2025-02-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains how to lock Linux users automatically after they fail to log in N times in a row. Most people are not very familiar with this, so it is shared here for reference.
pam_tally
1. To restrict all users for all login methods, add these 2 lines to /etc/pam.d/system-auth:
auth required pam_tally.so onerr=fail no_magic_root
account required pam_tally.so deny=3 no_magic_root even_deny_root_account per_user reset
After testing, it seems that the above two lines do not lock the user; they only record the number of failed logins, which can be viewed with faillog -u username.
After changing the configuration to the pam_tally2 lines below, the account is locked. However, the number of failed logins can no longer be checked with faillog; it can only be viewed with pam_tally2 -u username. To unlock manually, run pam_tally2 -u username --reset; faillog -r cannot unlock the account.
auth required pam_tally2.so onerr=fail deny=2 no_magic_root
# account required pam_tally2.so deny=2 no_magic_root
1 deny sets the maximum number of consecutive failed logins for ordinary users and the root user. Once this number is exceeded, the user is locked out.
2 no_magic_root means that the root user is also restricted and is not given special treatment.
3 For the detailed meaning of the parameters, see /usr/share/doc/pam-xxxx/txts/README.pam_tally
If you do not want to restrict the root user, remove even_deny_root_account.
2. Restrict different login methods for different services:
To restrict only logins on the local text terminal, edit the following file and add the same content as above.
vi /etc/pam.d/login
To restrict only the graphical login interface, edit the following file and add the same content as above.
vi /etc/pam.d/kde
To restrict only remote telnet and ssh logins, edit the following files and add the same content as above.
vi /etc/pam.d/remote
vi /etc/pam.d/sshd
3. Unlock manually:
Check the number of failed logins for a user:
pam_tally --user username
For example, check the number of failed logins for the user work:
pam_tally --user work
Clear the number of failed logins for a user:
pam_tally --user username --reset
For example, clear the number of failed logins for the user work:
pam_tally --user work --reset
The faillog -r command can also be used.
4. pam_tally has no automatic unlock function.
Because pam_tally cannot unlock accounts automatically, take care when setting limits. If every login method is restricted and the root user gets locked, the only way to unlock is through single-user mode. You can also add a crontab task to unlock accounts automatically at regular intervals, but note that if pam_tally is added to the /etc/pam.d/system-auth file, the crontab task stops working when root is locked, so it is best not to add pam_tally to the system-auth file.
5. Add a crontab task
As the root user, run crontab -e and add the following line:
*/1 * * * * /usr/bin/faillog -r
This means that every minute the failed login count of all users is cleared and all users are unlocked.
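An added example (not from the original article): a small Python check that reads the text of a PAM file, extracts the active pam_tally / pam_tally2 lines, and flags the situation section 4 warns about, where root can be locked by a rule placed in system-auth. The function names and the sample file content are assumptions constructed for illustration.

```python
import os
import re

# Constructed sample: the article's pam_tally lines as they would sit in a PAM file.
SAMPLE = """\
#%PAM-1.0
auth     required  pam_env.so
auth     required  pam_tally.so onerr=fail no_magic_root
account  required  pam_tally.so deny=3 no_magic_root even_deny_root_account per_user reset
# account required pam_tally2.so deny=2 no_magic_root
"""

TALLY_MODULE = re.compile(r"^(?:.*/)?(pam_tally2?)\.so$")


def parse_tally_lines(text):
    """Return one dict per active (uncommented) pam_tally/pam_tally2 line."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        for i, token in enumerate(fields[1:], start=1):
            match = TALLY_MODULE.match(token)
            if not match:
                continue
            # "deny=3" -> {"deny": "3"}; bare flags map to an empty string
            opts = dict(arg.partition("=")[::2] for arg in fields[i + 1:])
            entries.append({"type": fields[0].lstrip("-"),
                            "module": match.group(1), "opts": opts})
            break
    return entries


def audit(path, text):
    """Summarise the lockout policy in one PAM file (hypothetical helper)."""
    entries = parse_tally_lines(text)
    denies = [int(e["opts"]["deny"]) for e in entries
              if e["opts"].get("deny", "").isdigit()]
    root_lockable = any("even_deny_root_account" in e["opts"] for e in entries)
    all_services = os.path.basename(path) == "system-auth"
    return {
        "modules": sorted({e["module"] for e in entries}),
        "deny": min(denies) if denies else None,
        "root_lockable": root_lockable,
        "all_services": all_services,
        # root lockable in system-auth: the cron unlock job stops working too
        "recovery_risk": root_lockable and all_services,
    }


if __name__ == "__main__":
    print(audit("/etc/pam.d/system-auth", SAMPLE))
    print(audit("/etc/pam.d/sshd", SAMPLE))
```

To check a real file, read it and pass its path and contents to audit().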