正文:
步骤一:了解背景
从 Rocky Linux 8 & RHEL 8 开始,系统的身份验证模块从 CentOS Linux 7 & RHEL 7 的 pam_tally2 换成了 pam_faillock
步骤二:让 sshd 使用可插入身份验证模块
2.1 修改 sshd 配置文件
# vim /etc/ssh/sshd_config将以下内容:
......
#UsePAM no
......修改为:
......
UsePAM yes
......2.2 让修改 sshd 配置文件生效
# systemctl restart sshd步骤三:让本地登录和 sshd 登录使用密码认证
3.1 确认 /etc/pam.d/login 配置文件
# cat /etc/pam.d/login | grep system-auth确保包含以下内容:
auth substack system-auth
account include system-auth
password include system-auth
session include system-auth3.2 确认 /etc/pam.d/sshd 配置文件
# cat /etc/pam.d/sshd | grep password-auth确保包含以下内容:
auth substack password-auth
account include password-auth
password include password-auth
session include password-auth步骤四:通过自定义配置文件使用 pam_faillock 模块
4.1 检查是否选择了自定义配置文件
4.1.1 检查是否选择了自定义配置文件
# authselect current | awk 'NR == 1 {print $3}' | grep custom/
custom/password-policy(补充:从这里显示的结果可以看出这里选择的自定义配置文件是 custom/password-policy ,如果没有输出则代表没有选择自定义配置文件)
4.1.2 检查选择的自定义配置文件是否生效
# authselect check
Current configuration is valid.(补充:从这里显示的结果可以看出自定义配置文件是生效的)
4.2 如果自定义配置文件存在
4.2.1 在 /etc/authselect/custom/password-policy/system-auth 配置文件中添加 pam_faillock.so 模块和相关参数 (不建议)
# vim /etc/authselect/custom/password-policy/system-auth将以下内容:
......
auth required pam_faillock.so preauth silent {include if "with-faillock"}
......
auth required pam_faillock.so authfail {include if "with-faillock"}
......修改为:
......
auth required pam_faillock.so preauth silent audit even_deny_root deny=6 unlock_time=180 {include if "with-faillock"}
......
auth required pam_faillock.so authfail audit even_deny_root deny=6 unlock_time=180 {include if "with-faillock"}
......(补充:这里以包括 root 用户每使用密码 SSH 远程登录失败 6 次则被锁定 180 秒为例)
(
注意:不建议执行此步骤,执行后正常的 SFTP 登录会被视为登录失败,不过正常的 SSH 登录不受影响。若要确保正常 SFTP 登录不被视为失败登录,则需要确保部分内容如下:
# cat /etc/authselect/custom/password-policy/system-auth
......
auth required pam_faillock.so preauth silent
......
auth required pam_faillock.so authfail
......
account required pam_faillock.so
......)
4.2.2 在 /etc/authselect/custom/password-policy/system-auth 配置文件中设置登录失败几次后提示登录失败
# vim /etc/authselect/custom/password-policy/system-auth将以下内容:
......
password requisite pam_pwquality.so ......
......修改为:
......
password requisite pam_pwquality.so try_first_pass local_users_only enforce-for-root retry=3 ......
......(补充:这里以登录失败 3 次后提示登录失败为例)
4.2.3 在 /etc/authselect/custom/password-policy/password-auth 配置文件中添加 pam_faillock.so 模块和相关参数 (不建议)
# vim /etc/authselect/custom/password-policy/password-auth将以下内容:
......
auth required pam_faillock.so preauth silent {include if "with-faillock"}
......
auth required pam_faillock.so authfail {include if "with-faillock"}
......
修改为:
......
auth required pam_faillock.so preauth silent audit even_deny_root deny=6 unlock_time=180 {include if "with-faillock"}
......
auth required pam_faillock.so authfail audit even_deny_root deny=6 unlock_time=180 {include if "with-faillock"}
......(补充:这里以包括 root 用户每使用密码 SSH 远程登录失败 6 次则被锁定 180 秒为例)
(
注意:不建议执行此步骤,执行后正常的 SFTP 登录会被视为登录失败,不过正常的 SSH 登录不受影响。若要确保正常 SFTP 登录不被视为失败登录,则需要确保部分内容如下:
# cat /etc/authselect/custom/password-policy/password-auth
......
auth required pam_faillock.so preauth silent
......
auth required pam_faillock.so authfail
......
account required pam_faillock.so
......)
4.2.4 在 /etc/authselect/custom/password-policy/password-auth 配置文件中设置登录失败几次后提示登录失败
# vim /etc/authselect/custom/password-policy/password-auth将以下内容:
......
password requisite pam_pwquality.so ......
......修改为:
......
password requisite pam_pwquality.so try_first_pass local_users_only enforce-for-root retry=3 ......
......(补充:这里以登录失败 3 次后提示登录失败为例)
4.3 如果自定义配置文件不存在
4.3.1 生成新的自定义配置文件
4.3.1.1 备份当前的自定义配置文件
# authselect apply-changes -b --backup=sssd.backup(补充:这里以创建 sssd.backup 备份文件为例)
4.3.1.2 创建新的自定义配置文件
# authselect create-profile password-policy -b sssd --symlink-meta --symlink-pam(补充:这里以生成名为 password-policy 的自定义配置文件为例)
4.3.1.3 选择新的自定义配置文件
4.3.1.3.1 选择新的自定义配置文件
# authselect select custom/password-policy with-sudo with-faillock without-nullok with-mkhomedir --force(
补充:
1) 这里以选择名为 password-policy 的自定义配置文件为例
2) 这里设置了 with-sudo、with-faillock、without-nullok 和 with-mkhomedir 参数
)
(注意:使用了 with-mkhomedir 参数后,会提示需要开启 oddjobd)
4.3.1.3.2 满足选择新的自定义配置文件时 with-mkhomedir 参数的要求
# dnf install oddjob ; systemctl enable --now oddjobd.service4.3.1.4 显示当前选择的自定义配置文件
# authselect current(补充:这里以生成并选择名为 password-policy 的自定义配置文件为例)
4.3.2 修改自定义配置文件
4.3.2.1 在 /etc/authselect/custom/password-policy/system-auth 配置文件中添加 pam_faillock.so 模块和相关参数 (不建议)
# vim /etc/authselect/custom/password-policy/system-auth将以下内容:
......
