CentOS: use PAM to lock users after repeated failed logins (tutorial)

Source: Internet
Author: User
Tags auth centos

Linux provides the pam_tally2.so PAM module, which counts a user's failed logins and locks the account once the count reaches the configured threshold.

Editing the PAM configuration file

# vim /etc/pam.d/login

#%PAM-1.0
auth       required     pam_tally2.so deny=3 unlock_time=300 even_deny_root root_unlock_time=10
auth       [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    optional     pam_keyinit.so force revoke
session    required     pam_loginuid.so
session    include      system-auth
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open

Explanation of the parameters

even_deny_root makes the rule apply to root as well. deny sets the maximum number of consecutive failed logins for ordinary users and for root; once that number is exceeded the user is locked. unlock_time sets how long an ordinary user stays locked before being unlocked automatically, in seconds. root_unlock_time sets how long root stays locked before being unlocked, in seconds. The pam_tally2 module is used here; if pam_tally2 is not supported on your system, the older pam_tally module is available instead. Note that the settings may differ between PAM versions, so refer to the documentation of the module you have for the exact usage.

The line must be added directly under #%PAM-1.0, i.e. as the second line, so that it is the first auth rule. If it is placed later in the stack, the counter still locks the user, but a user who enters the correct password can still log in, because the earlier auth rules (the sufficient pam_unix.so rule pulled in by system-auth) succeed and end the auth stack before pam_tally2 is consulted!

The final effect is shown in the figure below.

This only limits logins from a TTY; remote logins are not restricted. To limit remote logins as well, the sshd PAM file has to be changed too:

# vim /etc/pam.d/sshd

#%PAM-1.0
auth       required     pam_tally2.so deny=3 unlock_time=300 even_deny_root root_unlock_time=10
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

The same line is added as the second line here too!
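Both the login and the sshd configuration above depend on the pam_tally2 line being placed before the "auth include system-auth" line. The following shell script is an added example, not part of the original article: it checks a PAM service file for that ordering. It assumes only that the file uses the standard "type control module" column layout shown above; the two sample files it checks are constructed here with a heredoc and are not the real files from /etc/pam.d.

```shell
#!/bin/sh
# Added example (not from the original article): verify that a PAM service file
# has an "auth ... pam_tally2.so" rule and that it comes before the first
# "auth include system-auth" rule. Returns 0 when the ordering is correct.
check_tally_order() {
    # $1 = path to a PAM service file, e.g. /etc/pam.d/sshd
    awk '
        # first auth rule that loads pam_tally2.so (comment lines never match, $1 would be "#")
        $1 == "auth" && $0 ~ /pam_tally2\.so/ && tally == 0 { tally = NR }
        # first auth rule that pulls in system-auth
        $1 == "auth" && $2 == "include" && $3 == "system-auth" && inc == 0 { inc = NR }
        END {
            if (tally == 0) { print "no pam_tally2 auth rule found"; exit 1 }
            if (inc != 0 && tally > inc) {
                print "pam_tally2 rule (line " tally ") is after system-auth (line " inc ")"
                exit 1
            }
            print "ok: pam_tally2 rule is first, at line " tally
            exit 0
        }
    ' "$1"
}

# Constructed sample files for a stand-alone run (not the real /etc/pam.d files).
good=$(mktemp)
bad=$(mktemp)
trap 'rm -f "$good" "$bad"' EXIT

cat > "$good" <<'EOF'
#%PAM-1.0
auth       required     pam_tally2.so deny=3 unlock_time=300 even_deny_root root_unlock_time=10
auth       include      system-auth
account    required     pam_nologin.so
EOF

cat > "$bad" <<'EOF'
#%PAM-1.0
auth       include      system-auth
auth       required     pam_tally2.so deny=3 unlock_time=300
account    required     pam_nologin.so
EOF

check_tally_order "$good"
check_tally_order "$bad" || true   # reports the misordering; "|| true" keeps the demo going
```

Run it against the real files with `check_tally_order /etc/pam.d/login` and `check_tally_order /etc/pam.d/sshd` after editing them; a non-zero exit means a correct password would still bypass the lockout, which is exactly the failure mode described above.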

To view a user's failed login count:

[root@node100 pam.d]# pam_tally2 --user redhat
Login           Failures Latest failure     From
redhat              7    07/16/12 15:18:22  tty1

Unlock the specified user (reset the failure counter):

[root@node100 pam.d]# pam_tally2 -r -u redhat
Login           Failures Latest failure     From
redhat              7    07/16/12 15:18:22  tty1

When logging in remotely over SSH there is no hint; I use Xshell and do not know whether other terminals show a hint. Once the configured count is reached, entering the correct password does not log you in!
