linux尝试登录失败后锁定用户账户的两种方法
<p>本文主要给大家介绍了关于linux尝试登录失败后锁定用户账户的相关内容,分享出来供大家参考学习,下面来一起看看详细的介绍吧。</p>
<p>
<span><strong>pam_tally2模块(方法一)</strong></span></p>
<p>
用于对系统进行失败的ssh登录尝试后锁定用户帐户。此模块保留已尝试访问的计数和过多的失败尝试。</p>
<p>
配置</p>
<p>
使用<code>/etc/pam.d/system-auth</code>或<code>etc/pam.d/password-auth</code>配置文件来配置的登录尝试的访问</p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterbash" id="highlighter_625424">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
<div class="line number2 index1 alt1">
2</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="bash plain">auth required pam_tally2.so deny=3 unlock_time=600</code>
</div>
<div class="line number2 index1 alt1">
<code class="bash plain">account required pam_tally2.so</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
<span><strong>注意:</strong></span></p>
<p>
auth要放到第二行,不然会导致用户超过3次后也可登录。</p>
<p>
如果对root也适用在auth后添加<code>even_deny_root</code>.</p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterbash" id="highlighter_506616">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="bash plain">auth required pam_tally2.so deny=3 even_deny_root unlock_time=600</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
<strong>pam_tally2命令</strong></p>
<p>
查看用户登录失败的信息</p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterbash" id="highlighter_668332">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
<div class="line number2 index1 alt1">
2</div>
<div class="line number3 index2 alt2">
3</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="bash plain">pam_tally2 -u </code><code class="bash functions">test</code>
</div>
<div class="line number2 index1 alt1">
<code class="bash plain">Login Failures Latest failure From</code>
</div>
<div class="line number3 index2 alt2">
<code class="bash functions">test</code> <code class="bash plain">1 06</code><code class="bash plain">/20/17</code> <code class="bash plain">14:18:19 192.168.56.1</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
解锁用户</p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterbash" id="highlighter_202189">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="bash plain">pam_tally2 -u </code><code class="bash functions">test</code> <code class="bash plain">-r</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
<span><strong>pam_faillock 模块(方法二)</strong></span></p>
<p>
在红帽企业版 Linux 6 中,<code> pam_faillock PAM </code>模块允许系统管理员锁定在指定次数内登录尝试失败的用户账户。限制用户登录尝试的次数主要是作为一个安全措施,旨在防止可能针对获取用户的账户密码的暴力破解</p>
<p>
通过 <code>pam_faillock </code>模块,将登录尝试失败的数据储存在 /var/run/faillock 目录下每位用户的独立文件中</p>
<p>
<strong>配置</strong></p>
<p>
添加以下命令行到 <code>/etc/pam.d/system-auth </code>文件和<code>/etc/pam.d/password-auth </code>文件中的对应区段:</p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterbash" id="highlighter_876800">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
<div class="line number2 index1 alt1">
2</div>
<div class="line number3 index2 alt2">
3</div>
<div class="line number4 index3 alt1">
4</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="bash plain">auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600</code>
</div>
<div class="line number2 index1 alt1">
<code class="bash plain">auth sufficient pam_unix.so nullok try_first_pass</code>
</div>
<div class="line number3 index2 alt2">
<code class="bash plain">auth pam_faillock.so authfail audit deny=3</code>
</div>
<div class="line number4 index3 alt1">
<code class="bash plain">account required pam_faillock.so</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
<span><strong>注意:</strong></span></p>
<p>
<code>auth required pam_faillock.so preauth silent audit deny=3</code> 必须在最前面。</p>
<p>
适用于root在<code>pam_faillock</code> 条目里添加 <code>even_deny_root</code> 选项</p>
<p>
<strong>faillock命令</strong></p>
<p>
查看每个用户的尝试失败次数</p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterbash" id="highlighter_136079">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
<div class="line number2 index1 alt1">
2</div>
<div class="line number3 index2 alt2">
3</div>
<div class="line number4 index3 alt1">
4</div>
<div class="line number5 index4 alt2">
5</div>
<div class="line number6 index5 alt1">
6</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="bash plain">$ faillock</code>
</div>
<div class="line number2 index1 alt1">
<code class="bash functions">test</code><code class="bash plain">:</code>
</div>
<div class="line number3 index2 alt2">
<code class="bash plain">When Type Source Valid</code>
</div>
<div class="line number4 index3 alt1">
<code class="bash plain">2017-06-20 14:29:05 RHOST 192.168.56.1 V</code>
</div>
<div class="line number5 index4 alt2">
<code class="bash plain">2017-06-20 14:29:14 RHOST 192.168.56.1 V</code>
</div>
<div class="line number6 index5 alt1">
<code class="bash plain">2017-06-20 14:29:17 RHOST 192.168.56.1 V</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
解锁一个用户的账户</p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterbash" id="highlighter_561445">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="bash plain">faillock --user <username> --reset</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
<span><strong>总结</strong></span></p>
<p>
以上就是这篇文章的全部内容了,希望本文的内容对大家的学习或者工作能带来一定的帮助,如果有疑问大家可以留言交流,谢谢大家对的支持。</p>
<p>
原文链接:https://carey.akhack.com/2017/06/20/linux登录尝试失败后锁定用户账户/</p>
頁:
[1]