
Linux pam.d/faillock: CentOS 7.2 has no pam_faillock.so

CentOS 7.2 has no pam_faillock.so

Introduction

The Linux-PAM 1.5.0 release notes state:

Removed deprecated pam_tally and pam_tally2 modules, use pam_faillock instead.

So a login-failure lockout has to be built with pam_tally2 on the older PAM that still ships it (the CentOS 7.2 box in the title), and with pam_faillock on newer PAM. Both configurations follow.

  • pam_tally2 configuration (older PAM that still has pam_tally2.so). The original first command used `1s/^/.../`, which glues the rule onto the existing first line (`#%PAM-1.0`) without a newline; `1 i` inserts it as its own line at the top of the file, which is what both commands should do. The rule has to sit before pam_unix.so, which line 1 guarantees. pam_tally2 also expects an account-phase entry (`account required pam_tally2.so`) so that the counter is cleared after a successful login; without it, failures accumulate across sessions until the account locks.
sed -i '1 i auth required pam_tally2.so  onerr=fail deny=5 unlock_time=600 even_deny_root root_unlock_time=60' /etc/pam.d/login
sed -i '1 i auth required pam_tally2.so  onerr=fail deny=5 unlock_time=600 even_deny_root root_unlock_time=60' /etc/pam.d/sshd

Create the tally directory

mkdir /var/log/faillock

pam_faillock keeps one record file per user in this directory. Its built-in default is /var/run/faillock, which sits on tmpfs and is emptied at every reboot; /var/log/faillock persists, so a lock survives a restart of the box. The directory must be owned by root and not writable by other users, or anyone could clear their own failure records.

Configuration

  1. Remote login file /etc/pam.d/sshd (on CentOS the stock file pulls its auth stack in with `auth substack password-auth`; if that line is kept, the four pam_faillock lines belong in /etc/pam.d/password-auth instead, and in system-auth for local logins)
auth     requisite                    pam_faillock.so    preauth
auth     [success=1 default=bad]      pam_unix.so        shadow nullok
auth     [default=die]                pam_faillock.so    authfail
auth     sufficient                   pam_faillock.so    authsucc

account    required     pam_unix.so shadow nullok
password   required     pam_unix.so shadow nullok
session    required     pam_unix.so shadow nullok
session    required     pam_loginuid.so
  • success=1: when pam_unix.so succeeds, skip the next one line (the authfail line). On any other result (default=bad) the result is remembered as a failure and the next line, authfail, runs.
  • default=die: when authfail runs it records the failure and the stack terminates immediately with an error, so the authsucc line is never reached. authsucc must run after a correct password because that is what clears the user's failure records; if it never runs, old failures keep accumulating until the account locks.
  • nullok on the pam_unix.so auth line lets accounts with an empty password authenticate; leave it out unless that is intended.
  2. faillock configuration file /etc/security/faillock.conf
dir = /var/log/faillock
deny = 5
fail_interval = 180
unlock_time = 600

even_deny_root		# root is locked out too
root_unlock_time = 60
  • dir must be the directory created above, and the faillock command must be given the same path with --dir.
  • deny=5 failures within fail_interval=180 seconds lock the account; the lock lifts unlock_time=600 seconds after the latest failure (root_unlock_time=60 seconds for root, which is only locked at all because even_deny_root is set).
  • /etc/security/faillock.conf is only read by pam_faillock from Linux-PAM 1.4.0 on (and by distribution builds that backported it). On an older pam_faillock the same options go on the pam_faillock.so lines themselves, e.g. `authfail deny=5 unlock_time=600`.
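The sshd stack and faillock.conf above are easy to get subtly wrong (a `required` left on pam_unix.so, the faillock lines in the wrong order, deny raised during debugging and never lowered). The script below is an added example, not code from the original article or from Linux-PAM: it audits a PAM service file for the exact shape of the four-line stack and checks faillock.conf against the article's values. The function names, the thresholds and the sample files it writes are all mine; it is plain sh plus POSIX awk and does not follow `include`/`substack` directives.

```shell
#!/bin/sh
# Added example, not code from the original article or from Linux-PAM: an audit
# that checks (a) that a PAM service file wires pam_faillock in the order the
# article's /etc/pam.d/sshd fragment uses and (b) that faillock.conf carries the
# limits the article sets.  Paths are arguments so it can be run against copies
# of the real files; the files write_samples creates are constructed test data,
# and the function names are mine.  Plain sh + POSIX awk; `include`/`substack`
# directives are not followed, so point it at the file that really holds the stack.

# pam_faillock_check PAMFILE
#   prints "ok" (exit 0) when the auth stack reads
#     preauth -> pam_unix [success=1 default=bad] -> authfail [default=die] -> authsucc sufficient
#   otherwise prints the first problem found (exit 1).
pam_faillock_check() {
    awk '
        { sub(/#.*/, "") }                       # drop comments, incl. the #%PAM-1.0 header
        $1 != "auth" { next }                    # only the auth stack matters here
        /pam_faillock\.so/ && /preauth/  { preauth = NR }
        /pam_unix\.so/ && !unixline      { unixline = NR; c1 = $2; c2 = $3 }
        /pam_faillock\.so/ && /authfail/ { authfail = NR; fctl = $2 }
        /pam_faillock\.so/ && /authsucc/ { authsucc = NR; sctl = $2 }
        END {
            if (!preauth)               { print "missing pam_faillock.so preauth line"; exit 1 }
            if (!unixline)              { print "no pam_unix.so auth line (behind include/substack?)"; exit 1 }
            if (!authfail || !authsucc) { print "missing authfail or authsucc line"; exit 1 }
            if (!(preauth < unixline && unixline < authfail && authfail < authsucc))
                                        { print "faillock lines out of order"; exit 1 }
            if (c1 != "[success=1" || c2 != "default=bad]")
                                        { print "pam_unix control is not [success=1 default=bad]"; exit 1 }
            if (fctl != "[default=die]") { print "authfail control is not [default=die]"; exit 1 }
            if (sctl != "sufficient")   { print "authsucc control is not sufficient"; exit 1 }
            print "ok"
        }' "$1"
}

# faillock_conf_get CONF KEY -> prints the value, "yes" for a bare flag such as
# even_deny_root, nothing if the key is absent.  Comments and "key = value" spacing
# are handled the way faillock.conf is written in the article.
faillock_conf_get() {
    awk -v key="$2" '
        { sub(/#.*/, ""); n = split($0, kv, "=") }
        n == 0 || kv[1] ~ /^[ \t]*$/ { next }
        {
            gsub(/^[ \t]+|[ \t]+$/, "", kv[1])
            if (kv[1] != key) next
            if (n == 1) { print "yes"; exit }
            gsub(/^[ \t]+|[ \t]+$/, "", kv[2]); print kv[2]; exit
        }' "$1"
}

# faillock_conf_audit CONF -> "ok" (exit 0) when deny <= 5, unlock_time >= 600 and
# even_deny_root is set (the article's values); otherwise the first problem (exit 1).
faillock_conf_audit() {
    deny=$(faillock_conf_get "$1" deny)
    unlock=$(faillock_conf_get "$1" unlock_time)
    root=$(faillock_conf_get "$1" even_deny_root)
    case "$deny"   in ''|*[!0-9]*) echo "deny missing or not numeric"; return 1;; esac
    case "$unlock" in ''|*[!0-9]*) echo "unlock_time missing or not numeric"; return 1;; esac
    [ "$deny" -le 5 ]     || { echo "deny=$deny is above 5"; return 1; }
    [ "$unlock" -ge 600 ] || { echo "unlock_time=$unlock is below 600"; return 1; }
    [ "$root" = yes ]     || { echo "even_deny_root not set: root is never locked"; return 1; }
    echo ok
}

# write_samples DIR: constructed files for a stand-alone run (not real system files).
write_samples() {
    cat > "$1/sshd.good" <<'EOF'
#%PAM-1.0
auth     requisite                    pam_faillock.so    preauth
auth     [success=1 default=bad]      pam_unix.so        shadow nullok
auth     [default=die]                pam_faillock.so    authfail
auth     sufficient                   pam_faillock.so    authsucc
account  required                     pam_unix.so
EOF
    # common mistake: pam_unix.so left as "required", so a good password still reaches authfail
    cat > "$1/sshd.bad" <<'EOF'
#%PAM-1.0
auth     requisite                    pam_faillock.so    preauth
auth     required                     pam_unix.so        shadow nullok
auth     [default=die]                pam_faillock.so    authfail
auth     sufficient                   pam_faillock.so    authsucc
EOF
    cat > "$1/faillock.conf" <<'EOF'
dir = /var/log/faillock
deny = 5
fail_interval = 180
unlock_time = 600

even_deny_root		# root is locked out too
root_unlock_time = 60
EOF
}

# Stand-alone demo on the constructed files.
tmp=$(mktemp -d)
write_samples "$tmp"
for f in sshd.good sshd.bad; do
    printf '%s: %s\n' "$f" "$(pam_faillock_check "$tmp/$f")"
done
printf 'faillock.conf: %s (dir=%s)\n' "$(faillock_conf_audit "$tmp/faillock.conf")" \
    "$(faillock_conf_get "$tmp/faillock.conf" dir)"
rm -rf "$tmp"
```

Against a real box, copy /etc/pam.d/sshd (or password-auth, if sshd only says `auth substack password-auth`) and /etc/security/faillock.conf somewhere and call `pam_faillock_check` and `faillock_conf_audit` on the copies. The `dir` value the parser returns is the path to hand to `faillock --dir`.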

Test

After a couple of wrong passwords over SSH, list the user's records from the configured directory:

faillock --dir /var/log/faillock --user root
root:
When                Type  Source                                           Valid
2021-04-21 09:49:49 RHOST 172.16.254.216                                       V
2021-04-21 09:49:52 RHOST 172.16.254.216                                       V
  • Valid: V marks a record that still counts toward deny; I marks an invalidated record that is ignored. Type RHOST means the failure came from a remote host (the Source column); TTY would mean a local terminal. Two of the five allowed failures have been used here, both from 172.16.254.216.
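The listing above is what faillock knows; whether the next attempt is refused depends on how deny, fail_interval and unlock_time are applied to those records. The block below is an added example, not code from the original article or from Linux-PAM: a sh + awk model of the decision pam_faillock(8) makes at the preauth step, run on constructed record sets in the shape of the listing (timestamps as epoch seconds so nothing depends on `date -d`). The function name and the data are mine; the root exemption (even_deny_root / root_unlock_time) is not modelled.

```shell
#!/bin/sh
# Added example, not code from the original article or from Linux-PAM: a sh + awk
# model of the decision pam_faillock makes at the preauth step from a user's record
# file, following the rules in pam_faillock(8):
#   * only records flagged V (valid) count; I (invalid) ones are ignored;
#   * of those, only failures within fail_interval seconds before the latest one;
#   * deny or more such failures lock the account, and the lock lifts once more than
#     unlock_time seconds have passed since the latest failure
#     (unlock_time=0: only `faillock --reset` unlocks).
# The root exemption (even_deny_root / root_unlock_time) is not modelled.
# Records are read on stdin as "<epoch-seconds> <type> <source> <V|I>", the columns
# of `faillock --user` with the timestamp as epoch seconds.  The record sets below
# are constructed test data and the function name is mine.

# faillock_decide DENY FAIL_INTERVAL UNLOCK_TIME NOW -> prints "locked N" or "open N",
# N being the number of failures that currently count against the user.
faillock_decide() {
    awk -v deny="$1" -v fail_interval="$2" -v unlock_time="$3" -v now="$4" '
        BEGIN { latest = 0; n = 0 }
        $4 == "V" { t[++n] = $1 + 0; if (t[n] > latest) latest = t[n] }
        END {
            count = 0
            for (i = 1; i <= n; i++)
                if (latest - t[i] < fail_interval) count++   # window ends at the latest failure
            if (count >= deny && (unlock_time == 0 || now - latest <= unlock_time))
                print "locked " count
            else
                print "open " count
        }'
}

# Five password failures from one host inside 12 seconds (the article's listing
# continued to the fifth attempt); epoch 1000 is an arbitrary start.
BURST='1000 RHOST 172.16.254.216 V
1003 RHOST 172.16.254.216 V
1005 RHOST 172.16.254.216 V
1009 RHOST 172.16.254.216 V
1012 RHOST 172.16.254.216 V'

# Five failures spread over 200 seconds: the first falls outside fail_interval=180.
SLOW='1000 RHOST 172.16.254.216 V
1050 RHOST 172.16.254.216 V
1100 RHOST 172.16.254.216 V
1150 RHOST 172.16.254.216 V
1200 RHOST 172.16.254.216 V'

# The same burst, but the last record was invalidated (I) and no longer counts.
MIXED='1000 RHOST 172.16.254.216 V
1003 RHOST 172.16.254.216 V
1005 RHOST 172.16.254.216 V
1009 RHOST 172.16.254.216 V
1012 RHOST 172.16.254.216 I'

# Stand-alone run with the article's values: deny=5 fail_interval=180 unlock_time=600
printf 'burst, 88 s later:    %s\n' "$(printf '%s\n' "$BURST" | faillock_decide 5 180 600 1100)"
printf 'burst, 688 s later:   %s\n' "$(printf '%s\n' "$BURST" | faillock_decide 5 180 600 1700)"
printf 'burst, unlock_time=0: %s\n' "$(printf '%s\n' "$BURST" | faillock_decide 5 180 0 99999)"
printf 'slow:                 %s\n' "$(printf '%s\n' "$SLOW"  | faillock_decide 5 180 600 1250)"
printf 'mixed:                %s\n' "$(printf '%s\n' "$MIXED" | faillock_decide 5 180 600 1100)"
```

The SLOW set is the case fail_interval exists for: five failures, but the oldest one is more than 180 s before the latest, so only four count and the account stays open. Lower fail_interval makes a slow guess-and-wait attacker harder to lock out; raise it (or set it to a large value) if slow brute force is the threat you care about.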

faillock commands

faillock --reset # unlock all users
faillock --user user --reset # unlock a single user account

Because dir is set to /var/log/faillock, pass the same --dir /var/log/faillock as in the test above so the tool operates on the configured directory rather than the default one.
