Shulou(Shulou.com)05/31 Report--

This article mainly introduces how to achieve user login failure N times under Centos7 user login prohibited after the relevant knowledge, the content is detailed and easy to understand, simple and fast operation, has a certain reference value, I believe that you read this Centos7 how to achieve user login failure N times after locking user login prohibited article will have a harvest, let's take a look at it.

Preface

For a user on linux, if the user fails to log in three times in a row, the user is locked out, and the user is automatically unlocked a few minutes later. Linux has a pam module of pam_tally2.so to limit the number of login failures for a user, and lock the user if the number of times reaches a set threshold.

Introduction to the configuration file of pam

The pam configuration file can be written in two ways:

One is to write it in the / etc/pam.conf file, but in the system after centos6, this file is gone.

Another way to write it is to put the pam configuration file in the / etc/pam.d/ directory, and its rule content does not contain the service section, that is, does not contain the service name, and the name of the file in the / etc/pam.d directory is the service name. For example, vsftpd,login, etc., but the leftmost service list is missing. Such as: / etc/pam.d/sshd

The configuration file can be divided into four columns from the figure above

The first column represents the module type

The second column represents the control flag

The third column represents the module path

The fourth column represents the module parameters

1. Restrict remote login of users

Under #% pam-1.0, the second line, add content, be sure to write in front, if written in the back, although the user is locked, but as long as the user enters the correct password, you can still log in!

# vim / etc/pam.d/sshd#%pam-1.0auth required pam_tally2.so deny=3 unlock_time=300 even_deny_root root_unlock_time=10

Interpretation of each parameter

Even_deny_root also restricts root users

Deny sets the maximum number of consecutive error logins for ordinary users and root users. If the maximum number of times is exceeded, the user is locked out.

After unlock_time sets the lock for an ordinary user, how long will it take to unlock it (in seconds)

After root_unlock_time sets the root user lock, how long it takes to unlock it (in seconds)

The pam_tally2 module is used here, and the pam_tally module can be used if pam_tally2 is not supported. In addition, different versions of pam may have different settings. For specific usage, you can refer to the rules for the use of relevant modules.

2. Restrict users from logging in from tty

Under #% pam-1.0, the second line, add content, be sure to write in front, if written in the back, although the user is locked, but as long as the user enters the correct password, you can still log in!

# vim / etc/pam.d/login#%pam-1.0auth required pam_tally2.so deny=3 lock_time=300 even_deny_root root_unlock_time=10

It is also added in line 2!

3. Check the number of user login failures

# cd / etc/pam.d/ [root@node100 pam.d] # pam_tally2-- user rootlogin failures latest failure fromroot 7 07 _ 16 _ 15:18:22 tty1

4. Unlock the specified user

[root@node100 pam.d] # pam_tally2-r-u rootlogin failures latest failure from on "how to lock users and disable login after N login failures in Centos7" is the end of this article. Thank you for reading! I believe that everyone has a certain understanding of the knowledge of "how to achieve user login failure N times after user login failure" knowledge, if you still want to learn more knowledge, welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.