Linux ships a PAM module, pam_tally2.so, that counts failed user logins and locks the user once the count reaches the configured threshold.
Editing the PAM configuration file
# vim /etc/pam.d/login
#%PAM-1.0
# Must be the first auth rule: deny=3 locks after 3 consecutive failures,
# unlock_time=300 unlocks normal users after 300 s, even_deny_root also locks root,
# root_unlock_time=10 (the same value as in the sshd file below) unlocks root after 10 s
auth       required     pam_tally2.so deny=3 unlock_time=300 even_deny_root root_unlock_time=10
auth       [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    optional     pam_keyinit.so force revoke
session    required     pam_loginuid.so
session    include      system-auth
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
Explanation of the parameters
even_deny_root applies the limit to the root user as well; deny sets the maximum number of consecutive failed logins for normal users and for root, after which the user is locked.
unlock_time sets how many seconds after being locked a normal user is unlocked again;
root_unlock_time sets how many seconds after being locked the root user is unlocked again;
The pam_tally2 module is used here; if pam_tally2 is not available, the pam_tally module can be used instead. The options also differ between PAM versions, so check the rules of the module you are actually using.
The line must be added directly under #%PAM-1.0, i.e. as the second line, in front of the other auth rules. If it is placed further down, the user is indeed marked as locked, but can still log in as long as the correct password is entered! (The pam_unix.so rule pulled in through system-auth is "sufficient", so a correct password grants access before pam_tally2.so is ever consulted.)
The final effect is shown in the figure below.
This only limits logins from a TTY; it does not restrict remote logins. To limit remote logins as well, the sshd file has to be changed:
# vim /etc/pam.d/sshd
#%PAM-1.0
# Must be the first auth rule, before "auth include system-auth"
auth       required     pam_tally2.so deny=3 unlock_time=300 even_deny_root root_unlock_time=10
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
Here too the line is added as line 2!
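The ordering rule above is easy to get wrong silently, so here is an added audit script (example code written for this page, not part of the original post) that checks a PAM service file the way described: the first active auth rule must be pam_tally2.so, marked required, and carry a deny= threshold. The function name audit_pam_tally2 and the sample files it creates are assumptions for this example; on a live host you would point it at /etc/pam.d/login and /etc/pam.d/sshd.

```shell
#!/bin/sh
# Added example, not from the original post: audit a PAM service file for the
# pam_tally2 lockout rule. Passes only if the first active "auth" rule loads
# pam_tally2.so with control "required" and a deny= threshold.
# The function name and the sample files below are assumptions for this example.

audit_pam_tally2() {
    file="$1"
    # First active rule of type "auth"; comment lines start with "#", so $1 != "auth".
    first_auth=$(awk '$1 == "auth" { print; exit }' "$file")
    if [ -z "$first_auth" ]; then
        echo "$file: FAIL - no auth rules found"
        return 1
    fi
    case "$first_auth" in
        *pam_tally2.so*) ;;
        *)
            # A later "sufficient" module (pam_unix.so via system-auth) would
            # grant access before the failure counter is ever checked.
            echo "$file: FAIL - first auth rule is not pam_tally2.so: $first_auth"
            return 1 ;;
    esac
    control=$(printf '%s\n' "$first_auth" | awk '{ print $2 }')
    # Everything after the module name, with runs of blanks squeezed to one space.
    args=$(printf '%s\n' "$first_auth" | tr -s ' \t' ' ' | cut -d ' ' -f 4-)
    if [ "$control" != "required" ]; then
        echo "$file: FAIL - pam_tally2.so control is '$control', expected 'required'"
        return 1
    fi
    case " $args " in
        *" deny="[0-9]*) ;;
        *)
            echo "$file: FAIL - pam_tally2.so rule has no deny= threshold"
            return 1 ;;
    esac
    echo "$file: OK ($args)"
    return 0
}

# Constructed sample service files so the check can be run offline.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/sshd.good" <<'EOF'
#%PAM-1.0
auth       required     pam_tally2.so deny=3 unlock_time=300 even_deny_root root_unlock_time=10
auth       include      system-auth
account    required     pam_nologin.so
EOF
cat > "$tmp/sshd.late" <<'EOF'
#%PAM-1.0
auth       include      system-auth
auth       required     pam_tally2.so deny=3 unlock_time=300
EOF
cat > "$tmp/sshd.nodeny" <<'EOF'
#%PAM-1.0
auth       required     pam_tally2.so unlock_time=300
auth       include      system-auth
EOF

# Report each sample; "|| true" keeps going after a FAIL so all three are shown.
for f in sshd.good sshd.late sshd.nodeny; do
    audit_pam_tally2 "$tmp/$f" || true
done
# On a live system: audit_pam_tally2 /etc/pam.d/login; audit_pam_tally2 /etc/pam.d/sshd
```

The check deliberately looks only at the first auth rule rather than searching the whole file, because that is exactly the mistake the text warns about: a pam_tally2.so line that exists but sits below the include is reported as a failure.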
Viewing the number of failed logins for a user
[root@node100 pam.d]# pam_tally2 --user redhat
Login           Failures Latest failure     From
redhat              7    07/16/12 15:18:22  tty1
Unlocking the specified user
[root@node100 pam.d]# pam_tally2 -r -u redhat
Login           Failures Latest failure     From
redhat              7    07/16/12 15:18:22  tty1
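Run without --user, pam_tally2 prints the same table for every account with a non-zero counter, which makes it a convenient input for a periodic check. The following added example (written for this page, not from the original post) parses that table and lists the accounts whose counter has reached the deny= value from the PAM rule; the function name users_at_threshold and the sample table are assumptions, and the sample table is constructed in the layout shown above.

```shell
#!/bin/sh
# Added example, not from the original post: parse the table printed by
# pam_tally2 (read from stdin) and list the accounts whose failure counter has
# reached the deny= threshold configured in the PAM rule.
# Usage on a live host:  pam_tally2 | users_at_threshold 3
users_at_threshold() {
    deny="$1"
    # Skip the header line. Columns: Login, Failures, date, time, From.
    # "From" may be empty when neither a tty nor a remote host was recorded.
    awk -v deny="$deny" 'NR > 1 && NF >= 4 && $2 + 0 >= deny {
        printf "%s failures=%d latest=%s %s from=%s\n", $1, $2, $3, $4, ($5 == "" ? "-" : $5)
    }'
}

# Constructed sample in the same layout as the pam_tally2 output shown above.
SAMPLE='Login           Failures Latest failure     From
redhat              7    07/16/12 15:18:22  tty1
alice               1    07/16/12 15:20:05  192.0.2.10
bob                 3    07/16/12 15:21:40'

printf '%s\n' "$SAMPLE" | users_at_threshold 3
# prints:
# redhat failures=7 latest=07/16/12 15:18:22 from=tty1
# bob failures=3 latest=07/16/12 15:21:40 from=-
```

Pass the same deny value you configured in /etc/pam.d (3 in this article); accounts below it are still counting failures but are not yet locked, and after unlock_time has elapsed a listed account may already be able to log in again even though its counter has not been reset.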
When this happens over remote SSH there is no hint. I use Xshell and don't know whether other terminals show a hint; once the set value is reached, entering the correct password does not log you in!
This article comes from the "Acridine a Pooh" blog; please be sure to keep this source: http://gm100861.blog.51cto.com/1930562/932527