1. Lock a Linux user for 3 minutes after 3 failed logins

2. Files to edit

On RHEL/CentOS the authentication stacks are:
/etc/pam.d/system-auth
/etc/pam.d/password-auth

On Debian/Ubuntu (the hobot host edited below) the equivalents are:
/etc/pam.d/common-auth
/etc/pam.d/common-account

Both families take the same pam_faillock lines; only the file names differ.

3. Configuration

Add to common-auth (system-auth and password-auth on RHEL/CentOS):

auth required pam_faillock.so preauth audit silent deny=3 unlock_time=300
auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=300
auth sufficient pam_faillock.so authsucc audit deny=3 unlock_time=300

Add to common-account:

account required pam_faillock.so

Order matters: preauth goes before the module that checks the password (pam_unix.so); authfail and authsucc go after it. deny=3 is the number of failures that triggers the lock and unlock_time=300 is the lockout in seconds; audit logs the user name (also for non-existent users) and silent suppresses the message shown to the user. Failures are counted within fail_interval (900 seconds by default) before the most recent failure.

How the stack below works: on a correct password pam_unix.so returns success=1 and skips the authfail line, so control lands on authsucc, which clears the user's tally. On a wrong password pam_unix.so is ignored and control falls through to authfail, which records the failure and, with [default=die], ends the stack.

Caveat: both files are managed by pam-auth-update, which regenerates everything between the "here are the per-package modules" and "end of pam-auth-update config" comments. The faillock lines in common-auth below sit inside that block and will be overwritten the next time it runs (for example on a libpam upgrade), whereas the common-account line was appended after the block and survives. Either keep local lines outside the managed block, as the file header recommends, or add them through a profile in /usr/share/pam-configs/ and re-check the files after upgrades.

After editing:

root@hobot:/etc/pam.d# cat common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth    required                    pam_faillock.so preauth audit silent deny=3 unlock_time=300
auth    [success=1 default=ignore]  pam_unix.so nullok
# here's the fallback if no module succeeds
auth    [default=die]               pam_faillock.so authfail audit deny=3 unlock_time=300
auth    sufficient                  pam_faillock.so authsucc audit deny=3 unlock_time=300
auth    requisite                   pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                    pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

root@hobot:/etc/pam.d# cat common-account
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
#
# here are the per-package modules (the "Primary" block)
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# here's the fallback if no module succeeds
account requisite                   pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required                    pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
account required                    pam_faillock.so
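Because these lines are easy to get out of order (and easy to lose to pam-auth-update), here is an added Python linter for a PAM auth/account stack. It is example code written for this page, not code from the original notes or from Linux-PAM. It assumes the pam_faillock(8) ordering rules stated above: preauth before pam_unix.so, authfail and authsucc after it, a reset path through authsucc or an account-phase pam_faillock.so line, and the same deny/unlock_time on every faillock line. The two stacks inside it are constructed: GOOD is the section 3 configuration with common-auth and common-account concatenated into one string, WEAK puts preauth after pam_unix.so, drops the reset path and mixes deny values.

```python
"""Lint a PAM stack for a correctly ordered pam_faillock setup.

Added example for this page, not code from the original notes or from
Linux-PAM.  The rules are the pam_faillock(8) ordering rules: preauth before
the password module (pam_unix.so), authfail and authsucc after it, a reset
path (authsucc or an account-phase pam_faillock.so line), and the same
deny/unlock_time on every faillock line.  GOOD and WEAK are constructed.
"""
import re

GOOD = """\
auth    required                    pam_faillock.so preauth audit silent deny=3 unlock_time=300
auth    [success=1 default=ignore]  pam_unix.so nullok
auth    [default=die]               pam_faillock.so authfail audit deny=3 unlock_time=300
auth    sufficient                  pam_faillock.so authsucc audit deny=3 unlock_time=300
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite                   pam_deny.so
account required                    pam_permit.so
account required                    pam_faillock.so
"""

WEAK = """\
auth    [success=1 default=ignore]  pam_unix.so nullok
auth    required                    pam_faillock.so preauth audit silent deny=3 unlock_time=300
auth    [default=die]               pam_faillock.so authfail audit deny=5 unlock_time=300
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
account required                    pam_unix.so
"""

# type, control (a bare word or a [bracketed] list), module, optional args
PAM_LINE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")


def parse_pam(text):
    """Return (type, control, module, [args]) for every non-comment line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = PAM_LINE.match(line) if line else None
        if m:
            ptype, control, module, args = m.groups()
            entries.append((ptype, control, module, args.split()))
    return entries


def _first(entries, pred):
    """Index of the first entry matching pred, or None."""
    return next((i for i, e in enumerate(entries) if pred(e)), None)


def _is_faillock(e, mode):
    return e[2] == "pam_faillock.so" and mode in e[3]


def lint_faillock(text):
    """Return a list of findings; an empty list means the stack is ordered correctly."""
    findings = []
    entries = parse_pam(text)
    auth = [e for e in entries if e[0] == "auth"]
    account = [e for e in entries if e[0] == "account"]

    pre = _first(auth, lambda e: _is_faillock(e, "preauth"))
    fail = _first(auth, lambda e: _is_faillock(e, "authfail"))
    succ = _first(auth, lambda e: _is_faillock(e, "authsucc"))
    unix = _first(auth, lambda e: e[2] == "pam_unix.so")
    acct_reset = _first(account, lambda e: e[2] == "pam_faillock.so")

    if pre is None:
        findings.append("no preauth line: a locked user is not refused before the password prompt")
    elif unix is not None and pre > unix:
        findings.append("preauth must come before pam_unix.so")

    if fail is None:
        findings.append("no authfail line: failed attempts are never recorded")
    else:
        if unix is not None and fail < unix:
            findings.append("authfail must come after pam_unix.so")
        if auth[fail][1] not in ("[default=die]", "required"):
            findings.append("authfail control should be [default=die] or required")

    if succ is None and acct_reset is None:
        findings.append("no authsucc line and no account-phase pam_faillock.so: "
                        "the tally is never cleared by a successful login")
    elif succ is not None and fail is not None and succ < fail:
        findings.append("authsucc must come after authfail")

    # every faillock auth line must agree on deny=, unlock_time=, fail_interval=, ...
    values = {}
    for e in auth:
        if e[2] == "pam_faillock.so":
            for arg in e[3]:
                if "=" in arg:
                    key, val = arg.split("=", 1)
                    values.setdefault(key, set()).add(val)
    for key, vals in sorted(values.items()):
        if len(vals) > 1:
            findings.append(f"{key} differs between faillock lines: {sorted(vals)}")
    return findings


def root_exempt(text):
    """True unless some faillock auth line carries even_deny_root (see the note below)."""
    return not any(e[0] == "auth" and e[2] == "pam_faillock.so" and "even_deny_root" in e[3]
                   for e in parse_pam(text))


if __name__ == "__main__":
    for name, stack in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, lint_faillock(stack) or "OK", "| root exempt:", root_exempt(stack))
```

Run it against the real files with `lint_faillock(open("/etc/pam.d/common-auth").read() + open("/etc/pam.d/common-account").read())` (system-auth and password-auth on RHEL/CentOS, one call per file since each carries its own auth and account stacks). Lines pulled in through `@include` or `include` are not followed, so feed the linter the file that actually contains the faillock lines.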
Note: root is exempt from the lockout by default. To lock root as well, add the even_deny_root option to the pam_faillock.so lines (root_unlock_time can then give root its own unlock interval).

4. Helper commands
[root@mysql-master pam.d]# faillock                     # list the records of every user
[root@mysql-master pam.d]# faillock --user admin        # records of one user
[root@mysql-master pam.d]# faillock --user lt --reset   # clear one user's records (unlocks lt)
[root@mysql-master pam.d]# faillock --reset             # clear every user's records

faillock has further options; see faillock --help.

5. Verification
Mainly watch the Valid column in the faillock output: V marks a record that is valid (it counts toward the lock), I marks one that is invalid (it no longer counts).

The test below was run with deny=5 and unlock_time=60, not the deny=3 unlock_time=300 of section 3: the admin user is locked for 1 minute after 5 wrong passwords.

Test with user admin: enter the wrong password twice, the correct one on the 3rd attempt, then the wrong one on attempts 4, 5, 6 and 7, and watch the Valid column. In this test the successful 3rd login did not clear the earlier records: they stayed V and the count did not restart, and after the 7th attempt the user was locked (had the count been reset at the 3rd attempt, the four later failures would not have reached deny=5). That is what a stack looks like when the successful login never reaches the authsucc line or an account-phase pam_faillock.so entry; when it does, pam_faillock marks the existing records I on success and only failures after that point count, so check the stack order if you see the same.

Within the counting window (fail_interval, 900 seconds by default) 5 wrong passwords lock the user whether or not they are consecutive.
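To make the V/I semantics and the counting window concrete, here is an added Python example that parses faillock output and computes the lock state the way pam_faillock(8) describes it. It is example code written for this page, not code from the original notes or from Linux-PAM. Assumptions: the records follow the `faillock --user` layout (When, Type, Source, Valid columns); valid (V) records within fail_interval seconds of the newest record are counted; the user is locked once that count reaches deny and stays locked for unlock_time seconds after the newest record (unlock_time=0 meaning until `faillock --reset`); records marked I never count. The tally inside it is constructed, not captured from a host: it is the test above as it would look when the successful 3rd login did reach authsucc, so the first two records are I.

```python
"""Interpret faillock(8) output the way pam_faillock counts failures.

Added example for this page, not code from the original notes or from
Linux-PAM.  Assumed rules (from pam_faillock(8)): valid (V) records within
fail_interval seconds of the newest record count; the user is locked once
the count reaches deny and stays locked for unlock_time seconds after the
newest record (unlock_time=0 means until `faillock --reset`).  Records
marked I by a successful login never count.  SAMPLE is constructed.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed tally: two failures that a successful login marked I, then four
# new failures (the section 5 test with a stack whose success path works).
SAMPLE = """\
admin:
When                Type  Source                                           Valid
2021-03-08 09:00:01 RHOST 10.0.0.5                                         I
2021-03-08 09:00:09 RHOST 10.0.0.5                                         I
2021-03-08 09:01:30 RHOST 10.0.0.5                                         V
2021-03-08 09:01:38 RHOST 10.0.0.5                                         V
2021-03-08 09:01:45 RHOST 10.0.0.5                                         V
2021-03-08 09:01:52 RHOST 10.0.0.5                                         V
"""


@dataclass
class Record:
    when: datetime
    kind: str      # TTY or RHOST
    source: str
    valid: bool    # True for V, False for I


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_faillock(text):
    """Return {user: [Record, ...]} from `faillock` or `faillock --user` output."""
    users, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("When"):
            continue
        if line.endswith(":") and not line[0].isdigit():   # "admin:" user header
            current = line[:-1]
            users[current] = []
            continue
        f = line.split()
        users[current].append(Record(parse_ts(f[0] + " " + f[1]), f[2],
                                     " ".join(f[3:-1]), f[-1] == "V"))
    return users


def counted_failures(records, fail_interval=900):
    """Valid records within fail_interval seconds of the newest record."""
    if not records:
        return 0
    latest = max(r.when for r in records)
    return sum(1 for r in records
               if r.valid and (latest - r.when).total_seconds() < fail_interval)


def is_locked(records, now, deny=3, unlock_time=300, fail_interval=900):
    """Would preauth refuse this user at `now` (a 'YYYY-MM-DD HH:MM:SS' string)?"""
    if counted_failures(records, fail_interval) < deny:
        return False
    latest = max(r.when for r in records)
    elapsed = (parse_ts(now) - latest).total_seconds()
    return unlock_time == 0 or elapsed < unlock_time


def after_successful_login(records):
    """What authsucc (or the account-phase entry) does: keep the records, mark them I."""
    return [Record(r.when, r.kind, r.source, False) for r in records]


if __name__ == "__main__":
    recs = parse_faillock(SAMPLE)["admin"]
    print("counted failures:", counted_failures(recs))
    print("deny=3, unlock_time=300, at 09:02:00:", is_locked(recs, "2021-03-08 09:02:00"))
    print("deny=5, unlock_time=60,  at 09:02:00:",
          is_locked(recs, "2021-03-08 09:02:00", deny=5, unlock_time=60))
```

With the section 3 values (deny=3, unlock_time=300) the four V records lock admin until 09:06:52; with the section 5 values (deny=5, unlock_time=60) they do not, which is exactly why the observation above only makes sense if the two earlier records were still V. Feed `parse_faillock` the output of `faillock` on a host to apply the same reading to real tallies.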
From: charlie_linux > 《Linux》