CentOS ships the pam_tally2.so PAM module to limit the number of failed logins. When the number of failures reaches the configured threshold, the account is locked.
Edit the PAM configuration file:

# vim /etc/pam.d/login

```
#%PAM-1.0
auth       required     pam_tally2.so deny=3 unlock_time=300 even_deny_root root_unlock_time=10
auth       [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth

account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    optional     pam_keyinit.so force revoke
session    required     pam_loginuid.so
session    include      system-auth
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
```
Parameter description:
- even_deny_root: the limit also applies to the root user.
- deny: the maximum number of consecutive failed logins for ordinary users and root; once it is exceeded, the account is locked.
- unlock_time: the time, in seconds, after which a locked ordinary user is unlocked automatically.
- root_unlock_time: the time, in seconds, after which a locked root account is unlocked automatically.
- The pam_tally2 module is used here; if pam_tally2 is not available, the older pam_tally module can be used instead. Note that different PAM versions may take different settings; refer to the documentation of the relevant module for exact usage.
Add the line directly under #%PAM-1.0, i.e. as the second line. It must be placed at the front of the auth stack: if it is placed further down, the user is still locked, but can still log on as long as the correct password is entered!
The final result is as follows:
This only limits logins from a tty; it does not limit remote logins. To restrict remote logins as well, the sshd PAM file must be changed too:
# vim /etc/pam.d/sshd

```
#%PAM-1.0
auth       required     pam_tally2.so deny=3 unlock_time=300 even_deny_root root_unlock_time=10

auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
```
Here too, the line is added as the second line, before the other auth rules!
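The ordering rule above is easy to get wrong when a file is edited by hand or regenerated by a tool, so a small audit script is useful. The following is an added example, not part of the original post: it checks a PAM service file for a pam_tally2.so auth rule, verifies that it is the first auth rule in the stack (as the post requires), and verifies that deny= and unlock_time= are set. The two sample files it creates under a temporary directory are constructed for the demonstration; on a real host you would point it at /etc/pam.d/login and /etc/pam.d/sshd.

```shell
#!/bin/sh
# Added example (not from the original post): audit a PAM service file for the
# pam_tally2 rule. Sample file contents below are constructed for the demo.

# check_tally2 FILE
#   returns 0 when the file has a pam_tally2.so auth rule that is the first
#   auth rule in the stack and sets both deny= and unlock_time=; returns 1
#   otherwise, printing the reason.
check_tally2() {
    file="$1"
    # PAM evaluates rules top to bottom, so take the first active auth rule
    # (comments and blank lines skipped) and the first pam_tally2 auth rule.
    first_auth=$(grep -v '^[[:space:]]*#' "$file" | grep -i '^[[:space:]]*auth' | head -n 1)
    tally_line=$(grep -v '^[[:space:]]*#' "$file" | grep -i '^[[:space:]]*auth.*pam_tally2\.so' | head -n 1)

    if [ -z "$tally_line" ]; then
        echo "$file: no pam_tally2.so auth rule"
        return 1
    fi
    if [ "$first_auth" != "$tally_line" ]; then
        echo "$file: pam_tally2.so is not the first auth rule (lockout does not block a correct password)"
        return 1
    fi
    # ' deny=' and ' unlock_time=' must appear as their own options; the leading
    # whitespace keeps root_unlock_time= from satisfying the unlock_time= check.
    if ! echo "$tally_line" | grep -q '[[:space:]]deny=' || \
       ! echo "$tally_line" | grep -q '[[:space:]]unlock_time='; then
        echo "$file: pam_tally2.so rule lacks deny= or unlock_time="
        return 1
    fi
    echo "$file: OK"
    return 0
}

# --- constructed sample files so the script runs stand-alone ---
tmp=$(mktemp -d)
good="$tmp/sshd.good"
bad="$tmp/sshd.bad"
cat > "$good" <<'EOF'
#%PAM-1.0
auth       required     pam_tally2.so deny=3 unlock_time=300 even_deny_root root_unlock_time=10
auth       include      system-auth
account    required     pam_nologin.so
EOF
cat > "$bad" <<'EOF'
#%PAM-1.0
auth       include      system-auth
auth       required     pam_tally2.so deny=3 unlock_time=300
EOF

check_tally2 "$good"          # passes
check_tally2 "$bad" || true   # fails: pam_tally2 is not the first auth rule
```

Run it against both real files after editing them; a non-zero exit status from either call means the lockout is either absent or placed where a correct password still gets through.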
View the number of failed logins for a user:

```
[root@node100 pam.d]# pam_tally2 --user redhat
Login           Failures Latest failure     From
redhat              7    07/16/12 15:18:22  tty1
```
Unlock a specified user (the current record is printed before the counter is reset):

```
[root@node100 pam.d]# pam_tally2 -r -u redhat
Login           Failures Latest failure     From
redhat              7    07/16/12 15:18:22  tty1
```
During this remote SSH process, no prompt is displayed. I use Xshell; I don't know whether other terminals show any prompt. As long as the set value is exceeded, I cannot log on even if I enter the correct password!