
Locking an account after failed login attempts

Once a Linux engineer, 2008. 9. 15. 18:12

How do I lock out a user after a set number of login attempts?

by an editor

Version: Red Hat® Enterprise Linux® 3 and 4

The PAM (Pluggable Authentication Module) module pam_tally keeps track of unsuccessful login attempts and disables a user account when a preset limit is reached. This is often referred to as account lockout.

To lock out a user after 4 attempts, two entries need to be added to the /etc/pam.d/system-auth file:

auth        required        /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
account     required        /lib/security/$ISA/pam_tally.so deny=3 no_magic_root reset

The options used above are described below:

  • onerr=fail
    If something strange happens, such as being unable to open the tally file, this determines how the module should react: with onerr=fail the module returns failure.
  • no_magic_root
    This indicates that the counter is incremented even when the module is invoked by a user with uid=0. The sysadmin should use this for daemon-launched services, like telnet/rsh/login.
  • deny=3
    The deny=3 option is used to deny access if the tally for this user exceeds 3.
  • reset
    The reset option instructs the module to reset the count to 0 on successful entry.

See below for a complete example of implementing this type of policy:

auth        required      /lib/security/$ISA/pam_env.so
auth        required      /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
account     required      /lib/security/$ISA/pam_tally.so deny=5 no_magic_root reset
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
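To make the counting semantics of the two pam_tally entries concrete, here is an added Python model written for this post (it is not pam_tally's source, and it stands in a dictionary for the faillog file): the auth line increments the tally before the password is checked, and the account line, which only runs after a correct password, denies when the tally exceeds deny and otherwise resets it. The user names, uids and attempt sequences are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class PamTally:
    """Constructed model of pam_tally.so state and options; not the module's source."""
    deny: int = 3
    reset: bool = True
    no_magic_root: bool = True
    onerr_fail: bool = True            # onerr=fail
    broken_file: bool = False          # simulates being unable to open the tally file
    tally: dict = field(default_factory=dict)  # stands in for /var/log/faillog

    def _exempt(self, uid):
        # Without no_magic_root, uid 0 is never counted or denied.
        return uid == 0 and not self.no_magic_root

    def auth(self, user, uid):
        """'auth required pam_tally.so': count the attempt before the password is checked."""
        if self.broken_file:
            return not self.onerr_fail
        if not self._exempt(uid):
            self.tally[user] = self.tally.get(user, 0) + 1
        return True

    def account(self, user, uid):
        """'account required pam_tally.so deny=N reset': deny if tally exceeds N, else clear it."""
        if self.broken_file:
            return not self.onerr_fail
        if self._exempt(uid):
            return True
        if self.tally.get(user, 0) > self.deny:
            return False
        if self.reset:
            self.tally[user] = 0
        return True


def login(pam, user, uid, password_ok):
    """One attempt through the stack: pam_tally auth, pam_unix password, pam_tally account."""
    if not pam.auth(user, uid):
        return "denied"
    if not password_ok:
        return "bad password"  # pam_unix fails; the account phase never runs, so the tally stays
    return "ok" if pam.account(user, uid) else "locked"


def simulate(pam, user, uid, attempts):
    """Run a constructed sequence of attempts (True = correct password); return the outcomes."""
    return [login(pam, user, uid, ok) for ok in attempts]
```

With deny=3 the fourth attempt is refused even when its password is correct, which is why a locked user needs the tally cleared (see the faillog note below) rather than a better password.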

For more detailed information on the PAM system, please see the documentation contained under /usr/share/doc/pam-<version>

For information on how to unlock a user whose deny tally has been exceeded, see the additional Knowledgebase articles on unlocking a user account and on viewing failed logins with the faillog command.

contributed by David Robinson