Shulou(Shulou.com)06/02 Report--

Preface

For a user on linux, if the user fails to log in three times in a row, the user is locked out, and the user is automatically unlocked a few minutes later. Linux has a PAM module of pam_tally2.so to limit the number of login failures for a user, and lock the user if the number of times reaches a set threshold.

Introduction to the configuration file of PAM

The PAM configuration file can be written in two ways:

One is to write it in the / etc/pam.conf file, but in the system after centos6, this file is gone.

Another way to write it is to put the PAM configuration file in the / etc/pam.d/ directory, and its rule content does not contain the service section, that is, does not contain the service name, and the name of the file in the / etc/pam.d directory is the service name. For example, vsftpd,login, etc., but the leftmost service list is missing. Such as: / etc/pam.d/sshd

The configuration file can be divided into four columns from the figure above

The first column represents the module type, the second column represents the control tag, the third column represents the module path, and the fourth column represents the module parameters.

1. Restrict remote login of users

Under #% PAM-1.0, the second line, add content, be sure to write in front, if written in the back, although the user is locked, but as long as the user enters the correct password, you can still log in!

# vim / etc/pam.d/sshd#%PAM-1.0auth required pam_tally2.so deny=3 unlock_time=300 even_deny_root root_unlock_time=10

Interpretation of each parameter

Even_deny_root also limits root users; deny sets the maximum number of consecutive error logins for ordinary users and root users, which exceeds the maximum number of times, then locks the user unlock_time sets the time after ordinary users lock, in seconds; root_unlock_time sets the time after root users lock, how long after unlocking, in seconds

The pam_tally2 module is used here, and the pam_tally module can be used if pam_tally2 is not supported. In addition, different versions of pam may have different settings. For specific usage, you can refer to the rules for the use of relevant modules.

2. Restrict users from logging in from tty

Under #% PAM-1.0, the second line, add content, be sure to write in front, if written in the back, although the user is locked, but as long as the user enters the correct password, you can still log in!

# vim / etc/pam.d/login#%PAM-1.0auth required pam_tally2.so deny=3 lock_time=300 even_deny_root root_unlock_time=10

It is also added in line 2!

3. Check the number of user login failures

# cd / etc/pam.d/ [root@node100 pam.d] # pam_tally2-- user rootLogin Failures Latest failure Fromroot 7 07 _ 16 _ 15:18:22 tty1

4. Unlock the specified user

[root@node100 pam.d] # pam_tally2-r-u rootLogin Failures Latest failure From

Summary

The above is the whole content of this article, I hope that the content of this article has a certain reference and learning value for your study or work, if you have any questions, you can leave a message and exchange, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.