no;

}

Update the file daemon

[root@server ~]# vi /etc/bacula/bacula-fd.conf

# List Directors who are permitted to contact this File daemon

#

Director {

Name = bacula-dir

Password = "centos"

}

##Delete (do not uncomment) these lines if you only using CUI mode in Backup server ##

# Restricted Director, used by tray-monitor to get the

#   status of the storage daemon

#

Director {

Name = bacula-mon

Password = "@@MON_SD_PASSWORD@@"

Monitor = yes

}

As i mentioned in the above configuration that my archive data path is “/mybackup”. So lets create a directory called “mybackup”.

[root@server ~]# mkdir /mybackup

[root@server ~]# chown bacula /mybackup

Now we finished all passwords and address modifications. Next restart all bacula daemons.

[root@server ~]# /etc/init.d/bacula-dir start

Starting bacula-dir:                                       [  OK  ]

[root@server ~]# /etc/init.d/bacula-fd start

Starting bacula-fd:                                        [  OK  ]

[root@server ~]# /etc/init.d/bacula-sd start

Starting bacula-sd:                                        [  OK  ]

[root@server ~]# chkconfig bacula-dir on

[root@server ~]# chkconfig bacula-fd on

[root@server ~]# chkconfig bacula-sd on

Bacula is running successfully now. You can now add clients, jobs and volumes by updating the bacula config files. Alternatively you can use webmin for this purpose. It is quite easy then updating the config files manually.

Download and install webmin

[root@server ~]# wget http://prdownloads.sourceforge.net/webadmin/webmin-1.620-1.noarch.rpm

[root@server ~]# rpm -ivh webmin-1.620-1.noarch.rpm

[root@server ~]# /etc/init.d/webmin start

[root@server ~]# chkconfig webmin on

Now you can login through webmin by “//http://server-ip-address or server-domain-name:10000/”. If you want to access the bacula server through webmin, allow the webmin port “10000″ and bacula ports “9101″, “9102″, “9103″ through your firewall or router.

Add these following lines in your iptables config file.

[root@server ~]# vi /etc/sysconfig/iptables

-A INPUT -p udp -m state --state NEW --dport 10000 -j ACCEPT

-A INPUT -p tcp -m state --state NEW --dport 10000 -j ACCEPT

-A INPUT -p udp -m state --state NEW --dport 9101 -j ACCEPT

-A INPUT -p tcp -m state --state NEW --dport 9101 -j ACCEPT

-A INPUT -p udp -m state --state NEW --dport 9102 -j ACCEPT

-A INPUT -p tcp -m state --state NEW --dport 9102 -j ACCEPT

-A INPUT -p udp -m state --state NEW --dport 9103 -j ACCEPT

-A INPUT -p tcp -m state --state NEW --dport 9103 -j ACCEPT

Restart iptables.

[root@server ~]# service iptables restart

- See more at: http://www.unixmen.com/install-and-configure-bacula-server-in-centos-6-4-rhel-6-4/#sthash.LYryvhLe.dpuf

Install webacula bacula backup server on CentOS/RHEL, Fedora

You need to install php-ZendFramework before Webacula.

Add remi and epel repositories.

# rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
# rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-6.rpm

Install ZendFramework and Db-Adapter for Mysql

# yum --enablerepo=remi install php-ZendFramework php-ZendFramework-Db-Adapter-Pdo-Mysql

Now download webacula, untar it and move it under /usr/share

# wget http://sourceforge.net/projects/webacula/files/latest/download
# tar zxvf webacula-5.5.1.tar.gz
# mv webacula-5.5.1 /usr/share/webacula
# cd /usr/share/webacula
# cd install/
# php check_system_requirements.php

Move to the library directory and create a symlink for Zend. You will find Zend under /usr/share/php/Zend/

# cd /usr/share/webacula/library/
# ln -s /usr/share/php/Zend/ .

Open db.conf file and add the password.

# cd /usr/share/webacula/install/
# vi db.conf

This password will be used to login to webacula console.

db_name="bacula"
db_user="root"
db_pwd="mysqlroot@123"

webacula_root_pwd="baculapass"

Execute the scripts to create db tables for webcaula.

# cd /usr/share/webacula/install/MySql/
# ./10_make_tables.sh
# ./20_acl_make_tables.sh

If you have bacula installed you would probably have bacula group, if not then add it. Add apache to bacula group.

