When a Linux user enters an incorrect login password N consecutive times, the account is automatically locked for X minutes

Source: Internet
Author: User


1. Lock a user for X minutes after N consecutive failed logins on the character terminal (pam_tally2)

Run vim /etc/pam.d/login and, on a new line directly under #%PAM-1.0 (the top of the auth stack), add:

auth required pam_tally2.so deny=3 unlock_time=5 even_deny_root root_unlock_time=10

If you do not want to restrict the root user, leave out even_deny_root and root_unlock_time:

auth required pam_tally2.so deny=3 unlock_time=5

even_deny_root extends the restriction to the root user. deny sets the maximum number of consecutive failed logins for normal users and root; once it is exceeded the user is locked. unlock_time is the number of seconds after which a normal user is unlocked again; root_unlock_time is the number of seconds after which root is unlocked again. Both values are seconds, not minutes: unlock_time=5 as written above unlocks after 5 seconds, so a 5 minute lockout is unlock_time=300 and a 10 minute root lockout is root_unlock_time=600.

Note:
1. The pam_tally2 module is used here. If your PAM does not ship pam_tally2, the older pam_tally module can be used instead (see section 2). Different PAM versions accept different options; check the module's manual page (man pam_tally2, man pam_tally) for the exact usage.

2. You can also add the same line to the system-auth file instead; after that change it takes effect for every service that includes system-auth. Because pam_tally2 has an automatic unlock time, restricting every login method does not put you in the embarrassing situation of never being able to log in again.

3. Use pam_tally2 -u username to view a user's failure count and pam_tally2 -r -u username to clear it manually.
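The following is an added example written for this article, not code from the original post. It generates the pam_tally2 line with the unlock times converted from minutes to the seconds PAM expects, inserts it under #%PAM-1.0 without stacking duplicates on a second run, and audits a pam.d file for the effective policy of either pam_tally2 or pam_tally (the module of section 2), flagging the two traps the text describes: an unlock time written in minutes, and pam_tally denying root from system-auth with no timed unlock. It assumes the standard pam.d line syntax `type control module [options]` and that a control field is either one token or a bracketed group; the sample file contents are constructed.

```python
"""Generate, insert and audit pam_tally2 / pam_tally lockout lines in a pam.d file.

Added example for this article, not code from the original post. It assumes the
standard pam.d line syntax `type control module [options]` with a single-token
or [bracketed] control field, and that option values are integers or flags.
"""
import re

PAM_HEADER = "#%PAM-1.0"
PAM_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
TALLY_MODULES = ("pam_tally2.so", "pam_tally.so")


def tally2_line(deny, unlock_minutes, root_unlock_minutes=None, control="required"):
    """Build the pam_tally2 auth line. unlock_time and root_unlock_time are read by
    PAM in SECONDS, so the minutes asked for here are converted; passing
    root_unlock_minutes=None leaves root unrestricted (no even_deny_root)."""
    opts = ["deny=%d" % deny, "unlock_time=%d" % (unlock_minutes * 60)]
    if root_unlock_minutes is not None:
        opts += ["even_deny_root", "root_unlock_time=%d" % (root_unlock_minutes * 60)]
    return "auth %s pam_tally2.so %s" % (control, " ".join(opts))


def insert_after_header(pam_text, line):
    """Insert `line` directly under #%PAM-1.0 (top of the stack), or at the top if
    the header is missing. Idempotent: a file that already carries a pam_tally2
    auth line is returned unchanged, so rerunning a hardening script never stacks
    duplicate lines."""
    lines = pam_text.splitlines()
    if any(re.match(r"\s*auth\s+\S+\s+pam_tally2\.so", ln) for ln in lines):
        return pam_text
    pos = 1 if lines and lines[0].strip() == PAM_HEADER else 0
    lines.insert(pos, line)
    return "\n".join(lines) + "\n"


def _options(text):
    """Turn 'deny=3 even_deny_root' into {'deny': 3, 'even_deny_root': True}."""
    opts = {}
    for tok in text.split():
        key, _, val = tok.partition("=")
        opts[key] = int(val) if val.isdigit() else (val or True)
    return opts


def lockout_policy(pam_text):
    """Summarise the effective lockout policy of a pam.d file, or None if it has no
    tally module. Times are reported in seconds, exactly as PAM interprets them."""
    module, opts = None, {}
    for raw in pam_text.splitlines():
        m = PAM_LINE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        ptype, _control, mod, rest = m.groups()
        if mod in TALLY_MODULES and ptype in ("auth", "account"):
            module = mod[:-3]
            opts.update(_options(rest))  # auth and account options are merged
    if module is None:
        return None
    if module == "pam_tally2":
        root_denied = "even_deny_root" in opts
        unlock = opts.get("unlock_time")
        root_unlock = opts.get("root_unlock_time", unlock) if root_denied else None
    else:  # pam_tally has no timed unlock at all: only a manual reset clears it
        root_denied = "even_deny_root_account" in opts
        unlock, root_unlock = None, None
    return {"module": module, "deny": opts.get("deny"), "unlock_seconds": unlock,
            "root_denied": root_denied, "root_unlock_seconds": root_unlock,
            "auto_unlock": unlock is not None}


def lockout_warnings(policy, service):
    """Flag the two traps the article warns about: an unlock time that was written
    in minutes instead of seconds, and pam_tally denying root from system-auth,
    where a locked root can only be cleared from single-user mode."""
    if policy is None:
        return ["no pam_tally2/pam_tally line found"]
    warnings = []
    if policy["auto_unlock"] and policy["unlock_seconds"] < 60:
        warnings.append("unlock_time=%d is seconds, not minutes" % policy["unlock_seconds"])
    if not policy["auto_unlock"] and policy["root_denied"] and service == "system-auth":
        warnings.append("pam_tally denies root from system-auth with no auto-unlock: "
                        "a locked root cannot be reset by cron or a remote login")
    return warnings


if __name__ == "__main__":
    # Constructed sample of /etc/pam.d/login; not captured from a real host.
    sample = "#%PAM-1.0\nauth required pam_securetty.so\nauth include system-auth\n"
    hardened = insert_after_header(sample, tally2_line(3, 5, root_unlock_minutes=10))
    print(hardened)
    policy = lockout_policy(hardened)
    print(policy, lockout_warnings(policy, "login"))
```

Run it against a copy of the real file (cat /etc/pam.d/login | python3 this_script.py with a small wrapper, or import it) before touching /etc/pam.d; the audit reads the merged auth and account options, so the pam_tally two-line form from section 2 is recognised as well.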

2. Lock a user after N consecutive failed logins (pam_tally; no timed unlock, see point 4 below)
1. To restrict all users on all login methods, add the following two lines to /etc/pam.d/system-auth.

auth required pam_tally.so onerr=fail
account required pam_tally.so deny=3 no_magic_root even_deny_root_account per_user reset

deny sets the maximum number of consecutive failed logins for normal users and root; once it is exceeded the user is locked. onerr=fail denies the login if the module cannot read or write its tally file. no_magic_root removes root's exemption, so root's failures are counted like everyone else's and root gets no special treatment; even_deny_root_account additionally allows the root account itself to be denied. per_user honours a per-user maximum stored in the faillog record (set with faillog -m) instead of deny=3 when one exists, and reset clears the counter after a successful login. For details about the parameter meanings, see /usr/share/doc/pam-xxxx/txts/README.pam_tally. If you do not want to restrict the root user, remove even_deny_root_account.

2. Restrict different login methods for different services

# To restrict only local text terminals, edit the following file and add the same two lines as above:
vim /etc/pam.d/login
# To restrict only remote telnet and ssh logins, edit the following files and add the same two lines as above:
vim /etc/pam.d/remote
vim /etc/pam.d/sshd

3. Manually unlock:

# View a user's failed login count:
pam_tally --user username
# For example, view the failed login count of the work user:
pam_tally --user work
# Clear a user's failed login count:
pam_tally --user username --reset
# For example, clear the failed login count of the work user:
pam_tally --user work --reset
# faillog -r is also supported for resetting the counters.

4. pam_tally does not support automatic unlocking.

Because pam_tally has no automatic unlock, set the limit with care. If the restriction applies to every login method and the root user gets locked, it can only be unlocked from single-user mode. You can add a crontab task that periodically resets the counters as a substitute for timed unlocking. Note, however, that if pam_tally is added to /etc/pam.d/system-auth, crond also runs root's jobs through that account check (via /etc/pam.d/crond), so once root is locked the crontab task no longer runs either. It is therefore recommended not to add pam_tally to system-auth but to the per-service files (login, remote, sshd) instead.
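The crontab-driven unlock described above, as an added example written for this article and not code from the original post. It reads the `faillog -a` listing, picks out the users whose tally has reached the deny limit and whose most recent failure is older than the chosen window, and issues the article's pam_tally --user ... --reset for each of them, so pam_tally gains the unlock_time behaviour that only pam_tally2 has natively. It assumes the column layout and "%m/%d/%y %H:%M:%S %z" timestamps printed by shadow-utils faillog (verify with faillog -a on the host); the sample listing, the crontab line and the install path are constructed suggestions.

```python
"""Timed unlock for pam_tally, which has no unlock_time of its own: run from cron,
reset the tally of every user whose lockout is older than the chosen window.

Added example for this article, not code from the original post. It assumes the
column layout printed by shadow-utils `faillog -a` (Login, Failures, Maximum,
Latest, On) with "%m/%d/%y %H:%M:%S %z" timestamps; verify against `faillog -a`
on the host before deploying. The crontab line and install path are suggestions.
"""
import subprocess
from datetime import datetime, timedelta, timezone

# Constructed sample of `faillog -a` output; not captured from a real host.
SAMPLE_FAILLOG = """\
Login       Failures Maximum Latest                   On
root            0        0   12/31/69 19:00:00 -0500
work            4        0   03/04/19 10:02:11 +0000  tty1
alice           1        0   03/04/19 10:30:00 +0000  pts/0
bob             5        0   03/04/19 10:45:00 +0000  ssh
"""


def utc(year, month, day, hour, minute):
    """Aware UTC timestamp, handy for deterministic runs against the sample."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def parse_faillog(text):
    """Yield (user, failures, latest) per record; the header and blank lines are
    skipped because they have too few fields or a non-numeric second field."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[1].isdigit():
            continue
        latest = datetime.strptime(" ".join(parts[3:6]), "%m/%d/%y %H:%M:%S %z")
        yield parts[0], int(parts[1]), latest


def users_to_unlock(text, deny, unlock_minutes, now):
    """Users whose tally reached `deny` and whose latest failure is at least
    `unlock_minutes` old: the pam_tally stand-in for pam_tally2's unlock_time.
    Users still inside the window stay locked, and counts below `deny` are left
    alone so a single typo is not forgiven early."""
    window = timedelta(minutes=unlock_minutes)
    return [user for user, failures, latest in parse_faillog(text)
            if failures >= deny and now - latest >= window]


def reset_commands(users):
    """The article's manual reset, one command per user, ready for subprocess."""
    return [["pam_tally", "--user", user, "--reset"] for user in users]


if __name__ == "__main__":
    # Suggested crontab entry (runs as root every five minutes):
    #   */5 * * * * root /usr/local/sbin/tally_unlock.py
    # Keep pam_tally out of system-auth: crond's own PAM account check would
    # otherwise fail once root is locked and this job would never run.
    output = subprocess.run(["faillog", "-a"], check=True,
                            capture_output=True, text=True).stdout
    due = users_to_unlock(output, deny=3, unlock_minutes=5,
                          now=datetime.now(timezone.utc))
    for cmd in reset_commands(due):
        subprocess.run(cmd, check=True)
```

Resetting only the users past the window, rather than running faillog -r for everyone, keeps the lockout meaningful for an attacker who is still hammering an account: their latest failure is always recent, so their tally is never cleared.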
