1. Check whether the pam_tally2 module is present
Command: whereis pam_tally2
2. Modify the configuration file
1. Server terminal (tty login):
vim /etc/pam.d/system-auth or vim /etc/pam.d/login; either works, because login includes system-auth.
Add to the file:
- auth requisite pam_tally2.so onerr=fail deny=3 unlock_time=600 even_deny_root root_unlock_time=600 (place it after the password-auth line, as shown below)
- account required pam_tally2.so (place it after the postlogin line, as shown below)
If it is a cloud server, you don't need to configure this.
2. SSH remote login:
vim /etc/pam.d/sshd
Add to the file:
- auth requisite pam_tally2.so onerr=fail deny=3 unlock_time=600 even_deny_root root_unlock_time=600 (place it after the password-auth line, as shown below)
- account required pam_tally2.so (place it after the postlogin line, as shown below)
If there is no /etc/pam.d/sshd file, create one and copy in the following content:
#%PAM-1.0
auth substack password-auth
# Must come after password-auth: the password has to be verified first and the tally check applied afterwards; otherwise the failure counter is incremented before ssh has even asked for the password
# unlock_time/root_unlock_time are 600 seconds here, matching the 10-minute lock described below
auth requisite pam_tally2.so onerr=fail deny=3 unlock_time=600 even_deny_root root_unlock_time=600
auth include postlogin
# The following line is required; without it the counter is not reset to zero after a successful login
account required pam_tally2.so
account required pam_sepermit.so
account required pam_nologin.so
account include password-auth
password include password-auth
## pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
## pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session optional pam_motd.so
session include password-auth
session include postlogin
With the lines added above, a normal account or the root account is locked for 10 minutes after 3 consecutive failed logins.
If you do not want to restrict the root account, remove the two parameters even_deny_root and root_unlock_time. root_unlock_time is the lock time for the root account, onerr=fail counts consecutive failures, and deny=3 means the account is locked after more than 3 failed logins.
During the lockout period every attempt, whether the password is correct or not, is treated as a failed login, and the lock timer restarts from the most recent attempt. If the first attempt after the unlock time has elapsed also uses a wrong password, the account is locked again.
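The two ordering rules in the comments above (the pam_tally2 auth line after password-auth, and the account line that resets the counter) are easy to get wrong by hand. The checker below is an added example, not part of the original notes; check_tally2_order and tally2_option are names chosen here, and it only reads the file you pass it.

```shell
#!/bin/sh
# Added example: validate a PAM service file (e.g. /etc/pam.d/sshd) against
# the pam_tally2 rules from the notes above. Exit status 0 means OK.
#   1. "auth ... pam_tally2.so" must come after "auth substack|include password-auth"
#   2. "account required pam_tally2.so" must exist, or the counter never resets
check_tally2_order() {
  file="$1"
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
  awk '
    /^[[:space:]]*#/ || NF == 0 { next }          # skip comments and blank lines
    $1 == "auth" && $2 ~ /^(substack|include)$/ && $3 == "password-auth" && !pw { pw = NR }
    $1 == "auth" && $3 == "pam_tally2.so" && !tally { tally = NR }
    $1 == "account" && $2 == "required" && $3 == "pam_tally2.so" { acct = NR }
    END {
      status = 0
      if (!tally) { print "missing: auth ... pam_tally2.so"; status = 1 }
      else if (!pw) { print "missing: auth substack password-auth"; status = 1 }
      else if (tally < pw) {
        print "wrong order: pam_tally2 (line " tally ") before password-auth (line " pw ")"
        status = 1
      }
      if (!acct) { print "missing: account required pam_tally2.so (counter will not reset)"; status = 1 }
      if (status == 0) print "ok: pam_tally2 ordering is correct"
      exit status
    }' "$file"
}

# Print the value of one option (deny, unlock_time, root_unlock_time, ...)
# from the auth pam_tally2.so line of file $1, so settings can be audited.
tally2_option() {
  awk -v opt="$2" '
    /^[[:space:]]*#/ { next }
    $1 == "auth" && $3 == "pam_tally2.so" {
      for (i = 4; i <= NF; i++)
        if (index($i, opt "=") == 1) { print substr($i, length(opt) + 2); exit }
    }' "$1"
}

# Stand-alone use: check_pam_tally2.sh /etc/pam.d/sshd
if [ "$#" -gt 0 ]; then
  check_tally2_order "$1"
  echo "deny=$(tally2_option "$1" deny) unlock_time=$(tally2_option "$1" unlock_time)"
fi
```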
3. Check that PAM authentication is enabled in /etc/ssh/sshd_config (UsePAM yes). Important!
3. Restart the ssh service
Command: service sshd restart
4. Use the pam_tally2 command to check the login status
Command: pam_tally2 --user=jsw_audit # show the failed-login count for user jsw_audit
Command: pam_tally2 --user=jsw_audit --reset # reset the failed-login count of user jsw_audit to 0; otherwise the user stays locked out once the limit configured above is exceeded