# groupadd bacula
# usermod -aG bacula apache

Allow Apache to execute bconsole file using bconsole.conf configuration file. My bconsole binary is under /usr/local/bacula/bin/

# chown root:bacula /usr/local/bacula/bin/bconsole
# chmod u=rwx,g=rx,o= /usr/local/bacula/bin/bconsole

# chown root:bacula /usr/local/bacula/bin/bconsole.conf
# chmod u=rw,g=r,o= /usr/local/bacula/bin/bconsole.conf

Edit application/config.ini and add the bacula database name and credentials. Also remove sudo path and edit bacula.bconsole binary location. The sudo path would be /sbin/sudo, remove that and left the field blank as shown below

# vi /usr/share/webacula/application/config.ini

Edit the hostname, db name, root username and password

db.adapter = PDO_MYSQL
db.config.host = localhost
db.config.username = mysqlroot@123
db.config.dbname = bacula

bacula.sudo = ""
bacula.bconsole = "/usr/local/bacula/bin/bconsole"

Copy the configuration file for Apache to /etc/httpd/conf.d

# cp /usr/share/webacula/install/apache/webacula.conf /etc/httpd/conf.d/

Edit the webacula.conf file.

# vi /etc/httpd/conf.d/webacula.conf

Add the allowed IP’s that can access webacula. If you wish to remove this restriction comment the Deny from all feild.

Allow from 192.161.150.0/255.255.255.0

or

# Deny from all

Increase values in /etc/php.ini :

# vi /etc/php.ini

Set the values for the following variables.

memory_limit = 128M
max_execution_time = 300

Restart the Apache service

# /etc/init.d/httpd restart

High Availability: Configure Piranha for HTTP, HTTPS and MySQL

Piranha is a simple yet powerful tool to manage virtual IP and service with its web-based GUI.

As refer to my previous post on how to install and configure Piranha for HTTP service: http://blog.secaserver.com/2012/07/centos-configure-piranha-load-balancer-direct-routing-method/, in this post we will complete over the Piranha configuration with HTTP and HTTPS load balancing using direct-routing with firewall marks and MySQL load balancing using direct-routing only.

HTTP/HTTPS will need to be accessed by users via virtual public IP 130.44.50.120 while MySQL service will be accessed by web servers using virtual private IP 192.168.100.30. Kindly refer to picture below for the full architecture:

All Servers

SELINUX must be turned off on all servers. Change the SELINUX configuration file at /etc/sysconfig/selinux:

SELINUX=disabled

Load Balancers

1. All steps should be done in both servers unless specified. We will install Piranha and other required packages using yum:

$ yum install piranha ipvsadm mysql -y

2. Open firewall ports as below:

$ iptables -AINPUT -mtcp -ptcp --dport3636-jACCEPT $ iptables -AINPUT -mtcp -ptcp --dport80-jACCEPT $ iptables -AINPUT -mtcp -ptcp --dport443-jACCEPT $ iptables -AINPUT -mtcp -ptcp --dport539-jACCEPT $ iptables -AINPUT -mudp -pudp --dport161-jACCEPT

3. Start all required services and make sure they will auto start if server reboot:

$ service piranha-gui start $ chkconfig piranha-gui on $ chkconfig pulse on

4. Run following command to set password for user piranha. This will be used when accessing the web-based configuration tools:

$ piranha-passwd

5. Turn on IP forwarding. Open /etc/sysctl.conf and make sure following line has value 1:

net.ipv4.ip_forward = 1

And run following command to activate it:

$ sysctl -p

6. Check whether iptables is loaded properly as the kernel module:

$ lsmod|grepip_tables ip_tables 177333iptable_filter,iptable_mangle,iptable_nat

7. Since we will need to serve HTTP and HTTPS from the same server, we need to group the traffic to be forwarded to the same destination. To achieve this, we need to mark the packet using iptables and so it being recognized correctly on the destination server. Set the iptables rules to mark all packets which destined for the same server as “80″:

$ iptables -tmangle -APREROUTING -ptcp -d130.44.50.120/32--dport80-jMARK --set-mark80 $ iptables -tmangle -APREROUTING -ptcp -d130.44.50.120/32--dport443-jMARK --set-mark80

Load Balancer #1

1. Check the IP address is correctly setup:

$ ip a | grep inet inet 130.44.50.121/28 brd 110.74.131.15 scope global eth0 inet 192.168.100.41/24 brd 192.168.10.255 scope global eth1

2. Login into Piranha at http://130.44.50.121:3636/. Login as user piranha and password which has been setup in step #4 of Load Balancers section.

3. Enable redundancy. Go to Piranha > Redundancy > Enable.

4. Enter the IP information as below:

Redundant server public IP : 130.44.50.122 Monitor NIC links for failures : Enabled Use sync daemon : Enabled

Click ‘Accept’.

5. Go to Piranha > Virtual Servers > Add > Edit. Add information as below and click ‘Accept’:

6. Next, go to Real Server. This we will put the IP address of all real servers that serve HTTP. Fill up all required information as below:

7. Now we need to do the similar setup to HTTPS. Just change the port number for ‘Application port’ to 443. For Real Server, change the real server’s destination port to 443.

