CentOS uses PAM to lock multiple login failed users

Source: Internet
Author: User
Tags: auth, sessions, centos


Linux provides a PAM module, pam_tally2.so, that counts failed user logins and locks the user once the count reaches the configured threshold.

Editing the PAM configuration file

# vim /etc/pam.d/login

    #%PAM-1.0
    auth       required     pam_tally2.so deny=3 unlock_time=300 even_deny_root root_unlock_time=10
    auth       [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
    auth       include      system-auth
    account    required     pam_nologin.so
    account    include      system-auth
    password   include      system-auth
    # pam_selinux.so close should be the first session rule
    session    required     pam_selinux.so close
    session    optional     pam_keyinit.so force revoke
    session    required     pam_loginuid.so
    session    include      system-auth
    session    optional     pam_console.so
    # pam_selinux.so open should only be followed by sessions to be executed in the user context
    session    required     pam_selinux.so open

Explanation of the parameters

even_deny_root: also applies the restriction to the root user.
deny: sets the maximum number of consecutive failed logins for ordinary users and for root; once this number is exceeded, the user is locked.
unlock_time: sets how many seconds after being locked an ordinary user is unlocked again.
root_unlock_time: sets how many seconds after being locked the root user is unlocked again.

The module used here is pam_tally2. If pam_tally2 is not supported, the pam_tally module can be used instead. Note that the settings may differ between PAM versions; for the exact usage, refer to the documentation of the module in question.

The entry must be added directly under #%PAM-1.0, that is, on the second line, in front of the other auth rules. If it is written further down, the user is still locked, but can still log in as long as the correct password is entered (the pam_unix.so rule in system-auth is marked sufficient, so a correct password ends the auth stack before a later pam_tally2 line is consulted).

The result is shown in the figure below.

This only limits logins from a TTY and does not restrict remote logins. To limit remote logins as well, the sshd service file must also be changed:

# vim /etc/pam.d/sshd

    #%PAM-1.0
    auth       required     pam_tally2.so deny=3 unlock_time=300 even_deny_root root_unlock_time=10
    auth       include      system-auth
    account    required     pam_nologin.so
    account    include      system-auth
    password   include      system-auth
    session    optional     pam_keyinit.so force revoke
    session    include      system-auth
    session    required     pam_loginuid.so

Again, the rule is added on line 2.
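The placement rule above can be checked mechanically. The following is an added example, not code from the original post: check_tally_order, the sample file names and the temporary directory are assumptions made here, and the two service files it inspects are constructed for the self-check rather than real system files.

```shell
#!/bin/sh
# Added example, not code from the original post. check_tally_order verifies that
# a PAM service file has pam_tally2.so as an "auth" rule BEFORE the first
# "auth include system-auth" rule (the placement rule from the post) and that
# the rule carries a deny= threshold. Exit status: 0 ok, 1 misconfigured,
# 2 unreadable file. The file name is the only argument.
check_tally_order() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file"; return 2; }
    # Line number of the first active (non-comment) auth rule loading pam_tally2.so
    tally_line=$(grep -n -E '^[[:space:]]*auth[[:space:]].*pam_tally2\.so' "$file" \
        | head -n 1 | cut -d: -f1)
    # Line number of the first "auth include system-auth" rule
    include_line=$(grep -n -E '^[[:space:]]*auth[[:space:]]+include[[:space:]]+system-auth' "$file" \
        | head -n 1 | cut -d: -f1)
    if [ -z "$tally_line" ]; then
        echo "$file: no pam_tally2 auth rule"; return 1
    fi
    if [ -n "$include_line" ] && [ "$tally_line" -gt "$include_line" ]; then
        echo "$file: pam_tally2 (line $tally_line) is after 'auth include system-auth' (line $include_line)"
        return 1
    fi
    # Without deny= the counter is kept but never enforced
    if ! sed -n "${tally_line}p" "$file" | grep -q -E 'deny=[0-9]+'; then
        echo "$file: pam_tally2 rule has no deny= threshold"; return 1
    fi
    echo "$file: ok (pam_tally2 on line $tally_line)"
}

# Constructed sample service files (not real system files) used for a self-check.
TALLY_DEMO_DIR=$(mktemp -d)
cat > "$TALLY_DEMO_DIR/sshd.good" <<'EOF'
#%PAM-1.0
auth       required     pam_tally2.so deny=3 unlock_time=300 even_deny_root root_unlock_time=10
auth       include      system-auth
account    required     pam_nologin.so
EOF
cat > "$TALLY_DEMO_DIR/sshd.bad" <<'EOF'
#%PAM-1.0
auth       include      system-auth
auth       required     pam_tally2.so deny=3 unlock_time=300
account    required     pam_nologin.so
EOF

check_tally_order "$TALLY_DEMO_DIR/sshd.good"
check_tally_order "$TALLY_DEMO_DIR/sshd.bad" || echo "exit status $?"
```

Run it against /etc/pam.d/login and /etc/pam.d/sshd after editing them; a non-zero status means the tally rule is missing, unenforced, or placed where a correct password bypasses it.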

To view the number of user logon failures

    [root@node100 pam.d]# pam_tally2 --user redhat
    Login           Failures Latest failure     From
    redhat              7    07/16/12 15:18:22  tty1

Unlock the specified user

    [root@node100 pam.d]# pam_tally2 -r -u redhat
    Login           Failures Latest failure     From
    redhat              7    07/16/12 15:18:22  tty1

When logging in remotely over SSH there is no hint. I use Xshell and do not know whether other terminals show one; once the configured count is reached, entering the correct password still does not log you in!
