How to lock a user out of a system after a set number of failed login attempts?

 Updated 2 May 2014, 11:09

Issue

  • How to lock a user out of a system after a set number of failed login attempts?

Environment

  • Red Hat Enterprise Linux 4
  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6

Resolution

Pluggable Authentication Modules (PAM) ships the pam_tally login counter module. pam_tally keeps a per-user count of login attempts, resets the counter on a successful login, and can lock out a user after a configurable number of failed attempts.

In the auth phase of /etc/pam.d/system-auth (and, on Red Hat Enterprise Linux 6, /etc/pam.d/password-auth) the pam_tally deny parameter limits the number of failed login attempts. Once a user's tally exceeds the deny value, further logins are refused, even with the correct password, until the counter is reset.

The examples below allow a maximum of 3 failed login attempts before the user's account is locked.

With Red Hat Enterprise Linux 3 and 4, two pam_tally entries need to be added to /etc/pam.d/system-auth, one in the auth phase and one in the account phase:

auth     required        /lib/security/$ISA/pam_tally.so onerr=fail
account  required        /lib/security/$ISA/pam_tally.so deny=3 reset

See below for a complete example of implementing this type of policy:

# cat /etc/pam.d/system-auth
auth     required        /lib/security/$ISA/pam_env.so
auth     required        /lib/security/$ISA/pam_tally.so onerr=fail
auth     sufficient      /lib/security/$ISA/pam_unix.so likeauth nullok
auth     required        /lib/security/$ISA/pam_deny.so

account  required        /lib/security/$ISA/pam_unix.so
account  required        /lib/security/$ISA/pam_tally.so deny=3 reset
.... snip .....

The options used above are described below:

  • onerr=fail : If the module hits an error, for example it cannot open the tally file, it returns failure and the login is refused. (With onerr=succeed the error would be ignored and the lockout silently bypassed.)
  • deny=3 : Deny access once the tally for this user exceeds 3.
  • reset : Reset the failure count to 0 after a successful login.

For more information refer to /usr/share/doc/pam-<version>/txts/README.pam_tally

With Red Hat Enterprise Linux 5, add the following pam_tally.so lines to /etc/pam.d/system-auth:

auth     required      pam_tally.so onerr=fail deny=3
account  required      pam_tally.so

After the change, /etc/pam.d/system-auth looks like this:

auth     required      pam_env.so
auth     required      pam_tally.so onerr=fail deny=3
auth     sufficient    pam_unix.so nullok try_first_pass
auth     requisite     pam_succeed_if.so uid >= 500 quiet
auth     required      pam_deny.so

account  required      pam_unix.so
account  required      pam_tally.so
account  sufficient    pam_localuser.so
account  sufficient    pam_succeed_if.so uid < 500 quiet
account  required      pam_permit.so
.... snip ....

Note: The reset option is not necessary on Red Hat Enterprise Linux 5. For more information, refer to the manual page by running "man pam_tally".

With Red Hat Enterprise Linux 6, pam_tally2 replaces pam_tally, so these are the lines to add to both /etc/pam.d/system-auth and /etc/pam.d/password-auth (system-auth is used by local logins, password-auth by network services such as sshd; adding the lines to only one file leaves the other login path without a lockout):

auth     required      pam_tally2.so onerr=fail deny=3
account  required      pam_tally2.so

After the change, /etc/pam.d/system-auth looks like this:

auth     required      pam_env.so
auth     required      pam_tally2.so onerr=fail deny=3
auth     sufficient    pam_unix.so nullok try_first_pass
auth     requisite     pam_succeed_if.so uid >= 500 quiet
auth     required      pam_deny.so

account  required      pam_unix.so
account  required      pam_tally2.so
account  sufficient    pam_localuser.so
account  sufficient    pam_succeed_if.so uid < 500 quiet
account  required      pam_permit.so
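The following script is added here as an example; it is not part of the Red Hat article and not Red Hat tooling. It audits a PAM stack file for the pam_tally/pam_tally2 settings discussed above, recognising all three layouts shown (the full-path form used on Red Hat Enterprise Linux 4 and the short forms used on 5 and 6), reports the effective deny, onerr and unlock_time values, and flags configurations that leave the lockout ineffective. The sample files it writes are constructed for the demonstration; unlock_time and even_deny_root are pam_tally2 options that the article's own examples do not use.

```shell
#!/bin/sh
# Audit PAM stack files for a pam_tally / pam_tally2 lockout policy.
# Added example for this article, not Red Hat's own tooling. It only reads
# the file it is given, so it can be pointed at /etc/pam.d/system-auth on a
# real host or at the constructed sample files written by make_samples.

# Summarise the lockout settings found in one PAM file.
# Output: "<module> deny=<n> onerr=<fail|succeed> unlock_time=<secs|never> even_deny_root=<yes|no>"
# or "none" when no tally module line carries a deny= option.
pam_lockout_status() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }          # comments, blanks
        ($1 == "auth" || $1 == "account") && $3 ~ /pam_tally2?\.so$/ {
            module = $3; sub(/.*\//, "", module)               # drop /lib/security/$ISA/
            for (i = 4; i <= NF; i++) {                        # options follow the module
                if ($i ~ /^deny=/)             { sub(/^deny=/, "", $i); deny = $i }
                else if ($i ~ /^onerr=/)       { sub(/^onerr=/, "", $i); onerr = $i }
                else if ($i ~ /^unlock_time=/) { sub(/^unlock_time=/, "", $i); unlock = $i }
                else if ($i == "even_deny_root" || $i == "even_deny_root_account") root = "yes"
            }
        }
        END {
            if (deny == "") { print "none"; exit }
            if (onerr == "")  onerr = "fail"      # documented default for both modules
            if (unlock == "") unlock = "never"    # no unlock_time: an admin must reset
            if (root == "")   root = "no"
            printf "%s deny=%s onerr=%s unlock_time=%s even_deny_root=%s\n", module, deny, onerr, unlock, root
        }
    ' "$1"
}

# Print one line per weakness found in the policy; return 1 if any was found.
pam_lockout_warnings() {
    summary=$(pam_lockout_status "$1")
    rc=0
    case "$summary" in
        none) echo "no deny= option on any pam_tally/pam_tally2 line: failed logins never lock the account"
              return 1 ;;
    esac
    case "$summary" in
        *" onerr=succeed "*) echo "onerr=succeed: an unreadable tally file silently disables the lockout"; rc=1 ;;
    esac
    case "$summary" in
        *" unlock_time=never "*) echo "no unlock_time: a locked account stays locked until an administrator resets the counter"; rc=1 ;;
    esac
    return $rc
}

# Write constructed sample files (not real host configuration) to a temporary
# directory and print its name.
make_samples() {
    dir=$(mktemp -d)
    # Red Hat Enterprise Linux 4 layout: full module path, deny= on the account line
    cat > "$dir/rhel4" <<'EOF'
auth     required        /lib/security/$ISA/pam_env.so
auth     required        /lib/security/$ISA/pam_tally.so onerr=fail
auth     sufficient      /lib/security/$ISA/pam_unix.so likeauth nullok
account  required        /lib/security/$ISA/pam_unix.so
account  required        /lib/security/$ISA/pam_tally.so deny=3 reset
EOF
    # Red Hat Enterprise Linux 6 layout, as in the article
    cat > "$dir/rhel6" <<'EOF'
# comment lines and blank lines are ignored

auth     required      pam_env.so
auth     required      pam_tally2.so onerr=fail deny=3
auth     sufficient    pam_unix.so nullok try_first_pass
account  required      pam_tally2.so
EOF
    # Hardened: automatic unlock after 15 minutes, root denied as well
    cat > "$dir/hardened" <<'EOF'
auth     required      pam_tally2.so onerr=fail deny=5 unlock_time=900 even_deny_root
account  required      pam_tally2.so
EOF
    # Weak: tally module loaded but no deny=, and tally-file errors ignored
    cat > "$dir/weak" <<'EOF'
auth     required      pam_tally2.so onerr=succeed
account  required      pam_tally2.so
EOF
    echo "$dir"
}

# Stand-alone run: audit each constructed sample and show the findings.
samples=$(make_samples)
for f in "$samples/rhel4" "$samples/rhel6" "$samples/hardened" "$samples/weak"; do
    echo "== $f"
    pam_lockout_status "$f"
    pam_lockout_warnings "$f" || :
done
rm -rf "$samples"
```

Run it against a real host with `pam_lockout_status /etc/pam.d/system-auth` (and password-auth on Red Hat Enterprise Linux 6). The "unlock_time=never" finding is informational: the article's examples deliberately rely on a manual reset, but a permanent lock means anyone who can reach the login prompt can lock out an arbitrary user, so a bounded unlock_time is usually the better trade-off.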

With pam_tally (Red Hat Enterprise Linux 4 and 5) the counters are kept in /var/log/faillog, and the faillog command reports the number of failed login attempts for a specific user:

# faillog -u <username>

To manually unlock a locked user account, reset the counter:

# faillog -u <username> -r

With pam_tally2 (Red Hat Enterprise Linux 6) the counters are kept in /var/log/tallylog instead, and faillog does not see them; use the pam_tally2 command to display and reset them:

# pam_tally2 --user <username>
# pam_tally2 --user <username> --reset

None of the examples above set unlock_time, so a locked account stays locked until an administrator resets the counter. pam_tally2 accepts unlock_time=<seconds> to lift the lock automatically, which limits the damage from someone deliberately locking out accounts by entering wrong passwords. Note also that by default pam_tally2 does not lock the root account unless even_deny_root is given.
