# sshd, pam, allowgroups

## CoderMan

I'm managing a remote public server running a fairly recent install of Gentoo. I've been getting a lot of attacks lately from mysterious Chinese companies that try to ssh into every imaginable username. I want to configure my system so that the only accounts that have remote ssh access are accounts that are part of a special "sshdaccess" group. I added "AllowGroups sshdaccess" to /etc/ssh/sshd_config, and restarted sshd, but sshd still gives access to even accounts that are not part of this group.

The only explanation that comes to mind is that PAM somehow overrides this setting, since "UsePAM yes" is set in sshd_config. What do I need to add to /etc/pam.d/sshd to get this functionality? I googled, but all the results I got were several years old, and they only gave instructions on telling PAM to use a list of /users/, whereas I want sshd to allow access to all users of a particular /group/.

----------

## richard.scott

You could try adding this to your /etc/pam.d/system-auth at the top of the account section, i.e. between auth and account:

```
account     [default=bad success=ignore] pam_succeed_if.so user ingroup sshdaccess
```

Test this with a new SSH session, and make sure you keep your current session connected to the server, as if it goes wrong it may lock you out totally.

Rich.

Last edited by richard.scott on Tue Dec 21, 2010 3:40 pm; edited 1 time in total

----------

## eccerr0r

Not much you can do about it; they can still try and fail because they don't know the real password (are your passwords unguessable?).

It's a long-standing problem, and there are several posts about it. Basically, to not see all those failed attempts you have to inconvenience yourself, either by moving the port or by doing some filtering on the IP addresses that you will be authorized from.

----------

## richard.scott

I packet filter on 3 failed login attempts (as I use ssh keys, I know a failed attempt isn't me).

I use this script that's called from metalog:

```
#!/bin/bash
# Run by metalog with: $1 = date, $2 = process name, $3 = message text.

# Nothing to do on a box without Shorewall.
[ ! -f /sbin/shorewall ] && exit

SCRIPT_NAME="$(basename "${0}")"

# One counter file per offending IP lives in this directory.
DIR="/var/lib/${SCRIPT_NAME}"
[ ! -d "${DIR}" ] && mkdir -p "${DIR}"

LOGGER="logger -t ${SCRIPT_NAME}"

PROCESS_NAME="${2}"
DATA="${3}"

if echo "${DATA}" | grep -qE "Failed|Invalid" ; then
  case "${PROCESS_NAME}" in
    "sshd")
      # sshd phrases failures differently depending on the cause, so the
      # field holding the remote IP is chosen by the word count of the message.
      case "$(echo "${DATA}" | wc -w)" in
        11) REMOTE_IP="$(echo "${DATA}" | awk '{print $8}')" ;;
        9)  REMOTE_IP="$(echo "${DATA}" | awk '{print $6}')" ;;
        5)  REMOTE_IP="$(echo "${DATA}" | awk '{print $5}')" ;;
      esac
      # Unknown layout: no IP to count, so stop rather than writing to "${DIR}/".
      [ -z "${REMOTE_IP}" ] && exit

      echo "${DATA}" | ${LOGGER}

      # Read the running count for this IP (0 if first seen) and bump it.
      [ -f "${DIR}/${REMOTE_IP}" ] && TOTAL=$(cat "${DIR}/${REMOTE_IP}") || TOTAL=0
      let "TOTAL=${TOTAL} + 1"
      echo "${TOTAL}" > "${DIR}/${REMOTE_IP}"

      # Third strike: tell root, block the address in Shorewall, reset the count.
      if [ "${TOTAL}" -ge 3 ]; then
        echo "Failed login from IP ${REMOTE_IP}" | mail -s "Failed SSH Login" root
        shorewall reject "${REMOTE_IP}" | ${LOGGER}
        rm -f "${DIR}/${REMOTE_IP}"
      fi
    ;;
  esac
fi
```

It's not that pretty, but it does the job for me, as I also have Shorewall installed, which makes iptables easier to manage.

I have edited this section in /etc/metalog.conf to run the script when there is a password failure:

```
Password failures :
    regex    = "(password|login|authentication)\s+(fail|invalid)"
    regex    = "(failed|invalid)\s+(password|login|authentication|user)"
    regex    = "ILLEGAL ROOT LOGIN"
    logdir   = "/var/log/pwdfail"
    command  = "/root/bin/pwdfail"
```

As you can see, I save this script as /root/bin/pwdfail.

Rich
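A more robust way to find the remote address in those sshd messages, as an added example rather than Rich's script: match the IP with a regex instead of relying on the word count (the exact wording of sshd's failure messages varies between versions), and skip any line that cannot be parsed instead of writing a counter for an empty IP. The sample messages, the counter-directory layout and the function names are assumptions made up for this example.

```shell
#!/bin/bash
# Added example, not Rich's script: pull the remote IP from an sshd failure
# message with a regex rather than a word count, so an unexpected layout is
# skipped, not miscounted. Constructed sample messages (RFC 5737 addresses)
# follow, in the form metalog passes them: the text after "sshd[pid]: ".
SAMPLE_LOG='Invalid user admin from 192.0.2.10 port 55012
Failed password for invalid user admin from 192.0.2.10 port 55012 ssh2
Failed password for root from 198.51.100.7 port 40001 ssh2
Accepted publickey for rich from 203.0.113.5 port 4000 ssh2
Failed password for invalid user oracle from 192.0.2.10 port 55014 ssh2
Failed password for root from 198.51.100.7 port 40002 ssh2'

# Print the IPv4 after "from " in a failure message; else print nothing, return 1.
extract_ip() {
  local line="$1" ip
  case "$line" in "Failed password"*|"Invalid user"*) ;; *) return 1 ;; esac
  ip="$(printf '%s\n' "$line" | grep -oE 'from ([0-9]{1,3}\.){3}[0-9]{1,3}' | cut -d' ' -f2 | head -n 1)"
  [ -n "$ip" ] || return 1
  printf '%s\n' "$ip"
}
# Bump the per-IP counter file under $1 for message $2; print "<ip> <total>".
record_failure() {
  local dir="$1" line="$2" ip total=0
  ip="$(extract_ip "$line")" || return 1
  [ -f "$dir/$ip" ] && total="$(cat "$dir/$ip")"
  total=$((total + 1))
  printf '%s\n' "$total" > "$dir/$ip"
  printf '%s %s\n' "$ip" "$total"
}
# Feed log file $2 through record_failure with counter directory $1; print
# each IP as it reaches $3 failures (default 3) and reset its counter.
ips_to_block() {
  local dir="$1" logfile="$2" limit="${3:-3}" line result ip total
  mkdir -p "$dir"
  while IFS= read -r line; do
    result="$(record_failure "$dir" "$line")" || continue
    ip="${result%% *}"; total="${result##* }"
    if [ "$total" -ge "$limit" ]; then
      printf '%s\n' "$ip"
      rm -f "$dir/$ip"
    fi
  done < "$logfile"
}
# Run the sample through the pipeline in a scratch directory; prints 192.0.2.10.
demo() {
  local d; d="$(mktemp -d)"
  printf '%s\n' "$SAMPLE_LOG" > "$d/auth.log"
  ips_to_block "$d/counters" "$d/auth.log"
  rm -rf "$d"
}
```

Only 192.0.2.10 reaches three failures in the sample; the successful publickey login is ignored and 198.51.100.7 stops at two.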

----------

