User Logon Restrictions, Lockouts, and Kicking Out Online Users
This article uses SSH as the example service when configuring PAM to implement the corresponding authentication functions; other login methods are configured in the same way. For details, refer to the article PAM - Pluggable Authentication Module.
1. Restrict User Logon (SSH)
(1) Use pam_access to customize restrictions
// Add the pam_access module to the account stack of the SSH service
[root@iZwz9catu2mrq92b07d1d0Z ~]# vi /etc/pam.d/sshd
#%PAM-1.0
account requisite pam_access.so nodefgroup accessfile=/etc/mypam/access_ssh.conf fieldsep=| listsep=,
...
// Edit the access file (note: rules are matched in order, starting from the first line, and the first matching rule decides)
[root@iZwz9catu2mrq92b07d1d0Z ~]# vi /etc/mypam/access_ssh.conf
# Allow root and members of the group mygroup1 to log on from anywhere
+|root (mygroup1)|ALL
# Deny logon to all users other than root and members of mygroup1
-|ALL EXCEPT root (mygroup1)|ALL
# Refuse logon of the user cjh from any address other than the specified IP address
-|cjh|ALL EXCEPT 120.231.146.242
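Because pam_access stops at the first matching line, the order of the rules above matters more than it looks. The script below is an added example, not pam_access itself and not from the article: a small POSIX sh evaluator (the function names `pam_access_check`, `_field_matches` and `_list_matches` are invented here) that applies the article's settings (fieldsep `|`, listsep `,`, nodefgroup) to a constructed copy of the access file and reports allow or deny for a given user, group list and source address. It shows that, with the article's ordering, the catch-all deny on line 2 already rejects cjh (unless cjh is a member of mygroup1), so the per-user rule on line 3 is never reached; the second constructed file shows one ordering that does restrict cjh to the listed address, which is what the third rule appears to intend.

```shell
#!/bin/sh
# Toy first-match evaluator for a pam_access access file, added as an example;
# it is not pam_access itself. It follows the article's settings (fieldsep='|',
# listsep=',', nodefgroup so groups are written "(name)") and handles only the
# syntax the article uses: permission +/-, ALL, user names, (groups) and
# "list EXCEPT list" in the users field; ALL, addresses and "list EXCEPT list"
# in the origins field. Like pam_access, a login that matches no rule is allowed.

# _list_matches TARGET GROUPS LIST: succeed if a comma-separated item of LIST is
# ALL, equals TARGET, or is a (group) contained in the comma-separated GROUPS.
# Runs in a subshell so the IFS change does not leak.
_list_matches() (
    target=$1 groups=$2 list=$3
    IFS=','
    for tok in $list; do
        case $tok in
            ALL) return 0 ;;
            \(*\)) g=${tok#"("}; g=${g%")"}
                   case ",$groups," in *",$g,"*) return 0 ;; esac ;;
            "$target") return 0 ;;
        esac
    done
    return 1
)

# _field_matches TARGET GROUPS FIELD: FIELD is either "list" or "list EXCEPT list".
_field_matches() {
    case $3 in
        *" EXCEPT "*)
            base=${3%%" EXCEPT "*}; exc=${3#*" EXCEPT "}
            _list_matches "$1" "$2" "$base" && ! _list_matches "$1" "$2" "$exc" ;;
        *)  _list_matches "$1" "$2" "$3" ;;
    esac
}

# pam_access_check USER GROUPS ORIGIN FILE: exit 0 (allow) or 1 (deny).
# Lines are read top to bottom; the first line whose users and origins fields
# both match decides. Comments and blank lines are skipped.
pam_access_check() {
    user=$1 groups=$2 origin=$3 file=$4
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        perm=${line%%|*}; rest=${line#*|}
        users=${rest%%|*}; origins=${rest#*|}
        if _field_matches "$user" "$groups" "$users" &&
           _field_matches "$origin" "" "$origins"; then
            [ "$perm" = "+" ] && return 0
            return 1
        fi
    done <"$file"
    return 0
}

# Constructed access file in the article's rule order (lists written with commas
# to match listsep=,). Rule 3 can never fire: rule 2 already denies cjh.
ACCESS_ARTICLE_ORDER=$(mktemp)
ACCESS_FIXED_ORDER=$(mktemp)
trap 'rm -f "$ACCESS_ARTICLE_ORDER" "$ACCESS_FIXED_ORDER"' EXIT
cat >"$ACCESS_ARTICLE_ORDER" <<'EOF'
# allow root and mygroup1 members from anywhere
+|root,(mygroup1)|ALL
# deny everyone else from anywhere
-|ALL EXCEPT root,(mygroup1)|ALL
# deny cjh unless connecting from one address (shadowed by the rule above)
-|cjh|ALL EXCEPT 120.231.146.242
EOF

# One ordering that actually limits cjh to the listed address: specific allows
# first, then a final deny-all.
cat >"$ACCESS_FIXED_ORDER" <<'EOF'
+|root,(mygroup1)|ALL
+|cjh|120.231.146.242
-|ALL|ALL
EOF

# show USER GROUPS ORIGIN FILE: print the decision for the reader
show() {
    if pam_access_check "$@"; then echo "allow  $1 from $3"; else echo "deny   $1 from $3"; fi
}
show root ""    10.0.0.9        "$ACCESS_ARTICLE_ORDER"
show cjh  users 120.231.146.242 "$ACCESS_ARTICLE_ORDER"
show cjh  users 120.231.146.242 "$ACCESS_FIXED_ORDER"
show cjh  users 10.0.0.9        "$ACCESS_FIXED_ORDER"
```

When writing the real file, keep the most specific rules first and end with an explicit `-|ALL|ALL`, since an address and user that match nothing are let through.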
(2) Use pam_nologin to restrict non-root User Logon
[root@iZwz9catu2mrq92b07d1d0Z ~]# vi /etc/pam.d/sshd
#%PAM-1.0
...
account required pam_nologin.so
...
// Creating /etc/nologin refuses logon to every user except root; remove the file to allow logon again
[root@iZwz9catu2mrq92b07d1d0Z ~]# touch /etc/nologin
// Set the message shown to non-root users whose logon is refused
[root@iZwz9catu2mrq92b07d1d0Z ~]# vi /etc/nologin
========================= The system is upgrading =========================
Please wait a minute
2. Lock users that fail to log on multiple times (SSH)
// Add the pam_tally2 module to lock users who fail authentication three times: a normal user is locked for 30 seconds and root for 60 seconds
[root@iZwz9catu2mrq92b07d1d0Z ~]# vi /etc/pam.d/sshd
#%PAM-1.0
...
auth required pam_tally2.so deny=3 unlock_time=30 even_deny_root root_unlock_time=60
...
// View the failed logon records of all users or of a specified user
[root@iZwz9catu2mrq92b07d1d0Z ~]# pam_tally2
Login           Failures Latest failure     From
cjh                 1    11/19/17 19:25:25  120.230.146.242
zhangsan            2    11/19/17 19:24:24  120.230.146.242
[root@iZwz9catu2mrq92b07d1d0Z ~]# pam_tally2 --user cjh
Login           Failures Latest failure     From
cjh                 1    11/19/17 19:25:25  120.230.146.242
// Clear the failed logon records of all users or of a specified user
[root@iZwz9catu2mrq92b07d1d0Z ~]# pam_tally2 --reset
[root@iZwz9catu2mrq92b07d1d0Z ~]# pam_tally2 --reset --user cjh
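The pam_tally2 listing above is easy to read by eye for two users; on a busy host an operator wants the threshold applied automatically. The following is an added example, not part of the article or of Linux-PAM: a POSIX sh monitor (the function names `configured_deny`, `tally_status` and `locked_users` are invented here) that reads the deny= value from a pam.d fragment and classifies each line of pam_tally2 output as LOCKED, WARN (one more failure locks the account) or ok. The pam.d fragment and the tally listing are constructed samples; the fragment mirrors the article's auth line, and the listing adds an invented user lisi who has already reached the threshold. The fragment also carries the `account required pam_tally2.so` line that the article's snippet omits: without it the counter is never reset after a successful logon.

```shell
#!/bin/sh
# Lockout monitor for pam_tally2, added as an example (not from the article or
# from Linux-PAM). It reads the deny= threshold from a pam.d file and grades
# every line of pam_tally2 output against it. All inputs below are constructed.

PAMD_SAMPLE=$(mktemp)
trap 'rm -f "$PAMD_SAMPLE"' EXIT
cat >"$PAMD_SAMPLE" <<'EOF'
#%PAM-1.0
auth required pam_tally2.so deny=3 unlock_time=30 even_deny_root root_unlock_time=60
auth substack password-auth
# without this account line the failure counter is never reset on a successful logon
account required pam_tally2.so
EOF

# Same layout as the article's pam_tally2 listing; "lisi" is an invented user
TALLY_SAMPLE='Login           Failures Latest failure     From
cjh                 1    11/19/17 19:25:25  120.230.146.242
zhangsan            2    11/19/17 19:24:24  120.230.146.242
lisi                3    11/19/17 19:30:02  120.230.146.242'

# configured_deny FILE: print the deny= value of the pam_tally2 auth line, 0 if unset
configured_deny() {
    awk '$1 == "auth" && $3 ~ /pam_tally2\.so$/ {
             for (i = 4; i <= NF; i++)
                 if ($i ~ /^deny=/) { sub(/^deny=/, "", $i); print $i; found = 1; exit }
         }
         END { if (!found) print 0 }' "$1"
}

# tally_status DENY: read pam_tally2 output on stdin and print "user failures state"
# for every data line (the header line is skipped)
tally_status() {
    awk -v deny="$1" 'NR > 1 && NF >= 2 {
        state = ($2 >= deny) ? "LOCKED" : ($2 + 1 >= deny) ? "WARN" : "ok"
        print $1, $2, state
    }'
}

# locked_users DENY: only the names at or over the threshold
locked_users() { tally_status "$1" | awk '$3 == "LOCKED" { print $1 }'; }

DENY=$(configured_deny "$PAMD_SAMPLE")
printf '%s\n' "$TALLY_SAMPLE" | tally_status "$DENY"
```

On a live host replace the sample with `pam_tally2 | tally_status "$(configured_deny /etc/pam.d/sshd)"`. The count alone does not say whether unlock_time has already elapsed, so compare the "Latest failure" column with the current time before treating a LOCKED entry as still locked. Newer distributions ship pam_faillock in place of pam_tally2; the same idea applies with `faillock` output, but the columns differ.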
3. Kick out an online user
[root@iZwz9catu2mrq92b07d1d0Z ~]# who
cjh      tty2         14:48
root     pts/0        (120.230.146.242)
zhangsan pts/3        (120.230.146.242)
[root@iZwz9catu2mrq92b07d1d0Z ~]# ps -ef | grep tty2
cjh       8917  1806  0 00:00:00 tty2  -bash
// Kill the logon shell of user cjh (PID 8917) to end the session
[root@iZwz9catu2mrq92b07d1d0Z ~]# kill -9 8917
[root@iZwz9catu2mrq92b07d1d0Z ~]# who
root     pts/0        (120.230.146.242)
zhangsan pts/3        (120.230.146.242)
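The article finds the session shell by hand from the who and ps listings. The script below is an added example, not from the article: a POSIX sh helper (the names `session_pids` and `kick_user` are invented here) that does the same lookup from the output of `who` and `ps -ef`, collects every process the user runs on each terminal where who shows a session (the shell and anything it is running), and by default only prints the kill commands so the plan can be checked before a live session is dropped. The who and ps listings are constructed samples with the same users and PID as the article's session plus an invented child process.

```shell
#!/bin/sh
# Helper for ending a user's logon sessions, added as an example (not from the
# article). Only session_pids is exercised on the constructed samples below;
# kick_user runs the real who and ps and stays in dry-run mode unless asked.

WHO_SAMPLE='cjh      tty2         2017-11-19 14:48
root     pts/0        2017-11-19 14:40 (120.230.146.242)
zhangsan pts/3        2017-11-19 14:45 (120.230.146.242)'

# Constructed "ps -ef" output: UID PID PPID C STIME TTY TIME CMD
PS_SAMPLE='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 14:00 ?        00:00:01 /sbin/init
cjh       8917  1806  0 14:48 tty2     00:00:00 -bash
root      9001  1800  0 14:40 pts/0    00:00:00 -bash
zhangsan  9107  1800  0 14:45 pts/3    00:00:00 -bash
cjh       9200  8917  0 14:49 tty2     00:00:00 vi notes.txt'

# session_pids USER WHO_OUTPUT PS_OUTPUT: print the PIDs of every process USER
# owns on a terminal where who(1) lists USER as logged in. Killing only the
# shell (as the article does) leaves its children running, so they are included.
session_pids() {
    printf '%s\n' "$2" | awk -v u="$1" '$1 == u { print $2 }' |
    while read -r tty; do
        printf '%s\n' "$3" |
            awk -v u="$1" -v t="$tty" 'NR > 1 && $1 == u && $6 == t { print $2 }'
    done
}

# kick_user USER: end USER's sessions. Prints the commands unless KICK_REALLY=1,
# because a mistyped user name would otherwise drop a live admin session.
kick_user() {
    pids=$(session_pids "$1" "$(who)" "$(ps -ef)")
    [ -n "$pids" ] || { echo "no session found for $1"; return 1; }
    for pid in $pids; do
        if [ "${KICK_REALLY:-0}" = 1 ]; then
            kill -9 "$pid"
        else
            echo "would run: kill -9 $pid"
        fi
    done
}

# Dry demonstration on the constructed listings
session_pids cjh "$WHO_SAMPLE" "$PS_SAMPLE"
```

Run `kick_user cjh` to see the plan and `KICK_REALLY=1 kick_user cjh` to carry it out. A kicked user can simply reconnect, so pair the kick with a lock (the pam_access rule, /etc/nologin, or `passwd -l`) when the goal is to keep them out; on systemd hosts `loginctl terminate-user USER` ends all of a user's sessions, including processes that are not attached to a terminal.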