Linux: locking a user account after failed login attempts

  • 2020-06-07 05:57:20
  • OfStack

This article covers how to lock a user account on Linux after repeated failed logins, using either the pam_tally2 or the pam_faillock PAM module, and is shared for your reference and study. Let's start with a detailed introduction.

pam_tally2 module (Method 1)

Lock a user account after failed SSH login attempts against the system. This module keeps a count of login attempts and denies access once too many of them have failed.

configuration

Use the /etc/pam.d/system-auth or /etc/pam.d/password-auth file to configure the limit on login attempts:


auth required pam_tally2.so deny=3 unlock_time=600
account required pam_tally2.so

Note:

The auth line must be placed on line 2; otherwise the user will still be able to log in after more than three failures.

If the lock should also apply to root, add even_deny_root to the auth line:


auth required pam_tally2.so deny=3 even_deny_root unlock_time=600

pam_tally2 command

View user logon failure information


pam_tally2 -u test
Login  Failures Latest failure From
test  1 06/20/17 14:18:19 192.168.56.1

Unlock the user


pam_tally2 -u test -r

pam_faillock module (Method 2)

In Red Hat Enterprise Linux 6, the pam_faillock PAM module allows the system administrator to lock user accounts after a specified number of failed login attempts. Limiting the number of login attempts is primarily a security measure intended to prevent brute-force attacks aimed at guessing users' account passwords.

The pam_faillock module stores the failed login attempt data in a separate file for each user under the /var/run/faillock directory.

configuration

Add the following lines to the corresponding sections of the /etc/pam.d/system-auth and /etc/pam.d/password-auth files:


auth  required  pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth  sufficient pam_unix.so nullok try_first_pass
auth  [default=die] pam_faillock.so authfail audit deny=3
account  required  pam_faillock.so

Note:

The line auth required pam_faillock.so preauth silent audit deny=3 has to be at the front of the auth section.

To apply the lock to root as well, add the even_deny_root option to the pam_faillock entries.
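Both methods depend on the lockout lines sitting in the right place relative to pam_unix.so, which is easy to get wrong when editing the files by hand. The following audit helper is an added example, not code from the original article: it parses a PAM stack and reports the ordering problems described in the notes above for either module. SAMPLE_STACK is constructed sample content, not a real system file.

```python
# Added audit helper (not from the original article): checks that a PAM auth
# stack orders pam_tally2/pam_faillock lines as the article requires.

# Constructed sample of the auth/account section of /etc/pam.d/system-auth
SAMPLE_STACK = """\
auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=3
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
"""

def parse_pam(text):
    """Return (type, control, module, options) tuples, skipping comments/blank lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and not parts[0].startswith("#"):
            entries.append((parts[0], parts[1], parts[2], parts[3:]))
    return entries

def audit_lockout(text, module):
    """Check the ordering rules from the article for pam_tally2.so or pam_faillock.so.
    Returns a list of problems; an empty list means the stack is ordered correctly."""
    entries = parse_pam(text)
    auth = [e for e in entries if e[0] == "auth"]
    # pam_unix.so performs the real password check; lockout lines are ordered around it
    unix_idx = next((i for i, e in enumerate(auth) if e[2] == "pam_unix.so"), None)
    if unix_idx is None:
        return ["no pam_unix.so auth line found"]
    problems = []
    if module == "pam_faillock.so":
        pre = [i for i, e in enumerate(auth) if e[2] == module and "preauth" in e[3]]
        fail = [i for i, e in enumerate(auth) if e[2] == module and "authfail" in e[3]]
        if not pre or pre[0] > unix_idx:
            problems.append("preauth line missing or placed after pam_unix.so")
        if not fail or fail[0] < unix_idx:
            problems.append("authfail line missing or placed before pam_unix.so")
        elif auth[fail[0]][1] != "[default=die]":
            problems.append("authfail line must use the [default=die] control")
    else:  # pam_tally2.so: its single auth line must come before pam_unix.so
        idx = [i for i, e in enumerate(auth) if e[2] == module]
        if not idx or idx[0] > unix_idx:
            problems.append("pam_tally2.so auth line missing or placed after pam_unix.so")
    if not any(e[0] == "account" and e[2] == module for e in entries):
        problems.append("account line for %s missing" % module)
    return problems
```

Run it against the contents of the real file (for example `audit_lockout(open("/etc/pam.d/system-auth").read(), "pam_faillock.so")`) after editing; an empty list means the stack matches the layout shown in this article.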

faillock command

See the number of failed attempts per user


$ faillock
test:
When    Type Source           Valid
2017-06-20 14:29:05 RHOST 192.168.56.1           V
2017-06-20 14:29:14 RHOST 192.168.56.1           V
2017-06-20 14:29:17 RHOST 192.168.56.1           V

Unlock a user's account:


faillock --user <username> --reset
