pam_tally2: locking a user account after a certain number of failed login attempts
To configure pam_tally2 to lock a user account after a certain number of failed login attempts, follow the steps below:
1. Add the following lines to the auth and account sections of the /etc/pam.d/system-auth and /etc/pam.d/password-auth files.
auth required pam_tally2.so deny=3 onerr=fail unlock_time=500
account required pam_tally2.so
On RHEL 5.2 a sample /etc/pam.d/system-auth file looks as follows:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_tally2.so deny=3 onerr=fail unlock_time=300
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_tally2.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
The order of the PAM rules is important: auth required pam_tally2.so must be placed above auth sufficient pam_unix.so. Otherwise a correct password satisfies the sufficient pam_unix.so rule and the auth stack returns before pam_tally2.so is consulted, so the lockout is never enforced and the counter is never reset on a successful login.
On RHEL 6 and RHEL 7, the pam_tally2 entries need to be present in both the system-auth and password-auth files.
Note: all the files in /etc/pam.d must be mode 644.
3. pam_tally2 is not compatible with the old pam_tally faillog file format. By default, the file that keeps the failed login counter is /var/log/tallylog.
Make sure the tallylog file has permission 600:
# chmod 600 /var/log/tallylog ; chown root:root /var/log/tallylog
Otherwise pam_tally2 logs error messages like the following in /var/log/secure:
var/log/secure:Nov 20 18:43:17 localhost login: pam_tally2(login:auth): /var/log/tallylog is either world writable or not a normal file
var/log/secure:Nov 20 18:43:23 localhost login: pam_tally2(login:auth): /var/log/tallylog is either world writable or not a normal file
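The two requirements above, the ordering of pam_tally2.so in the auth stack and the mode-600 tally file, are easy to get wrong silently, so here is a small audit script for them. It is an added example written for this page, not code from the Red Hat article; the function names, the sample PAM stacks and the sample tally files are all constructed here so the script runs offline. On a real host you would point pam_tally2_order_ok at /etc/pam.d/system-auth and /etc/pam.d/password-auth, and tallylog_mode_ok at /var/log/tallylog.

```shell
#!/bin/sh
# Added example, not part of the Red Hat article: audit helpers for the two
# requirements described above (pam_tally2 ordering in the auth stack and a
# mode-600 tally file). Config files and tally files below are constructed samples.

# pam_tally2_order_ok FILE
# Succeeds when FILE has an "auth ... pam_tally2.so" line before its first
# "auth sufficient pam_unix.so" line and also an "account ... pam_tally2.so" line.
pam_tally2_order_ok() {
    f=$1
    tally_line=$(grep -n '^auth[[:space:]].*pam_tally2\.so' "$f" | head -n 1 | cut -d: -f1)
    unix_line=$(grep -n '^auth[[:space:]]\{1,\}sufficient[[:space:]]\{1,\}pam_unix\.so' "$f" | head -n 1 | cut -d: -f1)
    [ -n "$tally_line" ] && [ -n "$unix_line" ] || return 1
    [ "$tally_line" -lt "$unix_line" ] || return 1
    grep -q '^account[[:space:]].*pam_tally2\.so' "$f"
}

# tallylog_mode_ok FILE
# Succeeds when FILE is a regular file whose permission bits are exactly
# rw------- (mode 600), which is what the article asks for. The module's own
# error text ("world writable or not a normal file") shows what it rejects;
# this check is deliberately stricter and matches the chmod 600 instruction.
tallylog_mode_ok() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c1-10)
    [ "$perms" = "-rw-------" ]
}

# Constructed samples: a correct stack and one with pam_tally2 below pam_unix.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
GOOD_CONF="$DEMO_DIR/system-auth.good"
BAD_CONF="$DEMO_DIR/system-auth.bad"
cat > "$GOOD_CONF" <<'EOF'
auth        required      pam_env.so
auth        required      pam_tally2.so deny=3 onerr=fail unlock_time=300
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_tally2.so
account     required      pam_unix.so broken_shadow
EOF
cat > "$BAD_CONF" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_tally2.so deny=3 onerr=fail unlock_time=300
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
EOF

# Constructed tally files: one with the required mode, one too permissive.
TALLY_GOOD="$DEMO_DIR/tallylog.good"
TALLY_BAD="$DEMO_DIR/tallylog.bad"
: > "$TALLY_GOOD"; chmod 600 "$TALLY_GOOD"
: > "$TALLY_BAD";  chmod 644 "$TALLY_BAD"

# audit_report
# Prints one OK/FAIL line per checked file.
audit_report() {
    for f in "$GOOD_CONF" "$BAD_CONF"; do
        if pam_tally2_order_ok "$f"; then echo "OK   order: $f"; else echo "FAIL order: $f"; fi
    done
    for f in "$TALLY_GOOD" "$TALLY_BAD"; do
        if tallylog_mode_ok "$f"; then echo "OK   mode:  $f"; else echo "FAIL mode:  $f"; fi
    done
}

audit_report
```

The ordering check compares line numbers rather than just grepping for the presence of pam_tally2.so, because the article's point is the position of the rule, not its existence; a stack that contains the module below pam_unix.so passes a naive grep and still fails to lock anyone out.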
To list the users who have hit the maximum number of attempts, run pam_tally2; add -u to query a single user:
# pam_tally2
# pam_tally2 -u testuser
To reset a user's failed-login counter, run:
# pam_tally2 -r -u testuser
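On a host with many accounts it is useful to pick out only the logins whose failure count has reached the configured deny= value and to review the reset commands before running them. The following script is an added example, not from the Red Hat article; the pam_tally2 output it parses is a constructed sample written to a temporary file so the script runs offline, and the function names are assumptions. On a real host you would save the output of pam_tally2 to a file (or pipe it in) instead.

```shell
#!/bin/sh
# Added example, not from the Red Hat article: find accounts whose failure
# count has reached the deny= threshold and emit the matching reset commands
# as a dry run. The pam_tally2 output below is a constructed sample.

# locked_users FILE DENY
# Prints one login per line whose Failures column (field 2) is >= DENY.
# The first line of pam_tally2 output is the column header, hence NR > 1.
locked_users() {
    awk -v deny="$2" 'NR > 1 && ($2 + 0) >= (deny + 0) { print $1 }' "$1"
}

# reset_commands FILE DENY
# Prints the pam_tally2 reset command for each locked user without running it,
# so an administrator can review the list first.
reset_commands() {
    locked_users "$1" "$2" | while read -r user; do
        echo "pam_tally2 -r -u $user"
    done
}

# Constructed sample in the layout pam_tally2 prints: login, failure count,
# timestamp of the latest failure, and the source (tty or address).
SAMPLE_TALLY=$(mktemp)
trap 'rm -f "$SAMPLE_TALLY"' EXIT
cat > "$SAMPLE_TALLY" <<'EOF'
Login           Failures Latest failure     From
testuser            5    11/20/13 18:43:23  tty1
alice               1    11/20/13 18:41:02  192.0.2.10
bob                 3    11/20/13 18:40:00  tty2
EOF

# With deny=3 (as in the article's auth line), testuser and bob are over the
# threshold; alice is not.
locked_users "$SAMPLE_TALLY" 3
reset_commands "$SAMPLE_TALLY" 3
```

Note that pam_tally2 also lowers the count automatically once unlock_time has elapsed, so a login that appears in this list may already be able to authenticate again; the list is a snapshot of the counter file, not of the current lock state.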
*If you want to lock the root user as well, add "even_deny_root" to the pam_tally2.so line in the auth section of the /etc/pam.d/system-auth file (and also the password-auth file if needed):
auth required pam_tally2.so deny=3 onerr=fail unlock_time=60 even_deny_root
account required pam_tally2.so
*If you want to lock only the root user, add the following lines to the auth section of the /etc/pam.d/system-auth file (and also the password-auth file if needed):
auth [success=1 default=ignore] pam_succeed_if.so gid ne 0
auth required pam_tally2.so deny=3 onerr=fail unlock_time=60 even_deny_root
Note: the no_magic_root option does not need to be configured for pam_tally2 on RHEL 6, since by default failed attempts to access root do not cause the root account to become blocked.
For more detail on pam_tally2, see /usr/share/doc/pam-{Version}/txts/README.pam_tally2.
Note: the pam_tally2 module has been provided since the RHEL 5 GA release (5.0), as shown below:
# uname -r
2.6.18-8.el5
# rpm -q pam
pam-0.99.6.2-3.14.el5
pam-0.99.6.2-3.14.el5
# rpm -ql pam | grep tally2.so
/lib/security/pam_tally2.so
/lib64/security/pam_tally2.so
Reposted from https://access.redhat.com/solutions/37687