55.2.1. pam_tally2.so
此模块的功能是,登陆错误输入密码3次,5分钟后自动解禁,在未解禁期间输入正确密码也无法登陆。
在配置文件 /etc/pam.d/sshd 顶端加入
auth required pam_tally2.so deny=3 onerr=fail unlock_time=300
查看失败次数
# pam_tally2
Login Failures Latest failure From
root 14 07/12/13 15:44:37 192.168.6.2
neo 8 07/12/13 15:45:36 192.168.6.2
重置计数器
# pam_tally2 -r -u root
Login Failures Latest failure From
root 14 07/12/13 15:44:37 192.168.6.2
# pam_tally2 -r -u neo
Login Failures Latest failure From
neo 8 07/12/13 15:45:36 192.168.6.2
pam_tally2 计数器日志保存在 /var/log/tallylog 注意,这是二进制格式的文件
例 55.1. /etc/pam.d/sshd - pam_tally2.so
# cat /etc/pam.d/sshd
#%PAM-1.0
auth required pam_tally2.so deny=3 onerr=fail unlock_time=300
auth requiredpam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
以上配置root用户不受限制, 如果需要限制root用户,参考下面
auth required pam_tally2.so deny=3 unlock_time=5 even_deny_root root_unlock_time=1800