Restrict SSH logon times under CentOS

Source: Internet
Author: User

To meet the company's internal security-rating requirements, system hardening is being tightened step by step.

Target policy: the session must end automatically after three failed authentication attempts, and a network logon that stays idle for five minutes must time out and be disconnected automatically.

Method 1 (verified).

1. Set the ssh idle timeout. In /etc/profile.d/ create two empty files, autologout.csh and autologout.sh, to hold the TMOUT configuration:

   # cd /etc/profile.d/
   # touch autologout.csh
   # touch autologout.sh
   # vi autologout.sh        # edit autologout.sh

   Contents of autologout.sh:

     # Auto logout in 5 minutes
     TMOUT=300          # timeout, in seconds
     readonly TMOUT     # make the TMOUT variable read-only
     export TMOUT       # export TMOUT to the environment

   # vi autologout.csh       # edit autologout.csh

   Contents of autologout.csh:

     set -r autologout=2    # tcsh autologout, made read-only; the value is in minutes

   # chmod +x autologout.*   # grant execute permission; in fact u+x alone is sufficient.

   Disconnect the client and log on again: once the terminal has been idle (no ssh activity) for 5 minutes, the connection is dropped automatically.

2. Limit the number of ssh authentication attempts:

   /etc/ssh/sshd_config

   MaxAuthTries 3      # the connection is dropped after three failed authentication attempts


Method 2 (problems still occurred when tested).

Principle: implemented through the system's PAM authentication.

1. Back up /etc/pam.d/system-auth, then edit it:

 
 
  #%PAM-1.0
  # This file is auto-generated.
  # User changes will be destroyed the next time authconfig is run.
  auth        required      pam_env.so
  auth        required      pam_unix.so nullok try_first_pass        <-- changed from sufficient to required
  #auth       requisite     pam_succeed_if.so uid >= 500 quiet       <-- commented out
  auth        required      pam_tally.so deny=3 unlock_time=300      <-- added: after more than 3 failures, logon is possible again only after 5 minutes
  #auth       required      pam_deny.so                              <-- commented out
  account     required      pam_unix.so
  account     sufficient    pam_succeed_if.so uid < 500 quiet
  account     required      pam_permit.so
  account     required      pam_tally2.so                            <-- added
  password    requisite     pam_cracklib.so try_first_pass retry=3
  password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
  password    required      pam_deny.so
  session     optional      pam_keyinit.so revoke
  session     required      pam_limits.so
  session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
  session     required      pam_unix.so

2. Use a test account (sshtest) to attempt logons with wrong passwords, then check the records with tail /var/log/secure | grep sshtest:

Feb 22 15:21:11 SN524 sshd[4900]: Failed password for sshtest from 192.168.40.130 port 53995 ssh2
Feb 22 15:21:17 SN524 sshd[4900]: pam_tally(sshd:auth): user sshtest (503) tally 7, deny 3
Feb 22 07:21:19 SN524 sshd[4903]: Disconnecting: Too many authentication failures for sshtest
Feb 22 15:21:19 SN524 sshd[4900]: Failed password for sshtest from 192.168.40.130 port 53995 ssh2
Feb 22 15:22:05 SN524 sshd[4906]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.40.130 user=sshtest

The account is now locked and cannot log on; wait 5 minutes before logging on again.

3. Restrict the SSH session expiry time:

/Etc/ssh/sshd_config

ClientAliveInterval 60
ClientAliveCountMax 60
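As an added check covering the three controls above (example code written here, not from the original post or any project), the script below reads the effective values from an sshd_config, a profile.d script and a PAM file, and reports whether they meet the post's targets, including the mix of pam_tally and pam_tally2 that the post's system-auth contains. It assumes only POSIX sh plus awk, and builds its own sample copies (with the post's values) instead of reading the live /etc tree.

```shell
# Added audit helper, not code from the original post: reads the three controls
# configured above and checks them against the post's targets. Paths are
# parameters so it runs against constructed copies rather than the live /etc.
sshd_value() {    # $1=sshd_config  $2=keyword (case-insensitive)
    # sshd uses the FIRST uncommented match, so a hardening line placed below
    # an earlier setting is ignored; "Key value" and "Key = value" both accepted.
    awk -v k="$2" '
        { l = $0; sub(/^[ \t]+/, "", l); if (l ~ /^#/ || l == "") next
          gsub(/[ \t]*=[ \t]*/, " ", l); split(l, f, /[ \t]+/)
          if (tolower(f[1]) == tolower(k) && v == "") v = f[2] }
        END { print v }' "$1"
}

tmout_value() {   # $1=profile.d script; idle seconds before the shell exits (0 = unset)
    awk -F= '/^[ \t]*(export[ \t]+)?TMOUT=/ { v = $2 + 0 } END { print v + 0 }' "$1"
}

client_alive_window() {   # $1=sshd_config; seconds an unresponsive client survives
    # This drops dead connections, not idle users; idle logout is TMOUT's job.
    iv=$(sshd_value "$1" ClientAliveInterval); cm=$(sshd_value "$1" ClientAliveCountMax)
    echo $(( ${iv:-0} * ${cm:-3} ))   # OpenSSH defaults: interval 0 (off), count 3
}

pam_tally_modules() {   # $1=pam file; prints "<auth module> <account module>"
    # pam_tally and pam_tally2 keep separate counters, so mixing them (as the
    # post's file does) means the account phase never resets the auth-phase count.
    awk '/^[ \t]*#/ { next }
         $1 == "auth"    && $3 ~ /pam_tally2?\.so/ { a = $3 }
         $1 == "account" && $3 ~ /pam_tally2?\.so/ { c = $3 }
         END { print a, c }' "$1"
}

audit_ssh_hardening() {   # $1=sshd_config $2=profile.d script $3=pam file; 0 = all met
    rc=0
    tries=$(sshd_value "$1" MaxAuthTries)
    [ -n "$tries" ] && [ "$tries" -le 3 ] || { echo "MaxAuthTries=${tries:-unset}, want <= 3"; rc=1; }
    t=$(tmout_value "$2")
    [ "$t" -gt 0 ] && [ "$t" -le 300 ] || { echo "TMOUT=$t, want 1..300"; rc=1; }
    set -- $(pam_tally_modules "$3")
    [ -n "$1" ] && [ "$1" = "$2" ] || { echo "tally: auth=${1:-none} account=${2:-none}, want one module"; rc=1; }
    return $rc
}

make_samples() {   # $1=directory; constructed copies carrying the post's values
    printf 'Port 22\nMaxAuthTries = 3\nClientAliveInterval 60\nClientAliveCountMax 60\n' > "$1/sshd_config"
    printf '# Auto logout in 5 minutes\nTMOUT=300 # seconds\nreadonly TMOUT\nexport TMOUT\n' > "$1/autologout.sh"
    printf 'auth    required pam_unix.so nullok try_first_pass\nauth    required pam_tally.so deny=3 unlock_time=300\naccount required pam_unix.so\naccount required pam_tally2.so\n' > "$1/system-auth"
}
```

Run `d=$(mktemp -d); make_samples "$d"; audit_ssh_hardening "$d/sshd_config" "$d/autologout.sh" "$d/system-auth"` to see the tally mismatch reported; note that with the post's values client_alive_window reports 3600 seconds, which is a dead-connection window of one hour rather than a five-minute idle limit.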

This article is from the "E people space" blog; please keep this source: http://iceeggplant.blog.51cto.com/1446843/786778