8. For MySQL virtual server, enter information as below:

9. For MySQL real servers, enter information as below:

10. Configure monitoring script for MySQL virtual server. Click on ‘Monitoring Script’ and configure as below:

11. Setup the monitoring script for mysql:

$ vim/root/mysql_mon.sh

And add following line:

#!/bin/sh USER=monitor PASS=M0Npass5521 #################################################################### CMD=/usr/bin/mysqladmin IS_ALIVE=`$CMD-h$1-u$USER-p$PASSping|grep-c"alive"` if["$IS_ALIVE"= "1"]; then echo"UP" else echo"DOWN" fi

12. Change the script permission to executable:

$ chmod755/root/mysql_mon.sh

13. Now copy over the script and Piranha configuration file to load balancer #2:

$ scp/etc/sysconfig/ha/lvs.cf lb2:/etc/sysconfig/ha/lvs.cf $ scp/root/mysql_mon.sh lb2:/root/

14. Restart Pulse to activate the Piranha configuration in LB#1:

$ service pulse restart

Load Balancer #2

In this server, we just need to restart pulse service as below:

$ chkconfig pulse on $ service pulse restart

Database Cluster

1. We need to allow the MySQL monitoring user from nanny (load balancer) in the MySQL cluster. Login into MySQL console and enter following SQL command in one of the server:

mysql>GRANTUSAGEON*.*TOmonitor@'%'IDENTIFIED BY 'M0Npass5521';

2. Add the virtual IP manually using iproute:

$ /sbin/ip addradd 192.168.100.30 dev eth1

3. Add following entry into /etc/rc.local to make sure the virtual IP is up after boot:

$ echo'/sbin/ip addr add 192.168.100.30 dev eth1'>>/etc/rc.local

Attention: If you restart the interface that hold virtual IP in this server, you need to execute step #2 to bring up the virtual IP manually. VIPs can not be configured to start on boot.

4. Check the IPs in the server. Example below was taken from server Mysql1:

$ ip a | grep inet inet 130.44.50.127/24 brd 130.44.50.255 scope global eth0 inet 192.168.100.33/24 brd 192.168.100.255 scope global eth1 inet 192.168.100.30/32 scope global eth1

Web Cluster

1. On each and every server, we need to install a package called arptables_jf from yum. We will used this to manage our ARP tables entries and rules:

$ yum installarptables_jf -y

2. Add following rules respectively for every server:

Web1:

arptables -AIN -d130.44.50.120 -jDROP arptables -AOUT -d130.44.50.120 -jmangle --mangle-ip-s130.44.50.123

Web 2:

arptables -AIN -d130.44.50.120 -jDROP arptables -AOUT -d130.44.50.120 -jmangle --mangle-ip-s130.44.50.124

Web 3:

arptables -AIN -d130.44.50.120 -jDROP arptables -AOUT -d130.44.50.120 -jmangle --mangle-ip-s130.44.50.125

3. Enable arptables_jf to start on boot, save the rules and restart the service:

$ service arptables_jf save $ chkconfig arptables_jf on $ service arptables_jf restart

4. Add the virtual IP manually into the server using iproute command as below:

$ /sbin/ip addradd 130.44.50.120 dev eth0

5. Add following entry into /etc/rc.local to make sure the virtual IP is up after boot:

$ echo'/sbin/ip addr add 130.44.50.120 dev eth0'>>/etc/rc.local

Attention: If you restart the interface that hold virtual IP in this server, you need to execute step #4 to bring up the virtual IP manually. VIPs can not be configured to start on boot.

6. Check the IPs in the server. Example below was taken from server Web1:

$ ip a | grep inet inet 130.44.50.123/28 brd 110.74.131.15 scope global eth0 inet 130.44.50.120/32 scope global eth0 inet 192.168.100.21/24 brd 192.168.100.255 scope global eth1

You are now having a complete high availability MySQL and HTTP/HTTPS service with auto failover and load balance features by Piranha using direct routing method.

In this tutorial, I am not focusing on HTTPS because in this test environment I do not have SSL setup correctly and do not have much time to do that. By the way, you may use following BASH script to monitor HTTPS from Piranha (nanny):

#!/bin/bash if[$#-eq0]; then echo"host not specified" exit1 fi curl -s--insecure\ --cert/etc/crt/hostcert.pem \ --key/etc/crt/hostkey.pem \ Error! Hyperlink reference not valid. &>/dev/null if[$?-eq0]; then echo"UP" else echo"DOWN" fi

I hope this tutorial could be useful for some guys out there!