How to use PAM to lock users after multiple failed logins in Linux

Source: Internet
Author: User
Tags auth linux

Linux ships a PAM module, pam_tally2.so, that counts a user's failed login attempts and locks the account once the count reaches a configured threshold.

Editing PAM's configuration file

# vim /etc/pam.d/login

#%PAM-1.0
auth       required     pam_tally2.so   deny=3  unlock_time=300 even_deny_root root_unlock_time=10
auth       [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth

account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    optional     pam_keyinit.so force revoke
session    required     pam_loginuid.so
session    include      system-auth
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open

Explanation of the parameters

even_deny_root       Apply the limit to root as well. deny sets the maximum number of consecutive failed logins allowed for normal users (and, with even_deny_root, for root); once it is reached the user is locked.

unlock_time          For normal users: how many seconds after being locked the account is automatically unlocked.

root_unlock_time     For root: how many seconds after being locked the account is automatically unlocked.
     
The pam_tally2 module is used here; if your PAM does not provide pam_tally2, the older pam_tally module can be used instead. The available options differ between PAM versions (Linux-PAM 1.5.0 removed both pam_tally and pam_tally2 in favour of pam_faillock), so check the man page of the module your system actually ships before copying these lines.

The pam_tally2 line must be added directly under #%PAM-1.0, i.e. as the second line, ahead of all the other auth rules. If it is placed after them, the failure counter still grows and the user is still marked as locked, but a correct password will still log the user in: the auth stack pulled in by "auth include system-auth" already returns success (pam_unix.so is "sufficient" there) before pam_tally2 is ever consulted.

The final effect is shown in the original post's screenshot (figure not reproduced here).

This only limits logins from a TTY (the login service); it does not restrict remote logins. To limit SSH logins as well, change the sshd PAM file:

# vim /etc/pam.d/sshd

#%PAM-1.0
auth       required     pam_tally2.so   deny=3  unlock_time=300 even_deny_root root_unlock_time=10

auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

As before, the line is added as the second line, directly below #%PAM-1.0. Two checks worth making: sshd only runs this PAM stack when UsePAM yes is set in /etc/ssh/sshd_config, and only password (or keyboard-interactive) logins pass through the auth stack, so a pam_tally2 rule that appears only under auth does not count or block public-key logins.
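The ordering rule above (pam_tally2 must be the first auth rule, in /etc/pam.d/login and /etc/pam.d/sshd alike) is easy to get wrong and silent when it is wrong, so here is a small POSIX shell check for it. This is an added example, not code from the original article: the function name, the exit codes and the two sample service files it writes are my own choices, and the sample files are constructed for the demo rather than copied from a real host.

```shell
#!/bin/sh
# Added example (not from the original article): verify that pam_tally2.so is
# the FIRST auth rule in a PAM service file such as /etc/pam.d/login or
# /etc/pam.d/sshd. If another auth rule precedes it, a correct password can
# succeed inside "auth include system-auth" before the counter is consulted.
#
# check_tally_order FILE
#   exit 0 : pam_tally2.so is the first auth rule
#   exit 1 : another auth rule comes first (the preceding rule is printed)
#   exit 2 : the file has no pam_tally2.so auth rule at all
check_tally_order() {
    awk '
        BEGIN { status = 2 }
        /^[[:space:]]*#/ { next }              # skip comment lines
        /^[[:space:]]*$/ { next }              # skip blank lines
        tolower($1) == "auth" {
            n++
            if ($0 ~ /pam_tally2\.so/) {
                if (n == 1) {
                    status = 0
                } else {
                    status = 1
                    printf "pam_tally2 is auth rule #%d; preceded by: %s\n", n, prev
                }
                exit
            }
            prev = $0
        }
        END { exit status }
    ' "$1"
}

# write_samples DIR: create two constructed sample service files in DIR,
# one with the tally line in the right place and one with it too late.
write_samples() {
    cat > "$1/good.pam" <<'EOF'
#%PAM-1.0
auth       required     pam_tally2.so   deny=3 unlock_time=300 even_deny_root root_unlock_time=10
auth       include      system-auth
account    include      system-auth
EOF
    cat > "$1/bad.pam" <<'EOF'
#%PAM-1.0
auth       include      system-auth
auth       required     pam_tally2.so   deny=3 unlock_time=300 even_deny_root root_unlock_time=10
account    include      system-auth
EOF
}

# Demo: run the check over both samples (nothing under /etc/pam.d is touched).
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in "$demo_dir/good.pam" "$demo_dir/bad.pam"; do
    if check_tally_order "$f"; then
        echo "$f: OK"
    else
        echo "$f: NOT OK (rc=$?)"
    fi
done
rm -rf "$demo_dir"
```

To check the real files, run check_tally_order /etc/pam.d/login and check_tally_order /etc/pam.d/sshd; a non-zero exit means the lock will not take effect for that service.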

To view the number of failed logins for a user:

[root@node100 pam.d]# pam_tally2 --user redhat

Login           Failures Latest failure     From
redhat              7    07/16/12 15:18:22  tty1

To unlock (reset the counter for) a specific user:

[root@node100 pam.d]# pam_tally2 -r -u redhat

Login           Failures Latest failure     From
redhat              7    07/16/12 15:18:22  tty1

The reset command prints the values as they were before the reset; querying the same user again afterwards shows 0 failures. Running pam_tally2 with no arguments lists every user whose counter is non-zero.

When logging in over SSH there is no message telling you that the account is locked (I use Xshell; I do not know whether other clients show one). Once the configured threshold is reached, even the correct password will not get you in until the account is unlocked.
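Because pam_tally2 prints nothing to the remote user, the admin side is where a lockout becomes visible. The following added example (my own code, not from the original article) reads the table that pam_tally2 prints with no arguments and reports the users whose counter has reached the deny threshold, then emits the matching pam_tally2 -r -u reset commands from the article without running them. The sample table is constructed, not captured from a real host, and the function names are my own. One caveat it cannot see: with unlock_time set, a user at or over the threshold may already be allowed back in, because the counter stays until it is reset or the user logs in successfully.

```shell
#!/bin/sh
# Added example (not from the original article): parse the output of
# "pam_tally2" (no arguments lists every user with a non-zero counter) and
# report users whose failure count has reached the deny threshold.
# Input is read from stdin so it also works on saved output.
#
# over_threshold DENY  -> prints "user failures" for each user whose
#                          Failures column is >= DENY, one per line
over_threshold() {
    awk -v deny="$1" '
        NR == 1 && $1 == "Login" { next }         # skip the header row
        NF >= 2 && $2 + 0 >= deny + 0 { print $1, $2 }
    '
}

# unlock_commands DENY -> for the same users, print the reset command used in
# the article (pam_tally2 -r -u USER). Nothing is executed here: review the
# list first, then pipe it to sh only if you really want to unlock them all.
unlock_commands() {
    over_threshold "$1" | while read -r user _count; do
        printf 'pam_tally2 -r -u %s\n' "$user"
    done
}

# Constructed sample of pam_tally2 output (not captured from a real host).
SAMPLE_TALLY='Login           Failures Latest failure     From
redhat              7    07/16/12 15:18:22  tty1
alice               3    07/16/12 15:20:01  192.0.2.10
bob                 1    07/16/12 15:21:45  tty2'

# Demo with deny=3, matching the configuration in the article.
printf '%s\n' "$SAMPLE_TALLY" | over_threshold 3
printf '%s\n' "$SAMPLE_TALLY" | unlock_commands 3
# On a real host:  pam_tally2 | over_threshold 3
```

With deny=3 the demo lists redhat (7) and alice (3) and proposes two reset commands; bob, with a single failure, is left alone.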

This article comes from the "Acridine a Pooh" blog; please keep this source when reposting: http://gm100861.blog.51cto.com/1930562/932527
