Lock Account After Failed Logins

RedHat 8

NOTE: RHEL 8 adds a faillock configuration file, /etc/security/faillock.conf. If a parameter is given on the pam_faillock.so line in system-auth, the setting of that same parameter in faillock.conf is ignored.

unlock_time - how long (in seconds) after the account is locked before it is unlocked automatically.
deny - number of failed password attempts allowed before the account is locked.

Create the faillock directory (optional)

TIP: If no directory is specified, the default is /var/run/faillock.

    mkdir /var/log/faillock

Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth:

    # for auth
    # faillock, add the below line BEFORE pam_unix.so
    auth        required      pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 fail_interval=900 unlock_time=600
    #
    auth        sufficient    pam_unix.so try_first_pass nullok
    # faillock, add the below line AFTER pam_unix.so
    # (every pam_faillock.so line must use the same dir=, otherwise the counter
    #  preauth reads is not the one authfail writes and the account never locks)
    auth        [default=die] pam_faillock.so authfail dir=/var/log/faillock deny=3 fail_interval=900 unlock_time=600
    #
    # for account
    # faillock, add the below line BEFORE pam_unix.so
    account     required      pam_faillock.so dir=/var/log/faillock
    #
    account     required      pam_unix.so

RedHat 6

Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth:

    # for auth
    # add the below line BEFORE pam_unix.so
    auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=600    # insert this
    auth        sufficient    pam_unix.so nullok try_first_pass
    # add the below line AFTER pam_unix.so
    auth        [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600          # insert this
    # for account
    # add the below line BEFORE pam_unix.so
    account     required      pam_faillock.so                                                 # insert this
    account     required      pam_unix.so

By default the rule is not applied to root. To restrict root as well, add even_deny_root to the line below:

    auth required pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=1200 root_unlock_time=600

To exclude specific users, add this line before the first pam_faillock.so line (success=1 skips only the single module on the line that follows it):

    auth [success=1 default=ignore] pam_succeed_if.so user in user1:user2:user3

How to manually unlock and check locked accounts

    # display the authentication failures for all users
    faillock
    # display the authentication failures for the specified user
    faillock --user mytest
    # unlock the user
    faillock --user mytest --reset

If dir= was set in the PAM configuration (as in the RedHat 8 example), pass the same directory to the command with --dir, e.g. faillock --dir /var/log/faillock --user mytest; otherwise it reads the default /var/run/faillock.

Tip: To confirm the settings take effect, watch the log file /var/log/secure. When the number of failed logins reaches the configured value, a message like the following should appear:

    Mar 8 15:26:08 centos7 sshd[26995]: pam_faillock(sshd:auth): Consecutive login failures for user i04181 account temporarily locked

VSFTPD

If vsftpd authenticates against system accounts, the account lockout rules apply to it as well.
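The ordering and dir= rules in the RedHat 8 and RedHat 6 sections above are easy to get wrong when editing by hand. The shell check below is an added example, not part of the original notes or of pam_faillock itself: it reads a pam.d stack file, confirms that preauth sits before auth pam_unix.so, authfail after it, the account pam_faillock.so line before account pam_unix.so, and that every pam_faillock.so line agrees on the tally directory (pam_faillock's default is /var/run/faillock). The two sample stacks it writes are constructed for the demonstration; the "bad" one has dir= only on the preauth line, so the counter it reads is never written.

```shell
#!/bin/sh
# Added example: verify a pam.d stack for the pam_faillock layout described above.
# Usage: check_faillock_stack /etc/pam.d/system-auth   (exit 0 = layout OK)
check_faillock_stack() {
    awk -v file="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                 # skip comments and blank lines
        { n++ }                                            # position in the effective stack
        $1 == "auth"    && /pam_faillock\.so/ && /preauth/  && !pre { pre = n }
        $1 == "auth"    && /pam_unix\.so/                   && !ua  { ua  = n }
        $1 == "auth"    && /pam_faillock\.so/ && /authfail/ && !af  { af  = n }
        $1 == "account" && /pam_faillock\.so/               && !ac  { ac  = n }
        $1 == "account" && /pam_unix\.so/                   && !acu { acu = n }
        /pam_faillock\.so/ {
            d = "/var/run/faillock"                        # pam_faillock default tally dir
            for (i = 1; i <= NF; i++) if ($i ~ /^dir=/) d = substr($i, 5)
            if (!(d in dirs)) { dirs[d] = 1; ndirs++ }    # count distinct tally dirs
        }
        END {
            rc = 0
            if (!pre || !ua || pre > ua) { print file ": preauth missing or not before auth pam_unix.so"; rc = 1 }
            if (!af || !ua || af < ua)   { print file ": authfail missing or not after auth pam_unix.so"; rc = 1 }
            if (!ac || !acu || ac > acu) { print file ": account pam_faillock.so missing or not before account pam_unix.so"; rc = 1 }
            if (ndirs != 1) { print file ": pam_faillock.so lines disagree on dir= (preauth reads a tally authfail never writes)"; rc = 1 }
            exit rc
        }' "$1"
}

# Constructed sample stacks (not real system files) so the check can run offline.
write_good_stack() {
    cat > "$1" <<'EOF'
auth        required      pam_env.so
auth        required      pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 fail_interval=900 unlock_time=600
auth        sufficient    pam_unix.so try_first_pass nullok
auth        [default=die] pam_faillock.so authfail dir=/var/log/faillock deny=3 fail_interval=900 unlock_time=600
account     required      pam_faillock.so dir=/var/log/faillock
account     required      pam_unix.so
EOF
}
# Same layout, but dir= only on preauth: authfail and account use the default dir.
write_bad_stack() {
    cat > "$1" <<'EOF'
auth        required      pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3
auth        sufficient    pam_unix.so try_first_pass nullok
auth        [default=die] pam_faillock.so authfail deny=3 unlock_time=600
account     required      pam_faillock.so
account     required      pam_unix.so
EOF
}
```

Run it against both /etc/pam.d/system-auth and /etc/pam.d/password-auth, since sshd and console logins use different stacks.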