ubuntu 22.04 pam 模块设置用户登录失败锁定

1、ubuntu 22.04 配置方法

/etc/pam.d/common-auth 加到如下行后

# auth    [success=1 default=ignore]      pam_unix.so nullok
# 添加如下内容
auth     [default=die]      pam_faillock.so authfail
auth     sufficient         pam_faillock.so authsucc

/etc/pam.d/common-account 加到最后一行

account required            pam_faillock.so

修改 /etc/security/faillock.conf

sed -i 's/# audit/audit/g' /etc/security/faillock.conf
sed -i 's/# deny = 3/deny = 3/g' /etc/security/faillock.conf
sed -i 's/# fail_interval = 900/fail_interval = 900/g' /etc/security/faillock.conf
sed -i 's/# unlock_time = 600/unlock_time = 0/g' /etc/security/faillock.conf
sed -i 's/# even_deny_root/even_deny_root/g' /etc/security/faillock.conf
sed -i 's/# root_unlock_time = 900/root_unlock_time = 0/g' /etc/security/faillock.conf

一键设置脚本
⚠️警告：不要在 ubuntu20.04 系统上执行如下脚本，否则所有登录方式都会被锁定，导致进不了系统。

cp /etc/pam.d/common-auth /etc/pam.d/common-auth.bak
cp /etc/pam.d/common-account /etc/pam.d/common-account.bak
cp /etc/security/faillock.conf /etc/security/faillock.conf.bak
sed -i '/^auth[[:space:]]\+\[success=1 default=ignore\][[:space:]]\+pam_unix\.so[[:space:]]\+nullok$/a\
auth     [default=die]      pam_faillock.so authfail\n\
auth     sufficient         pam_faillock.so authsucc' /etc/pam.d/common-auth
echo 'account required            pam_faillock.so' >> /etc/pam.d/common-account
sed -i 's/# audit/audit/g' /etc/security/faillock.conf
sed -i 's/# deny = 3/deny = 3/g' /etc/security/faillock.conf
sed -i 's/# fail_interval = 900/fail_interval = 900/g' /etc/security/faillock.conf
sed -i 's/# unlock_time = 600/unlock_time = 0/g' /etc/security/faillock.conf
sed -i 's/# even_deny_root/even_deny_root/g' /etc/security/faillock.conf
sed -i 's/# root_unlock_time = 900/root_unlock_time = 0/g' /etc/security/faillock.conf

查看被锁定的用户

faillock --user testuser
testuser:
When                Type  Source                                           Valid
2025-07-14 13:27:26 RHOST 192.168.5.103                                        V

解锁被锁定的用户

faillock --user testuser --reset

2、Ubuntu 20.04 设置

sudo apt update
sudo apt install libpam-cracklib
sudo nano /etc/pam.d/common-auth
auth required pam_tally2.so deny=3 unlock_time=300 onerr=fail audit silent
sudo systemctl restart sshd

查看特定用户的登录尝试次数

sudo pam_tally2 --user <username>

解锁特定用户

sudo pam_tally2 -u <username> -r

本文来自互联网用户投稿，该文观点仅代表作者本人，不代表本站立场。本站仅提供信息存储空间服务，不拥有所有权，不承担相关法律责任。
如若转载，请注明出处：http://www.pswp.cn/bicheng/89533.shtml
繁体地址，请注明出处：http://hk.pswp.cn/bicheng/89533.shtml

如若内容造成侵权/违法违规/事实不符，请联系多彩编程网进行投诉反馈email:809451989@qq.com，一经查实，立即删除！