Limits and boundaries
© 2014 Dennis Leeuw dleeuw at made-it dot com
License: GPLv2 or later
User and group access can be controlled by PAM using the pam_access module. Its control file is, as far as I know, shipped by every distribution and is called /etc/security/access.conf.
You could create a simple file that makes sure that only certain groups have access to your machine:
+ : bofh : ALL
+ : ALL : LOCAL
+ : ALL : 127.0.0.0/24
- : ALL : ALL
The last line says: deny everything else. Above that we allow everything that comes from localhost, which seems reasonable, just to make sure that web-servers and the like can start. The first line, however, is the key one: it says that on this system only the users in the group bofh have access, from any origin, and no-one else.
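As an added illustration (not part of the original page), here is a small Python model of how pam_access walks this file: the first matching rule wins, and when no rule matches access is granted, which is why the closing deny-all line matters. The group table and login attempts are constructed; LOCAL, CIDR and exact matching are simplified relative to the real module and ALL EXCEPT is not handled.

```python
import ipaddress

# Constructed sample data: the access.conf rules from the text above and a
# hypothetical group table (the real module consults the system group database).
ACCESS_CONF = """
+ : bofh : ALL
+ : ALL : LOCAL
+ : ALL : 127.0.0.0/24
- : ALL : ALL
"""
GROUPS = {"bofh": {"alice"}, "users": {"alice", "bob"}}  # constructed


def parse_rules(text):
    """Parse access.conf lines into (permission, users, origins) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm, users.split(), origins.split()))
    return rules


def user_matches(item, user):
    # A bare name is tried as a login name first, then as a group name.
    return item == "ALL" or item == user or user in GROUPS.get(item, set())


def origin_matches(item, origin):
    if item == "ALL":
        return True
    if item == "LOCAL":  # origin without a '.', e.g. a tty or short host name
        return "." not in origin
    if "/" in item:  # network in CIDR form; 127.0.0.1 is not LOCAL but is in 127.0.0.0/24
        try:
            return ipaddress.ip_address(origin) in ipaddress.ip_network(item, strict=False)
        except ValueError:
            return False
    return item == origin  # exact host name or address


def check_access(rules, user, origin):
    """First matching rule decides; with no match this model grants access."""
    for perm, users, origins in rules:
        if any(user_matches(u, user) for u in users) and any(origin_matches(o, origin) for o in origins):
            return perm == "+"
    return True
```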
The structure of the lines is simple. The field separator is ':' and every line consists of 3 fields:
Limit the number of attempts a user has at the login prompt using pam_tally:
auth required pam_tally.so onerr=fail no_magic_root
account required pam_tally.so per_user deny=3 no_magic_root reset
pam_limits limits the "room" people have on the system. Through hard and soft limits one can e.g. limit the number of processes (nproc) a user can start or the maximum number of simultaneous logins (maxlogins), and a whole lot more.