配置启用pam_faillock
sudo nano /etc/pam.d/common-auth
在最上面添加以下内容
auth required pam_faillock.so preauth silent audit
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail audit
sudo nano /etc/pam.d/sshd
添加以下内容
auth required pam_faillock.so preauth silent audit
auth [default=die] pam_faillock.so authfail audit
account required pam_faillock.so
sudo nano /etc/security/faillock.conf
# 失败次数
deny = 5
# 统计时间
fail_interval = 900
# 普通用户锁定600秒
unlock_time = 900
# 启用对root用户的失败锁定,锁定180秒
even_deny_root
root_unlock_time = 900
重启ssh
sudo systemctl restart sshd