auth required pam_faillock.so preauth silent {include if "with-faillock"}
......
auth required pam_faillock.so authfail {include if "with-faillock"}
......修改为:
......
auth required pam_faillock.so preauth silent audit even_deny_root deny=6 unlock_time=180 {include if "with-faillock"}
......
auth required pam_faillock.so authfail audit even_deny_root deny=6 unlock_time=180 {include if "with-faillock"}
......(补充:这里以包括 root 用户每使用密码 SSH 远程登录失败 6 次则被锁定 180 秒为例)
(
注意:不建议执行此步骤,执行后正常的 SFTP 登录会被视为登录失败,不过正常的 SSH 登录不受影响。若要确保正常 SFTP 登录不被视为失败登录,则需要确保部分内容如下:
# cat /etc/authselect/custom/password-policy/system-auth
......
auth required pam_faillock.so preauth silent
......
auth required pam_faillock.so authfail
......
account required pam_faillock.so
......)
4.3.2.2 在 /etc/authselect/custom/password-policy/system-auth 配置文件中设置登录失败几次后提示登录失败
# vim /etc/authselect/custom/password-policy/system-auth将以下内容:
......
password requisite pam_pwquality.so ......
......修改为:
......
password requisite pam_pwquality.so try_first_pass local_users_only enforce-for-root retry=3 ......
......(补充:这里以登录失败 3 次后提示登录失败为例)
4.3.2.3 在 /etc/authselect/custom/password-policy/password-auth 配置文件中添加 pam_faillock.so 模块和相关参数 (不建议)
# vim /etc/authselect/custom/password-policy/password-auth将以下内容:
......
auth required pam_faillock.so preauth silent {include if "with-faillock"}
......
auth required pam_faillock.so authfail {include if "with-faillock"}
......修改为:
......
auth required pam_faillock.so preauth silent audit even_deny_root deny=6 unlock_time=180 {include if "with-faillock"}
......
auth required pam_faillock.so authfail audit even_deny_root deny=6 unlock_time=180 {include if "with-faillock"}
......(
补充:
1) 这里以包括 root 用户每使用密码 SSH 远程登录失败 6 次则被锁定 180 秒
2) 登录失败 3 次后提示登录失败
为例
)
(
注意:不建议执行此步骤,执行后正常的 SFTP 登录会被视为登录失败,不过正常的 SSH 登录不受影响。若要确保正常 SFTP 登录不被视为失败登录,则需要确保部分内容如下:
# cat /etc/authselect/custom/password-policy/password-auth
......
auth required pam_faillock.so preauth silent
......
auth required pam_faillock.so authfail
......
account required pam_faillock.so
......)
4.3.2.4 在 /etc/authselect/custom/password-policy/password-auth 配置文件中设置登录失败几次后提示登录失败
# vim /etc/authselect/custom/password-policy/password-auth将以下内容:
......
password requisite pam_pwquality.so ......
......修改为:
......
password requisite pam_pwquality.so try_first_pass local_users_only enforce-for-root retry=3 ......
......(补充:这里以登录失败 3 次后提示登录失败为例)
4.4 让自定义配置文件生效
# authselect apply-changes(
注意:此步骤
1) 会将 /etc/authselect/custom/password-policy/system-auth 配置文件里的内容刷新到 /etc/authselect/system-auth 配置文件
2) 会将/etc/authselect/custom/password-policy/password-auth 配置文件里的内容刷新到 /etc/authselect/password-auth 配置文件
3) 若要确保正常 SFTP 登录不被视为失败登录,则需要确保部分内容如下:
# cat /etc/authselect/system-auth
......
auth required pam_faillock.so preauth silent
......
auth required pam_faillock.so authfail
......
account required pam_faillock.so
......
# cat /etc/authselect/password-auth
......
auth required pam_faillock.so preauth silent
......
auth required pam_faillock.so authfail
......
account required pam_faillock.so
......)
步骤五:修改 /etc/security/faillock.conf 配置文件
# vim /etc/security/faillock.conf将以下内容:
......
# deny =
......
# unlock_time =
......修改为:
......
deny = 6
......
unlock_time = 180
......(补充:这里以包括 root 用户每使用密码 SSH 远程登录失败 6 次则被锁定 180 秒为例)
步骤六:用户登录失败的管理
6.1 显示某个用户近期输错了几次密码
# faillock --user root(补充:这里以显示 root 用户近期输错了几次密码为例)
6.2 重制远程登录密码输错次数
6.2.1 重制某用户远程登录密码输错次数
# faillock --user root --reset(补充:这里以重置 root 用户远程登录密码输错次数为例)
6.2.2 重制所有用户远程登录密码输错次数
# faillock --reset步骤七:管理自定义配置文件
7.1 在自定义配置文件中禁用 pam_faillock.so 模块
# authselect disable-feature with-faillock7.2 在自定义配置文件中启用 pam_faillock.so 模块
# authselect enable-feature with-faillock参考文献:
https://access.redhat.com/solutions/62949