How it works
This is implemented with the PAM module pam_faillock. Its purpose is to defend against SSH password brute-forcing: once the number of wrong-password attempts exceeds the threshold, the account is locked, and during the lock period login is refused even when the correct password is entered.
Note that this applies not only to SSH but also to console logins.
Steps
1. Edit /etc/pam.d/password-auth and /etc/pam.d/system-auth and add the same three lines to each file (the three pam_faillock.so lines shown below: the auth preauth line, the auth authfail line, and the account line). Make sure the lines land at exactly the positions shown here; their order within the auth stack matters.
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth required pam_faildelay.so delay=2000000
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
account required pam_faillock.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
Option notes
audit           | enable audit logging of lock events in /var/log/secure
deny=3          | lock the user after 3 failed logins
unlock_time=600 | unlock after 600 seconds; to lock permanently, use unlock_time=never
By default the lockout does not apply to the root user.
2. Restart the sshd service
[root@localhost ~]# systemctl restart sshd
Try logging in as a regular user with a wrong password 3 times, then check the log: the account shows as locked, and the user cannot log in for the next 10 minutes.
[root@localhost ~]# grep -i lock /var/log/secure
May 14 00:20:02 localhost sshd[2724]: pam_faillock(sshd:auth): Consecutive login failures for user chenjian account temporarily locked
[root@localhost ~]#
The faillock command also lists locked users:
[root@localhost ~]# faillock
chenjian:
When Type Source Valid
2022-05-14 00:19:57 RHOST 192.168.157.1 V
2022-05-14 00:19:59 RHOST 192.168.157.1 V
2022-05-14 00:20:02 RHOST 192.168.157.1 V
[root@localhost ~]#
Unlocking the user:
[root@localhost ~]# faillock --user chenjian --reset
[root@localhost ~]# faillock
chenjian:
When Type Source Valid
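Because step 1 depends on the pam_faillock lines sitting in the right places in both files, a check script is useful before restarting sshd. The following is an added example, not code from the original post: it verifies that a PAM stack file has the three pam_faillock lines in the required order and that both files carry identical lines. The function names are the example's own.

```sh
#!/bin/sh
# Added example (not from the original post): sanity-check a PAM stack file
# such as /etc/pam.d/system-auth for the three pam_faillock lines the post
# adds, in the order pam_faillock needs: "preauth" before pam_unix.so,
# "authfail" after it, and the account line present. Commented-out lines
# are ignored. Function names here are the example's own.

# Line number of the first uncommented line matching an ERE (empty if none).
pam_line_no() {
    grep -n -E "$2" "$1" | head -n 1 | cut -d: -f1
}

check_faillock_stack() {
    file="$1"
    pre=$(pam_line_no "$file" '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_faillock\.so[[:space:]]+preauth')
    unix_ln=$(pam_line_no "$file" '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_unix\.so')
    fail=$(pam_line_no "$file" '^[[:space:]]*auth[[:space:]]+\[default=die\][[:space:]]+pam_faillock\.so[[:space:]]+authfail')
    acct=$(pam_line_no "$file" '^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_faillock\.so')

    [ -n "$pre" ]     || { echo "$file: missing 'auth required pam_faillock.so preauth' line"; return 1; }
    [ -n "$fail" ]    || { echo "$file: missing 'auth [default=die] pam_faillock.so authfail' line"; return 1; }
    [ -n "$acct" ]    || { echo "$file: missing 'account required pam_faillock.so' line"; return 1; }
    [ -n "$unix_ln" ] || { echo "$file: no 'auth sufficient pam_unix.so' line to anchor on"; return 1; }
    # preauth must run before the password check (otherwise a correct password
    # bypasses the lock) and authfail after it (it must only run when pam_unix failed)
    [ "$pre" -lt "$unix_ln" ]  || { echo "$file: preauth (line $pre) must come before pam_unix.so (line $unix_ln)"; return 1; }
    [ "$fail" -gt "$unix_ln" ] || { echo "$file: authfail (line $fail) must come after pam_unix.so (line $unix_ln)"; return 1; }
    echo "$file: pam_faillock stack OK (preauth $pre, pam_unix $unix_ln, authfail $fail, account $acct)"
}

# The post requires identical lines in both files: compare their pam_faillock
# lines (catches e.g. deny=3 in one file and deny=5 in the other).
check_faillock_same() {
    a=$(grep -E '^[[:space:]]*(auth|account)[[:space:]].*pam_faillock\.so' "$1" || true)
    b=$(grep -E '^[[:space:]]*(auth|account)[[:space:]].*pam_faillock\.so' "$2" || true)
    [ "$a" = "$b" ]
}

# Usage on a real host:
#   check_faillock_stack /etc/pam.d/system-auth
#   check_faillock_stack /etc/pam.d/password-auth
#   check_faillock_same  /etc/pam.d/system-auth /etc/pam.d/password-auth
```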