CentOS ships a PAM module, pam_tally2.so, that limits the number of failed user logins; once the failure count reaches the configured threshold, the user is locked out.
Editing the PAM configuration file
# vim /etc/pam.d/login
#%PAM-1.0
auth       required     pam_tally2.so deny=3 unlock_time=N even_deny_root root_unlock_time=10
auth       [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth

account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    optional     pam_keyinit.so force revoke
session    required     pam_loginuid.so
session    include      system-auth
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
(The unlock_time value is illegible in the original and is shown here as N; it is a number of seconds.)
Explanation of each parameter
even_deny_root: the limit also applies to the root user.
deny: the maximum number of consecutive failed logins (for regular users and, with even_deny_root, for root) before the account is locked.
unlock_time: the number of seconds after which a locked regular user is unlocked.
root_unlock_time: the number of seconds after which a locked root user is unlocked.
The module used here is pam_tally2; if your system does not support pam_tally2, the pam_tally module can be used instead. The available settings may also differ between PAM versions, so check the documentation of the module you are using.
The pam_tally2 line is added directly under #%PAM-1.0, that is, as the second line. It must come before the other auth rules: if it is placed after them, the failure counter still locks the user, but a correct password still logs the user in, because system-auth marks pam_unix.so as sufficient and a correct password ends the auth stack before pam_tally2 is ever consulted.
The final effect is shown in a screenshot in the original post, which is not reproduced here.
This only restricts console (TTY) logins; it does not restrict remote (SSH) logins. To restrict those as well, edit the sshd PAM file:
# vim /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_tally2.so deny=3 unlock_time=N even_deny_root root_unlock_time=10

auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
(As above, the unlock_time value is illegible in the original and is shown as N.)
Again, the line is added as the second line!
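Because the ordering rule above is easy to get wrong and the mistake is silent (the user is "locked" yet still logs in), an audit check is useful. The following POSIX shell helper is an added example, not code from the original post: it reports whether pam_tally2.so is the first auth rule in a pam.d file. The two sample files it writes are constructed for the demonstration; the parameter values in them (unlock_time=5 and so on) are placeholders, not values taken from the post.

```shell
#!/bin/sh
# Added audit helper (not from the original post): confirms that pam_tally2.so is
# the first "auth" rule in a pam.d file, the ordering the post insists on.
# Exit status: 0 = first auth rule, 1 = present but placed later, 2 = absent.

check_tally_order() {
    file="$1"
    # Drop comments and blank lines, then take the first remaining "auth" rule.
    first_auth=$(grep -Ev '^[[:space:]]*(#|$)' "$file" | awk '$1 == "auth" { print; exit }')
    if ! grep -Eq '^[[:space:]]*auth[[:space:]].*pam_tally2\.so' "$file"; then
        echo "$file: no pam_tally2.so auth rule found"
        return 2
    fi
    case "$first_auth" in
        *pam_tally2.so*)
            echo "$file: pam_tally2.so is the first auth rule (OK)"
            return 0 ;;
        *)
            echo "$file: pam_tally2.so comes after '$first_auth'; a correct password bypasses it"
            return 1 ;;
    esac
}

# Writes two constructed sample files into DIR: "good" (tally rule first) and
# "bad" (tally rule after system-auth, the mistake the post warns about).
# The numeric values are placeholders chosen for the demo.
write_samples() {
    dir="$1"
    cat > "$dir/good" <<'EOF'
#%PAM-1.0
auth       required     pam_tally2.so deny=3 unlock_time=5 even_deny_root root_unlock_time=10
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
EOF
    cat > "$dir/bad" <<'EOF'
#%PAM-1.0
auth       include      system-auth
auth       required     pam_tally2.so deny=3 unlock_time=5 even_deny_root root_unlock_time=10
account    include      system-auth
EOF
}

# Stand-alone demonstration on the constructed samples.
# On a real host: check_tally_order /etc/pam.d/login; check_tally_order /etc/pam.d/sshd
dir=$(mktemp -d)
write_samples "$dir"
check_tally_order "$dir/good"
check_tally_order "$dir/bad" || echo "exit status $? as expected"
rm -rf "$dir"
```

Run it against both /etc/pam.d/login and /etc/pam.d/sshd after editing; a non-zero exit status means the lockout can be bypassed with a correct password.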
To view the number of failed logins for a user
# pam_tally2 --user redhat
Login           Failures Latest failure     From
redhat              7    (date, time and origin are illegible in the original)
To unlock a specified user (the command prints the current tally and then resets it)
# pam_tally2 -r -u redhat
Login           Failures Latest failure     From
redhat              7    (date, time and origin are illegible in the original)
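Checking one user at a time does not scale; run without arguments, pam_tally2 prints the same table for every account with a non-zero tally. The helper below is an added example, not code from the original post: it reads that table and lists the accounts whose failure count has reached the deny threshold, then emits the matching reset commands for review. The table embedded in it is constructed sample output, not a real capture.

```shell
#!/bin/sh
# Added example (not from the original post): reads the table that `pam_tally2`
# prints for all users and reports the accounts whose failure count has reached
# the deny threshold, i.e. the accounts that are currently locked out.

# Constructed sample output in the format pam_tally2 prints; not a real capture.
SAMPLE_TALLY='Login           Failures Latest failure     From
redhat              7    07/22/14 10:15:32  192.0.2.10
alice               1    07/22/14 09:01:11  tty1
bob                 3    07/22/14 11:40:05  192.0.2.25'

# Usage: pam_tally2 | locked_users DENY
# Prints "user failures" for every account with Failures >= DENY (header skipped).
locked_users() {
    deny="$1"
    awk -v deny="$deny" 'NR > 1 && $2 >= deny { print $1, $2 }'
}

# Usage: pam_tally2 | unlock_commands DENY
# Prints, without running, the reset command the post uses for each locked account.
unlock_commands() {
    locked_users "$1" | awk '{ print "pam_tally2 -r -u " $1 }'
}

# Stand-alone demonstration on the constructed table with deny=3.
# On a real host replace the printf with: pam_tally2 | locked_users 3
printf '%s\n' "$SAMPLE_TALLY" | locked_users 3
printf '%s\n' "$SAMPLE_TALLY" | unlock_commands 3
```

The reset commands are printed rather than executed so that an administrator can confirm which lockouts are expected (an attacker guessing passwords) and which are a user who mistyped, before clearing any counter.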
When logging in remotely over SSH there is no prompt about the lockout (I use Xshell; I do not know whether other terminals show one). Once the count exceeds the configured value, entering the correct password will not log you in!
CentOS: limiting the number of remote password attempts