Blocking failed logins using PAM

I heard CentOS can block users based on failed logins.
http://www.cyberciti.biz/tips/lock-unlock-set-number-of-login-attempts.html

The post says by default it checks for /var/log/faillog. How do I change this to another log file to keep track of failed logins?
I have a Plesk-managed server. I have to check /var/log/secure and /usr/local/psa/var/log/maillog. Can anyone advise?

Answer

The faillog that page is referring to is a special file used by pam_tally. It doesn't scan logs looking for login failures.

Basically, whenever you have a failed login, pam_tally records the entry in the faillog. Then whenever you go to log in, it looks in the faillog to see if you've exceeded the threshold. Once you have, it starts refusing logins.

If you want to deny remote ssh logins based on log parsing, you want either fail2ban or denyhosts. Both read logs to track login failures and add iptables or tcpwrapper deny rules to block access from the source IP (not based on user).

Attribution
Source: Link, Question Author: Antu, Answer Author: phemmer
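
To show the difference the answer draws between counting failures per user and parsing logs per source IP, here is an added example; it is not part of the original answer and is not code from pam_tally, fail2ban or denyhosts. The log lines are constructed samples in the sshd format written to /var/log/secure, and the threshold of 3, the function names and the user names are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the sshd format found in /var/log/secure.
SAMPLE_SECURE_LOG = """\
Mar  3 10:01:11 host sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar  3 10:01:15 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40125 ssh2
Mar  3 10:01:19 host sshd[2103]: Failed password for root from 203.0.113.7 port 40130 ssh2
Mar  3 10:02:40 host sshd[2110]: Failed password for alice from 198.51.100.20 port 51514 ssh2
Mar  3 10:03:02 host sshd[2112]: Accepted password for alice from 198.51.100.20 port 51520 ssh2
Mar  3 10:04:44 host sshd[2120]: Failed password for root from 192.0.2.55 port 33900 ssh2
"""

# Matches sshd password failures for both existing and unknown accounts.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def count_failures(log_text):
    """Return (failures per user name, failures per source IP)."""
    by_user, by_ip = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            by_user[m.group("user")] += 1
            by_ip[m.group("ip")] += 1
    return by_user, by_ip

def over_threshold(counts, threshold):
    """Keys whose failure count has reached the threshold, sorted."""
    return sorted(key for key, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    users, ips = count_failures(SAMPLE_SECURE_LOG)
    # Per-user view: the kind of decision a per-account tally makes.
    print("users at threshold:", over_threshold(users, 3))
    # Per-IP view: the kind of decision a log-parsing blocker makes.
    print("source IPs at threshold:", over_threshold(ips, 3))
```

In this sample, root reaches the threshold through failures from two different addresses, so a per-user lockout affects every login to that account, while a per-IP rule blocks only 203.0.113.7.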
