
Lock accounts after failed logins

RedHat 8

NOTE:

  • RH8 adds a faillock configuration file, /etc/security/faillock.conf.

    Options given on the pam_faillock.so lines in system-auth / password-auth override the same options in faillock.conf. Every pam_faillock.so line parses its own options, so on RH8 the simplest setup is to set deny, fail_interval, unlock_time and dir once in faillock.conf and leave the PAM lines bare.

  • unlock_time - seconds after the lock-out before the account is unlocked automatically (600 in the examples below, which is also the default).
  • deny - number of consecutive failed attempts that triggers the lock-out (3 in the examples, also the default).
  • fail_interval - window in seconds within which the failures must occur to count as consecutive (900 in the examples, also the default).
  • Create a separate tally directory for faillock (optional)

    TIP: If dir is not specified, the default directory is /var/run/faillock. A custom directory needs the faillog_t SELinux file context (set it with semanage fcontext and restorecon), which the default directory already carries; without it pam_faillock running under sshd can be denied write access and no failures are recorded.

    mkdir /var/log/faillock

    Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth

    # for auth
    # faillock preauth: add this line BEFORE pam_unix.so
    auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 fail_interval=900 unlock_time=600
    #

    auth sufficient pam_unix.so try_first_pass nullok

    # faillock authfail: add this line AFTER pam_unix.so, never before it.
    # An authfail call placed before the password check is reached on every
    # attempt and records a failure even when the password is correct.
    auth [default=die] pam_faillock.so authfail dir=/var/log/faillock deny=3 fail_interval=900 unlock_time=600
    #

    # for account
    # faillock: add this line BEFORE pam_unix.so (it resets the tally after a
    # successful login, so it must point at the same dir)
    account required pam_faillock.so dir=/var/log/faillock
    #

    account required pam_unix.so

    Each pam_faillock.so invocation reads only the options on its own line, so dir, deny, fail_interval and unlock_time must be identical on the preauth and authfail lines (and dir on the account line); if they differ, the lines read and write different tally files or apply different thresholds and the lock-out never triggers. On RH8 you can instead leave the options off these lines and set them once in /etc/security/faillock.conf.


RedHat 6

    Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth

    # for auth
    # add the below line BEFORE pam_unix.so
    auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600 # insert this

    auth sufficient pam_unix.so nullok try_first_pass

    # add the below line AFTER pam_unix.so
    auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600 # insert this

    # for account
    # add the below line BEFORE pam_unix.so
    account required pam_faillock.so # insert this

    account required pam_unix.so

    root is not locked by default. To lock root too, add even_deny_root to both the preauth and authfail lines (root_unlock_time gives root its own unlock time), for example:

    auth    required    pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=1200 root_unlock_time=600

    To exempt specific users, add this line immediately before the first pam_faillock.so line; success=1 skips exactly one module, so it must sit directly above the preauth line:

    auth [success=1 default=ignore] pam_succeed_if.so user in user1:user2:user3

    The authfail line after pam_unix.so is not skipped by this, so the exempted users' failures are still recorded and still show up in the faillock listing.
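The ordering and option-consistency rules above are easy to get wrong by hand, so here is an added shell example (not from the original page or from Red Hat's documentation) that lints a copy of a PAM stack file for exactly those mistakes: an authfail call placed before pam_unix.so, a preauth call placed after it, and dir/deny/fail_interval/unlock_time values that differ between the pam_faillock.so lines. The two sample stacks it writes are constructed for the demo, and the function names and the file names bad and good are this example's own.

```shell
# Added example: lint a PAM stack file (e.g. a copy of /etc/pam.d/system-auth)
# for pam_faillock ordering and option-consistency mistakes. Only reads the file.

# Print the value of option $2 (dir, deny, ...) from every "auth ... pam_faillock.so"
# line, one per line; "-" marks a line that does not set it. The account-phase
# line is left out on purpose: it normally carries only dir.
faillock_option_values() {  # $1 = PAM file, $2 = option name
    awk -v opt="$2" '
        $1 == "auth" && /pam_faillock\.so/ {
            v = "-"
            for (i = 3; i <= NF; i++) { split($i, kv, "="); if (kv[1] == opt) v = kv[2] }
            print v
        }' "$1"
}

# Report problems: prints one finding per line, returns 1 if there were any.
check_faillock_stack() {  # $1 = PAM file
    local file=$1 rc=0 unix n opt distinct
    unix=$(awk '$1 == "auth" && /pam_unix\.so/ { print NR; exit }' "$file")
    if [ -z "$unix" ]; then
        echo "no 'auth ... pam_unix.so' line found"
        return 1
    fi
    # preauth must run before the password is checked
    for n in $(awk '$1 == "auth" && /pam_faillock\.so/ && /preauth/ { print NR }' "$file"); do
        [ "$n" -lt "$unix" ] || { echo "line $n: preauth must come BEFORE pam_unix.so"; rc=1; }
    done
    # authfail must run after it: placed before, it is reached on every attempt
    # and records a failure even when the password is correct
    for n in $(awk '$1 == "auth" && /pam_faillock\.so/ && /authfail/ { print NR }' "$file"); do
        [ "$n" -gt "$unix" ] || { echo "line $n: authfail must come AFTER pam_unix.so"; rc=1; }
    done
    # each pam_faillock.so call parses its own options, so they must all agree
    for opt in dir deny fail_interval unlock_time; do
        distinct=$(faillock_option_values "$file" "$opt" | sort -u | awk 'END { print NR }')
        [ "$distinct" -le 1 ] || { echo "option $opt differs between pam_faillock.so lines"; rc=1; }
    done
    return $rc
}

# Constructed sample stacks for the demo (not real system files): "bad" has an
# authfail line before pam_unix.so and dir/deny/fail_interval missing from the
# last auth line; "good" is the corrected stack.
write_sample_stacks() {  # $1 = directory to write into
    cat > "$1/bad" <<'EOF'
auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 fail_interval=900 unlock_time=600
auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=600
auth sufficient pam_unix.so try_first_pass nullok
auth [default=die] pam_faillock.so authfail deny=3 fail_interval=900 unlock_time=600
account required pam_faillock.so
account required pam_unix.so
EOF
    cat > "$1/good" <<'EOF'
auth required pam_faillock.so preauth silent audit dir=/var/log/faillock deny=3 fail_interval=900 unlock_time=600
auth sufficient pam_unix.so try_first_pass nullok
auth [default=die] pam_faillock.so authfail audit dir=/var/log/faillock deny=3 fail_interval=900 unlock_time=600
account required pam_faillock.so dir=/var/log/faillock
account required pam_unix.so
EOF
}

# Demo: lint both samples.
demo_dir=$(mktemp -d)
write_sample_stacks "$demo_dir"
for f in good bad; do
    if check_faillock_stack "$demo_dir/$f"; then echo "$f: OK"; else echo "$f: problems found"; fi
done
rm -rf "$demo_dir"
```

Run check_faillock_stack against a copy of /etc/pam.d/system-auth and /etc/pam.d/password-auth after editing; exit status 0 means the ordering and the options are consistent. The function only reads the file, so it is safe to point at the live files too.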

    How to unlock manually and check locked accounts

    # display the authentication failures for all users
    faillock

    # display the authentication failures for the specified user
    faillock --user mytest

    # unlock the user
    faillock --user mytest --reset

    When a custom dir= is configured, pass the same directory to the tool with its --dir option; otherwise it reads the default /var/run/faillock and shows nothing.

    Tip:

    To confirm the configuration is in effect, watch /var/log/secure; when a user's failures reach the configured count, a message like the following should appear:

    Mar 8 15:26:08 centos7 sshd[26995]: pam_faillock(sshd:auth): Consecutive login failures for user i04181 account temporarily locked
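As an added example (not from the original page), the following shell snippet makes that log check scriptable: it scans a /var/log/secure-style file for the pam_faillock lock-out message and reports how many times each user hit the threshold. The embedded log lines are constructed to match the format shown above; the host, users, addresses and PIDs are made up.

```shell
# Added example: count pam_faillock lock-out messages per user in a
# /var/log/secure-style file. Reads the file only.

# Print "count user" for every user that hit the lock-out threshold, highest first.
locked_users_from_log() {  # $1 = log file
    awk '/pam_faillock\(.*:auth\): Consecutive login failures for user .* account temporarily locked/ {
             for (i = 1; i <= NF; i++) if ($i == "user") { locks[$(i + 1)]++; break }
         }
         END { for (u in locks) print locks[u], u }' "$1" | sort -rn
}

# Number of lock-out messages for one user (0 if none).
lock_count() {  # $1 = log file, $2 = user
    local c
    c=$(locked_users_from_log "$1" | awk -v u="$2" '$2 == u { print $1 }')
    echo "${c:-0}"
}

# Constructed sample in the format the page shows; host, users, addresses and
# PIDs are made up, not captured from a real system.
write_sample_secure_log() {  # $1 = output file
    cat > "$1" <<'EOF'
Mar 8 15:25:50 centos7 sshd[26995]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=i04181
Mar 8 15:26:08 centos7 sshd[26995]: pam_faillock(sshd:auth): Consecutive login failures for user i04181 account temporarily locked
Mar 8 15:40:12 centos7 sshd[27103]: pam_faillock(sshd:auth): Consecutive login failures for user i04181 account temporarily locked
Mar 8 15:41:02 centos7 sshd[27110]: pam_faillock(sshd:auth): Consecutive login failures for user deploy account temporarily locked
Mar 8 15:42:00 centos7 sshd[27120]: Accepted publickey for admin from 10.0.0.7 port 51000 ssh2
EOF
}

# Demo: list users from the sample, then look one up.
sample=$(mktemp)
write_sample_secure_log "$sample"
locked_users_from_log "$sample"
echo "i04181 locked $(lock_count "$sample" i04181) time(s)"
rm -f "$sample"
```

On a real host run locked_users_from_log /var/log/secure. The message is written at the moment the threshold is crossed, so pair it with faillock --user to see whether the user is still locked now.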

    Reference tutorials