# 登入失敗後鎖定帳號

#### RedHat 8

NOTE:

- RH8 新增一個 faillock 設定檔在 /etc/security/faillock.conf。  
    如果在 system-auth 內有指定參數，會忽略 faillock.conf 相同參數的設定。
- unlock\_time - 帳號鎖定後，經過多久時間會自動解鎖。
- deny - 密碼錯誤次數。

新增目錄 faillock (optional)

> TIP: 如果不指定目錄，預設目錄是 /var/run/faillock。

```
mkdir /var/log/faillock
```

Edit /etc/pam.d/system-auth , /etc/pam.d/password-auth

```
# for auth<br></br># faillock, add the below line BEFORE pam_unix.so<br></br>auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 fail_interval=900 unlock_time=600<br></br>auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=600<br></br>#<br></br><br></br>auth        sufficient    pam_unix.so try_first_pass nullok<br></br><br></br># faillock, add the below line AFTER pam_unix.so<br></br>auth        [default=die] pam_faillock.so authfail deny=3 fail_interval=900 unlock_time=600<br></br>#<br></br><br></br># for account<br></br># faillock, add the below line BEFORE pam_unix.so<br></br>account required pam_faillock.so<br></br>#<br></br><br></br>account     required      pam_unix.so<br></br>
```

#### RedHat 6

Edit /etc/pam.d/system-auth , /etc/pam.d/password-auth

```
# for auth<br></br># add the below line BEFORE pam_unix.so<br></br>auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600  # insert this<br></br><br></br>auth        sufficient    pam_unix.so nullok try_first_pass<br></br><br></br># add the below line AFTER pam_unix.so<br></br>auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600  # insert this<br></br><br></br># for account<br></br># add the below line BEFORE pam_unix.so<br></br>account required pam_faillock.so  # insert this<br></br><br></br>account     required      pam_unix.so
```

預設不會套用在 root；如果需要限制 root，下面這一行加上 `even_deny_root` ：

```
auth    required    pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=1200 root_unlock_time=600
```

如果要排除特定 user，在第一個 `pam_faillock.so` 之前加上這行:

```
auth [success=1 default=ignore] pam_succeed_if.so user in user1:user2:user3
```

如何手動解鎖與檢查被鎖定的帳戶

```
# display the authentication failure for all users <br></br>faillock<br></br><br></br># display the authentication failure for the specified user<br></br>faillock --user mytest<br></br><br></br># unlock the user<br></br>faillock --user mytest --reset
```

> Tip:
> 
> 要確認設定是否有作用，可以監看 log 檔 /var/log/secure，登入錯誤次數達到設定值時，應該要出現下面的訊息。
> 
> Mar 8 15:26:08 centos7 sshd\[26995\]: pam\_faillock(sshd:auth): Consecutive login failures for user i04181 account temporarily locked

#### VSFTPD

如果 vsftpd 使用系統帳號做認證時，也適用帳號鎖定的規則。

#### 參考教學

- \[RH\] [What is pam\_faillock and how to use it in Red Hat Enterprise Linux?](https://access.redhat.com/solutions/62949)
- \[RH\] [Lock account after 3 failed attempts.](https://access.redhat.com/discussions/1404353)
- [Linux 封鎖、解鎖登入失敗次數過多的帳號 pam\_faillock 教學與範例](https://officeguide.cc/linux-pam-tally2-lock-user-accounts-after-failed-login-attempts-tutorial-examples/)