Linux: locking a user account after failed login attempts
- 2020-06-07 05:57:20
- OfStack
This article explains how to lock a user account on Linux after repeated failed login attempts, using either the pam_tally2 module or the pam_faillock module, and is shared for your reference and study. Let's start with a detailed introduction.
pam_tally2 module (Method 1)
Lock a user account after too many failed SSH login attempts. The pam_tally2 module keeps a count of access attempts and denies access once there have been too many failures.
Configuration
Use the /etc/pam.d/system-auth or /etc/pam.d/password-auth configuration file to set the allowed number of login attempts:
auth required pam_tally2.so deny=3 unlock_time=600
account required pam_tally2.so
Note:
The auth line must be placed on the second line of the auth stack; otherwise the user will still be able to log in after more than three failed attempts.
If the lock should also apply to root, add even_deny_root to the auth line:
auth required pam_tally2.so deny=3 even_deny_root unlock_time=600
pam_tally2 command
View a user's login failure information:
pam_tally2 -u test
Login Failures Latest failure From
test 1 06/20/17 14:18:19 192.168.56.1
Unlock the user:
pam_tally2 -u test -r
pam_faillock module (Method 2)
In Red Hat Enterprise Linux 6, the pam_faillock PAM module lets the system administrator lock user accounts that exceed a specified number of failed login attempts. Limiting the number of login attempts is primarily a security measure intended to prevent brute-force attacks aimed at obtaining users' account passwords.
The pam_faillock module stores the failed-login-attempt data in a separate file for each user under the /var/run/faillock directory.
Configuration
Add the following lines to the corresponding sections of the /etc/pam.d/system-auth and /etc/pam.d/password-auth files:
auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=3
account required pam_faillock.so
Note:
The line
auth required pam_faillock.so preauth silent audit deny=3
must be at the front of the auth stack.
To apply the lock to root as well, add the even_deny_root option to the pam_faillock entries.
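Because the ordering rule above is easy to get wrong (a pam_faillock line placed after a "sufficient" pam_unix.so line is never consulted on a successful password), here is an added check, not part of the original article, that validates a pam_faillock auth stack. The function name check_faillock_order and the two sample stacks are constructed for this example.

```shell
# Reads a PAM stack (system-auth / password-auth style) on stdin and verifies
# the pam_faillock ordering: the preauth line must come before pam_unix.so,
# the authfail line after it, and an account line must be present.
# Prints each problem found; returns 0 when the stack is correct, 1 otherwise.
check_faillock_order() {
    awk '
        $1 == "auth"    && /pam_faillock\.so/ && /preauth/  { pre  = NR }
        $1 == "auth"    && /pam_unix\.so/                    { unix = NR }
        $1 == "auth"    && /pam_faillock\.so/ && /authfail/ { post = NR }
        $1 == "account" && /pam_faillock\.so/                { acct = NR }
        END {
            ok = 1
            if (!pre)  { print "missing pam_faillock.so preauth line";  ok = 0 }
            if (!unix) { print "missing pam_unix.so auth line";         ok = 0 }
            if (!post) { print "missing pam_faillock.so authfail line"; ok = 0 }
            if (!acct) { print "missing pam_faillock.so account line";  ok = 0 }
            if (pre && unix && pre > unix)   { print "preauth line must precede pam_unix.so"; ok = 0 }
            if (post && unix && post < unix) { print "authfail line must follow pam_unix.so"; ok = 0 }
            exit (ok ? 0 : 1)
        }'
}

# Constructed sample: the stack exactly as the article recommends it.
GOOD_STACK='auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=3
account required pam_faillock.so'

# Constructed sample: preauth placed after pam_unix.so. A correct password
# short-circuits the stack at "sufficient", so a locked user still gets in.
BAD_STACK='auth sufficient pam_unix.so nullok try_first_pass
auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth [default=die] pam_faillock.so authfail audit deny=3
account required pam_faillock.so'

printf '%s\n' "$GOOD_STACK" | check_faillock_order && echo "good stack: OK"
printf '%s\n' "$BAD_STACK"  | check_faillock_order || echo "bad stack: rejected"
```

On a real host, run it as `check_faillock_order < /etc/pam.d/system-auth` and again for password-auth, since both files must carry the same stack.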
faillock command
Show the number of failed attempts per user:
$ faillock
test:
When Type Source Valid
2017-06-20 14:29:05 RHOST 192.168.56.1 V
2017-06-20 14:29:14 RHOST 192.168.56.1 V
2017-06-20 14:29:17 RHOST 192.168.56.1 V
Unlock a user's account:
faillock --user <username> --reset
Conclusion