2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains how to use PAM on CentOS to lock users who have failed to log in too many times.
Linux provides the PAM module pam_tally2.so, which limits the number of failed logins for a user and locks the user once the count reaches a set threshold.
Edit the PAM configuration file
# vim /etc/pam.d/login
#%PAM-1.0
auth required pam_tally2.so deny=3 unlock_time=300 even_deny_root root_unlock_time=10
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session optional pam_keyinit.so force revoke
session required pam_loginuid.so
session include system-auth
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
Explanation of each parameter
even_deny_root: also applies the limit to the root user;
deny: sets the maximum number of consecutive failed logins for ordinary users and root; once it is exceeded, the user is locked;
unlock_time: sets how long an ordinary user stays locked before being unlocked, in seconds;
root_unlock_time: sets how long the root user stays locked before being unlocked, in seconds.
The pam_tally2 module is used here; the pam_tally module can be used if pam_tally2 is not supported. Different versions of PAM may also have different settings. For specific usage, refer to the documentation of the relevant module.
Add the line as the second line of the file, directly under #%PAM-1.0. It must come first: PAM evaluates the auth rules in order, so if the line is written further down, the user is locked but can still log in by entering the correct password!
The final effect is as follows
This only restricts logins from a tty, not remote logins. To restrict remote logins as well, you need to change the sshd file.
# vim /etc/pam.d/sshd
#%PAM-1.0
auth required pam_tally2.so deny=3 unlock_time=300 even_deny_root root_unlock_time=10
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
Here, too, the line is added as line 2!
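An added example, not part of the original article: a small Python check that a PAM service file places the pam_tally2.so auth line before the rule that checks the password, which is the placement rule described above. The sample files and the function names are constructed for illustration.

```python
import re

# Constructed sample files for illustration (not taken from a real host).
GOOD = """#%PAM-1.0
auth required pam_tally2.so deny=3 unlock_time=300 even_deny_root root_unlock_time=10
auth include system-auth
account required pam_nologin.so
"""
BAD = """#%PAM-1.0
auth include system-auth
auth required pam_tally2.so deny=3 unlock_time=300
account required pam_nologin.so
"""

def parse_auth_rules(text):
    """Return (control, module, args) for every auth rule, in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and #%PAM-1.0
        # The control field is one word or a [key=value ...] bracket group.
        m = re.match(r"-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m:
            rules.append((m.group(1), m.group(2), m.group(3).split()))
    return rules

def audit(text):
    """Return a list of findings; an empty list means the file passes."""
    rules = parse_auth_rules(text)
    tally = [i for i, r in enumerate(rules) if r[1].endswith("pam_tally2.so")]
    if not tally:
        return ["no pam_tally2.so auth rule"]
    findings = []
    # Rules that can accept the password: pam_unix.so or an included stack.
    accept = [i for i, r in enumerate(rules)
              if r[0] in ("include", "substack") or r[1].endswith("pam_unix.so")]
    if accept and tally[0] > accept[0]:
        findings.append("pam_tally2.so comes after the password check")
    opts = dict(a.partition("=")[::2] for a in rules[tally[0]][2])
    if not opts.get("deny", "").isdigit():
        findings.append("deny=N is not set")
    if "unlock_time" not in opts:
        findings.append("unlock_time is not set (lock stays until pam_tally2 -r)")
    return findings

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(sample) or "ok")
```

To check a real host, pass the contents of /etc/pam.d/login or /etc/pam.d/sshd to audit().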
Check the number of user login failures
[root@node100 pam.d]# pam_tally2 --user redhat
Login           Failures Latest failure     From
redhat              7    07/16/12 15:18:22  tty1
Unlock the specified user
[root@node100 pam.d]# pam_tally2 -r -u redhat
Login           Failures Latest failure     From
redhat              7    07/16/12 15:18:22  tty1
With remote SSH there is no prompt. I use Xshell, and I do not know whether other terminals show a prompt. Once the set value is exceeded, entering the correct password does not let you log in either!