Linux has a PAM module, pam_tally2.so, that counts a user's failed logins and locks the user once the count reaches the configured threshold.
Editing the PAM configuration file
# vim /etc/pam.d/login
#%PAM-1.0
auth       required     pam_tally2.so deny=3 unlock_time=300 even_deny_root root_unlock_time=10
auth       [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    optional     pam_keyinit.so force revoke
session    required     pam_loginuid.so
session    include      system-auth
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
Explanation of the parameters
even_deny_root makes the rule apply to root as well. deny sets the maximum number of consecutive failed logins allowed for ordinary users and for root; once that number is exceeded, the user is locked. unlock_time sets how long an ordinary user stays locked before being unlocked automatically, in seconds; root_unlock_time sets the same for root, in seconds. The pam_tally2 module is used here; if pam_tally2 is not available, the older pam_tally module can be used instead. Note that the available options differ between PAM versions, so check the documentation of the module shipped with your system for the exact usage.
Add the pam_tally2 line directly under #%PAM-1.0, that is, as the second line. It must come before the other auth rules: if it is placed after them, the failure counter still locks the user, but the user can still log in as soon as the correct password is entered, because the stack is already satisfied before pam_tally2 is reached!
The result looks like the following figure.
This only restricts logins from a TTY; remote logins are not restricted. To limit remote logins as well, edit the sshd PAM file:
# vim /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_tally2.so deny=3 unlock_time=300 even_deny_root root_unlock_time=10
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
Again, the line is added as the second line!
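As an added check (example script, not from the original post): the script below verifies that pam_tally2.so is the first auth rule in a PAM service file, the ordering this post insists on, and reports the deny and unlock_time values it carries. It runs against constructed sample files written to a temporary directory; on a real system you would pass /etc/pam.d/login and /etc/pam.d/sshd.

```shell
# check_tally2 FILE: verify that pam_tally2.so is the FIRST auth rule in a
# PAM service file (e.g. /etc/pam.d/login, /etc/pam.d/sshd) and report its
# deny= and unlock_time= options. Returns 0 when correctly placed, 1 otherwise.
check_tally2() {
    file="$1"
    # First 'auth' rule, skipping comments and blank lines
    first_auth=$(grep -Ev '^[[:space:]]*(#|$)' "$file" | awk '$1 == "auth" { print; exit }')
    case "$first_auth" in
        "")
            echo "missing: no auth rule in $file"; return 1 ;;
        *pam_tally2.so*)
            # Split the rule into tokens and pick out deny= and unlock_time=
            # (root_unlock_time= is a different option and is not matched)
            deny=$(printf '%s\n' "$first_auth" | tr -s '[:space:]' '\n' | awk -F= '$1 == "deny" { print $2 }')
            unlock=$(printf '%s\n' "$first_auth" | tr -s '[:space:]' '\n' | awk -F= '$1 == "unlock_time" { print $2 }')
            echo "ok: deny=${deny:-unset} unlock_time=${unlock:-unset}"; return 0 ;;
        *)
            # Present but after another auth rule: an earlier rule can satisfy the stack first
            if grep -Eq '^[[:space:]]*auth[[:space:]].*pam_tally2\.so' "$file"; then
                echo "misordered: pam_tally2.so is not the first auth rule in $file"
            else
                echo "missing: no pam_tally2.so auth rule in $file"
            fi
            return 1 ;;
    esac
}

# Constructed sample service files (not copies of any real system) used to exercise the check
tmp=$(mktemp -d)
cat >"$tmp/login.good" <<'EOF'
#%PAM-1.0
auth       required     pam_tally2.so deny=3 unlock_time=300 even_deny_root root_unlock_time=10
auth       include      system-auth
account    required     pam_nologin.so
EOF
cat >"$tmp/login.bad" <<'EOF'
#%PAM-1.0
auth       include      system-auth
auth       required     pam_tally2.so deny=3 unlock_time=300
EOF
cat >"$tmp/sshd.none" <<'EOF'
#%PAM-1.0
auth       include      system-auth
EOF
for f in login.good login.bad sshd.none; do
    printf '%s -> ' "$f"
    check_tally2 "$tmp/$f" || true
done
```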
To view a user's login failure count:
[root@node100 pam.d]# pam_tally2 --user redhat
Login           Failures Latest failure     From
redhat              7    07/16/12 15:18:22  tty1
Unlock the specified user:
[root@node100 pam.d]# pam_tally2 -r -u redhat
Login           Failures Latest failure     From
redhat              7    07/16/12 15:18:22  tty1
When logging in remotely over SSH there is no hint that the account is locked. I use Xshell and do not know whether other terminals show a hint; once the configured threshold is reached, entering the correct password no longer logs you in!