🔒 Configuring User Login Restrictions: Simple Guide
Alpine Linux Security Beginner

Published Jun 3, 2025

Easy tutorial for setting up secure user access controls in Alpine Linux. Perfect for beginners with step-by-step instructions and clear examples.

Want to make your Alpine Linux system super secure by controlling who can log in? This guide shows you how! 😊 We'll set up smart login rules that keep bad users out while letting good users in. 💻

🤔 What are Login Restrictions?

Login restrictions are security rules that control when, where, and how users can access your system. Think of them like security guards for your computer!

Login restrictions help with:

  • Stopping unauthorized users from accessing your system
  • 🔧 Limiting login times to business hours only
  • 💡 Preventing brute force password attacks

🎯 What You Need

Before we start, you need:

  • ✅ Root access to your Alpine Linux system
  • ✅ Basic understanding of user management
  • ✅ Knowledge of your security requirements
  • ✅ Access to the command line interface

📋 Step 1: Understanding Login Control Files

Check Current Login Settings

Let's see what login controls you have right now! 😊

What we're doing: Looking at your system's current login configuration.

# Check login definitions
cat /etc/login.defs

# View user account settings
cat /etc/passwd | head -10

# Check password policies
cat /etc/shadow | head -5

# View current login attempts
last -10

# Check failed login attempts
lastb -10 2>/dev/null || echo "No failed logins recorded"

What this does: 📖 Shows your current user login settings and history.

Example output:

PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
LOGIN_RETRIES   5

What this means: Your system has basic login controls in place! ✅

💡 Important Tips

Tip: Always test login restrictions with a test user first! 💡

Warning: Don't lock yourself out of the system! ⚠️

🛠️ Step 2: Install Security Tools

Add Login Control Packages

Alpine Linux needs special tools for advanced login control! 😊

What we're doing: Installing packages that provide login security features.

# Install PAM (Pluggable Authentication Modules)
apk add linux-pam

# Install login tracking tools
apk add shadow

# Install fail2ban for brute force protection
apk add fail2ban

# Install sudo for privilege control
apk add sudo

# Check installations: list the PAM modules shipped by the linux-pam package
# (pam-config is a SUSE tool and is not available on Alpine)
apk info -L linux-pam | grep -o 'pam_[a-z_0-9]*\.so$'

Code explanation:

  • linux-pam: Advanced authentication system
  • shadow: Password security utilities
  • fail2ban: Automatic IP blocking for failed logins
  • sudo: Controlled privilege escalation

Expected Output (trimmed; the package ships many more modules):

...
pam_limits.so
...
pam_time.so
...
pam_unix.so
...

What this means: Advanced security tools are ready to use! 🎉

🔧 Step 3: Set Up Time-Based Restrictions

Configure Login Hours

Time to control when users can log in! This is powerful! 🎯

What we're doing: Setting specific hours when users are allowed to log in.

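# pam_time.so ships with the linux-pam package installed in Step 2;
# confirm it is present
apk info -L linux-pam | grep pam_time.so

# Create time restrictions file
cat > /etc/security/time.conf << 'EOF'
# Format: services ; ttys ; users ; times
# The users field matches account names (not Unix groups). Day codes are
# concatenated, not written as ranges: Wk = Monday-Friday, Wd = weekend,
# Al = every day. A user is denied if any rule that matches them fails.

# Allow login only during business hours (8 AM to 6 PM, Monday-Friday)
# for everyone except the accounts that have their own rule below
login ; * ; !root & !weekenduser & !admin ; Wk0800-1800

# Allow root access anytime
login ; * ; root ; Al0000-2400

# Restrict specific user to weekends only
login ; * ; weekenduser ; Wd0000-2400

# Allow the admin account extended hours
login ; * ; admin ; Wk0700-2000
EOF

# Enable time restrictions in PAM
echo "account required pam_time.so" >> /etc/pam.d/login

# Test time restrictions
date
echo "Time restrictions configured! ⏰"

Code explanation:

  • Wk0800-1800: Monday to Friday, 8 AM to 6 PM (Wk is the pam_time code for weekdays)
  • Al0000-2400: All days, all hours (24/7)
  • pam_time.so: PAM module that enforces time restrictions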

Good output looks like:

Time restrictions configured! ⏰
Login hours: Mon-Fri 8:00-18:00
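
A syntax check for the time.conf rules from this step, as an added example that is not part of the original guide: pam_time day codes (Mo Tu We Th Fr Sa Su Wk Wd Al) are concatenated rather than written as ranges, and a rule the module cannot parse will not give the login hours you intended. The function name lint_time_conf and the sample rules are made up for illustration.

```shell
#!/bin/sh
# lint_time_conf FILE: syntax-check pam_time rules (services;ttys;users;times).
# Prints "line N: reason" for each malformed rule; returns 1 if any were found.
lint_time_conf() {
    awk -F';' '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    { sub(/#.*/, "") }                  # drop comments
    /^[ \t]*$/ { next }                 # skip blank lines
    NF != 4 {
        printf "line %d: expected 4 fields, got %d\n", NR, NF
        bad = 1; next
    }
    {
        # times is a logic list: elements joined by | or &, optional leading !
        n = split(trim($4), elems, /[ \t]*[|&][ \t]*/)
        for (i = 1; i <= n; i++) {
            # one or more day codes, then HHMM-HHMM (2400 is allowed)
            if (elems[i] !~ /^!?(Mo|Tu|We|Th|Fr|Sa|Su|Wk|Wd|Al)+([01][0-9]|2[0-4])[0-5][0-9]-([01][0-9]|2[0-4])[0-5][0-9]$/) {
                printf "line %d: bad day/time element \"%s\"\n", NR, elems[i]
                bad = 1
            }
        }
    }
    END { exit bad }
    ' "$1"
}

# Constructed sample rules (not taken from a real system).
sample=$(mktemp)
cat > "$sample" << 'EOF'
login ; * ; !root ; Wk0800-1800
login ; * ; testuser ; Mo-Fr0900-1700
login ; * ; weekenduser ; Wd0000-2400 | Fr1800-2400
login ; * ; admin
EOF
lint_time_conf "$sample" || echo "fix the rules above before enabling pam_time"
rm -f "$sample"
```

Run it against /etc/security/time.conf before adding pam_time.so to a PAM stack; it checks syntax only, not whether the policy is the one you want.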

🛠️ Step 4: Set Up Login Attempt Limits

Configure Failed Login Protection

Let's protect against password guessing attacks! Here's how:

What we're doing: Setting limits on failed login attempts.

# Configure login attempt limits
cat > /etc/security/faillock.conf << 'EOF'
# Lock account after 5 failed attempts
deny = 5

# Lock for 15 minutes (900 seconds)
unlock_time = 900

# Reset failed count after 10 minutes
fail_interval = 600

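# Don't lock root account: leave even_deny_root out of the file. It is a
# flag that is enabled by being present, so "even_deny_root = false" would
# still turn root lockout on.
# even_deny_root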
EOF

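# Enable faillock in PAM
# PAM evaluates each stack from top to bottom and >> appends at the end,
# so review /etc/pam.d/login afterwards and make sure these auth lines
# come before any other auth entries already in the file
cat >> /etc/pam.d/login << 'EOF'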
# Account lockout for failed attempts
auth required pam_faillock.so preauth
auth sufficient pam_unix.so
auth [default=die] pam_faillock.so authfail
account required pam_faillock.so
EOF

# Start fail2ban service
rc-update add fail2ban
rc-service fail2ban start

# Check faillock status
faillock --user testuser

What this does: Automatically locks accounts after too many failed attempts! 🌟

Configure IP-Based Restrictions

Let's control which computers can connect:

What we're doing: Restricting logins based on network location.

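# Configure hosts.allow (allowed IPs)
# These files are read only by services built with TCP wrappers (libwrap);
# upstream OpenSSH removed that support in 6.7, so confirm that your sshd
# really refuses connections from addresses outside this list
cat > /etc/hosts.allow << 'EOF'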
# Allow SSH from local network
sshd: 192.168.1.0/24

# Allow specific admin IPs
sshd: 203.0.113.10
sshd: 203.0.113.20

# Allow localhost
ALL: 127.0.0.1
EOF

# Configure hosts.deny (blocked IPs)
cat > /etc/hosts.deny << 'EOF'
# Block all other SSH connections
sshd: ALL

# Log denied attempts
ALL: ALL: spawn /bin/echo "$(date) %c %d" >> /var/log/denied.log
EOF

# Test access controls
echo "IP restrictions configured!"
cat /etc/hosts.allow

Code explanation:

  • 192.168.1.0/24: Allows entire local network
  • sshd: ALL: Blocks all SSH connections not explicitly allowed
  • IP restrictions protect against remote attacks

📊 Quick Summary Table

| Restriction Type | Purpose | Configuration File |
|---|---|---|
| 🔧 Time-based | ✅ Control login hours | /etc/security/time.conf |
| 🛠️ Failed attempts | ✅ Prevent brute force | /etc/security/faillock.conf |
| 🎯 IP-based | ✅ Network access control | /etc/hosts.allow |
| User limits | ✅ Resource restrictions | /etc/security/limits.conf |

🎮 Practice Time!

Let's practice what you learned! Try these simple examples:

Example 1: Create Test User with Restrictions 🟢

What we're doing: Making a test user to verify our restrictions work.

# Create test user (-D: no interactive password prompt; the password is set below)
adduser -D testuser

# Set password
echo "testuser:testpass123" | chpasswd

# Add time restrictions for test user
# (Wk = Monday-Friday; pam_time day codes are concatenated, not ranges)
echo "login ; * ; testuser ; Wk0900-1700" >> /etc/security/time.conf

# Confirm the account works. su from root does not go through the "login"
# service, so check the time rule itself with a real console login.
su - testuser -c "whoami"

# Check restriction status
echo "Test user created with restrictions! ✅"

What this does: Creates a user you can safely test restrictions with! 🌟

Example 2: Monitor Login Activity 🟡

What we're doing: Setting up logging to track who logs in when.

# Create login monitoring script
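cat > /usr/local/bin/login-monitor.sh << 'EOF'
#!/bin/sh
# Alpine does not install bash by default, so this runs under /bin/sh

# pam_exec also runs this script when the session closes; only log the open
[ "$PAM_TYPE" = "open_session" ] || exit 0

# Log successful logins
echo "$(date): User $PAM_USER logged in from $PAM_RHOST" >> /var/log/logins.log

# Check for suspicious activity
if [ "$(date +%H)" -lt 6 ] || [ "$(date +%H)" -gt 22 ]; then
    echo "ALERT: Off-hours login by $PAM_USER at $(date)" >> /var/log/security-alerts.log
fi
EOF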

chmod +x /usr/local/bin/login-monitor.sh

# Add to PAM session
echo "session optional pam_exec.so /usr/local/bin/login-monitor.sh" >> /etc/pam.d/login

# View login logs
tail -f /var/log/logins.log

What this does: Tracks all login activity and alerts on suspicious times! 📚

🚨 Fix Common Problems

Problem 1: User locked out permanently ❌

What happened: Account locked due to failed attempts. How to fix it: Unlock the account manually!

# Check lock status
faillock --user username

# Unlock specific user
faillock --user username --reset

# Unlock all users
faillock --reset

# Check if unlocked
faillock --user username

Problem 2: Time restrictions not working ❌

What happened: PAM time module not properly configured. How to fix it: Check PAM configuration!

# Verify PAM time module
grep pam_time /etc/pam.d/login

# Check time.conf syntax
cat /etc/security/time.conf

# Test with debug output (add the debug option to the existing line
# instead of appending a second pam_time entry)
sed -i 's/pam_time\.so[[:space:]]*$/pam_time.so debug/' /etc/pam.d/login

Problem 3: Can't login from allowed IP ❌

What happened: hosts.allow configuration error. How to fix it: Check IP address format!

# Check current IP
ip addr show

# Verify hosts.allow format
cat /etc/hosts.allow

# Test with specific IP
echo "sshd: $(ip route get 1 | awk '{print $7}')" >> /etc/hosts.allow

Don't worry! These problems happen to everyone. You're doing great! 💪

💡 Simple Tips

  1. Test with non-admin users 📅 - Don't test restrictions with root account
  2. Keep backup access 🌱 - Always have another way to get in
  3. Document your rules - Write down what restrictions you set
  4. Monitor logs regularly 💪 - Check login attempts and failures

✅ Check Everything Works

Let's make sure everything is working:

# Test time restrictions
grep pam_time /etc/pam.d/login

# Check faillock configuration
cat /etc/security/faillock.conf

# View recent login attempts
last -5

# Check security status
echo "Login restrictions active! 🔒"
faillock --user testuser

Good output:

account required pam_time.so
deny = 5
unlock_time = 900
Login restrictions active! 🔒
No failed logins for testuser

🏆 What You Learned

Great job! Now you can:

  • ✅ Set up time-based login restrictions
  • ✅ Configure failed login attempt protection
  • ✅ Control access by IP address
  • ✅ Monitor and log login activity!

🎯 What's Next?

Now you can try:

  • 📚 Learning about two-factor authentication
  • 🛠️ Setting up certificate-based login
  • Configuring LDAP authentication
  • 🌟 Building automated security monitoring!

Remember: Every security expert was once a beginner. You're doing amazing! 🎉

Keep practicing and you'll become an expert too! 💫