1、Linux服务器用户登录失败次数限制(使用pam模块实现)
/etc/pam.d/sshd (远程ssh)
/etc/pam.d/login (终端)
1.1、用户通过ssh登录失败次数的限制
第一步)需要使用pam模块来实现此功能,检查是否有pam_tally2.so文件
# find /lib* -name pam_tally2.so
/lib64/security/pam_tally2.so
第二步)修改配置文件:
# vi /etc/pam.d/sshd
#%PAM-1.0
auth required pam_tally2.so deny=3 unlock_time=300 even_deny_root root_unlock_time=300
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
保存
说明:deny=3 设定连续登录失败3次就开始锁定帐号;unlock_time=300 设定锁定时间是300秒,即5分钟后解锁;even_deny_root 表示root用户也在限制范围内;root_unlock_time=300 表示root解锁的时间300秒。
注意:这一行必须写在最上面,否则会被其他策略覆盖。
1.2、 限制本地登录失败次数
# vi /etc/pam.d/login
#%PAM-1.0
auth required pam_tally2.so deny=3 unlock_time=300
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
-session optional pam_ck_connector.so
保存
1.3、查看登录失败的用户及手动解锁命令
查看所有登录失败用户
# pam_tally2 --user
Login Failures Latest failure From
shen 6 10/14/15 14:35:33 192.168.144.131
手动解锁,重置某用户登录失败次数
# pam_tally2 --user shen --reset
Login Failures Latest failure From
shen 6 10/14/15 14:35:33 192.168.144.131
2、Windows服务器用户登录失败限制
本地安全策略——>帐户策略——>帐户锁定策略