For Linux users: if a user fails to log on three times in a row, the user is locked, and is automatically unlocked several minutes later.
Linux provides the pam_tally2.so PAM module to limit the number of login failures. If the number of failures reaches the configured threshold, the user is locked.
# vim /etc/pam.d/login

```
#%PAM-1.0
auth       required     pam_tally2.so deny=3 unlock_time=300 even_deny_root root_unlock_time=10
auth       [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    optional     pam_keyinit.so force revoke
session    required     pam_loginuid.so
session    include      system-auth
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
```
Parameter description:

- even_deny_root: also apply the limit to the root user.
- deny: maximum number of consecutive failed logins for ordinary users and root; once this number is exceeded, the user is locked.
- unlock_time: time after which a locked ordinary user is automatically unlocked, in seconds.
- root_unlock_time: time after which a locked root user is automatically unlocked, in seconds.
The pam_tally2 module is used here. If pam_tally2 is not available, the older pam_tally module can be used instead. Note that different PAM versions may accept different settings; for exact usage, refer to the documentation of the module in question.
Add the line directly below `#%PAM-1.0`, i.e. as the second line. It must come before the other auth rules: if it is placed after them, the user is still locked, but as long as the user enters the correct password, they can still log on!
The final result: a user who fails to log on three times in a row is locked, and is automatically unlocked several minutes later.
This only limits logins from a tty; it does not limit remote logins. To restrict remote (SSH) logins as well, you need to edit the sshd PAM file:
# vim /etc/pam.d/sshd

```
#%PAM-1.0
auth       required     pam_tally2.so deny=3 unlock_time=300 even_deny_root root_unlock_time=10
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
```
Here too, the line is added as the second line, ahead of the other auth rules!
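The placement rule for both /etc/pam.d/login and /etc/pam.d/sshd (the pam_tally2.so line must be the first auth rule) is easy to get wrong and silently makes the lockout ineffective. The following script is an added example, not part of the original post: a small audit function, `pam_tally2_first`, that reports whether a PAM service file has pam_tally2.so as its first auth rule with deny= and unlock_time= set, run against two constructed sample files (a correct one and a misordered one) rather than the real system files.

```sh
#!/bin/sh
# Added example (hypothetical helper, not from the original post): audit a PAM
# service file for the ordering rule above. Returns 0 when the first "auth"
# rule is "auth required pam_tally2.so ..." with deny= and unlock_time= set,
# and 1 when pam_tally2.so is missing or is not the first auth rule.
pam_tally2_first() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        $1 == "auth" && !done {                          # only the first auth rule decides
            done = 1
            rc = ($2 == "required" && $3 == "pam_tally2.so" &&
                  $0 ~ /deny=[0-9]+/ && $0 ~ /unlock_time=[0-9]+/) ? 0 : 1
        }
        END { if (!done) rc = 1; exit rc }               # no auth rule at all also fails
    ' "$1"
}

# Constructed sample files standing in for /etc/pam.d/login (not the live files).
GOOD_CONF=$(mktemp)
BAD_CONF=$(mktemp)
cat >"$GOOD_CONF" <<'EOF'
#%PAM-1.0
auth       required     pam_tally2.so deny=3 unlock_time=300 even_deny_root root_unlock_time=10
auth       include      system-auth
account    include      system-auth
EOF
# Same rules, but pam_tally2.so placed after system-auth: the post notes the
# lock is then ineffective, so the audit must flag this file.
cat >"$BAD_CONF" <<'EOF'
#%PAM-1.0
auth       include      system-auth
auth       required     pam_tally2.so deny=3 unlock_time=300
account    include      system-auth
EOF

for f in "$GOOD_CONF" "$BAD_CONF"; do
    if pam_tally2_first "$f"; then
        echo "$f: pam_tally2.so is the first auth rule"
    else
        echo "$f: pam_tally2.so missing or not the first auth rule"
    fi
done
```

To audit the real files, call `pam_tally2_first /etc/pam.d/login` and `pam_tally2_first /etc/pam.d/sshd` and check the exit status.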
View the number of login failures for a user:

# cd /etc/pam.d/

```
[root@node100 pam.d]# pam_tally2 --user root
Login           Failures Latest failure     From
root                7    07/16/12 15:18:22  tty1
```
Unlock a specified user (the counter value before the reset is printed):

```
[root@node100 pam.d]# pam_tally2 -r -u root
Login           Failures Latest failure     From
root                7    07/16/12 15:18:22  tty1
```
During this remote SSH process, no prompt is displayed. I use Xshell; I don't know whether other terminals show a prompt. As long as the set value is exceeded, I cannot log on even if I enter the correct password!