知乎專欄 | 多維度架構 | 微信號 netkiller-ebook | QQ群:128659835 請註明“讀者” |
配置檔案
ls /etc/pam.d/ chfn crond login passwd remote runuser-l smtp ssh-keycat sudo-i system-auth-ac chsh fingerprint-auth newrole password-auth run_init smartcard-auth smtp.postfix su su-l config-util fingerprint-auth-ac other password-auth-ac runuser smartcard-auth-ac sshd sudo system-auth
認證插件
ls /lib64/security/
此模組的功能是,登陸錯誤輸入密碼3次,5分鐘後自動解禁,在未解禁期間輸入正確密碼也無法登陸。
在配置檔案 /etc/pam.d/sshd 頂端加入
auth required pam_tally2.so deny=3 onerr=fail unlock_time=300
查看失敗次數
# pam_tally2 Login Failures Latest failure From root 14 07/12/13 15:44:37 192.168.6.2 neo 8 07/12/13 15:45:36 192.168.6.2
重置計數器
# pam_tally2 -r -u root Login Failures Latest failure From root 14 07/12/13 15:44:37 192.168.6.2 # pam_tally2 -r -u neo Login Failures Latest failure From neo 8 07/12/13 15:45:36 192.168.6.2
pam_tally2 計數器日誌保存在 /var/log/tallylog 注意,這是二進制格式的檔案
例 140.1. /etc/pam.d/sshd - pam_tally2.so
# cat /etc/pam.d/sshd #%PAM-1.0 auth required pam_tally2.so deny=3 onerr=fail unlock_time=300 auth required pam_sepermit.so auth include password-auth account required pam_nologin.so account include password-auth password include password-auth # pam_selinux.so close should be the first session rule session required pam_selinux.so close session required pam_loginuid.so # pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open env_params session optional pam_keyinit.so force revoke session include password-auth
以上配置root用戶不受限制, 如果需要限制root用戶,參考下面
auth required pam_tally2.so deny=3 unlock_time=5 even_deny_root root_unlock_time=1800
將下面一行添加到 /etc/pam.d/sshd 中,這裡採用白名單方式,你也可以採用黑名單方式
auth required pam_listfile.so item=user sense=allow file=/etc/ssh/whitelist onerr=fail
將允許登陸的用戶添加到 /etc/ssh/whitelist,除此之外的用戶將不能通過ssh登陸到你的系統
# cat /etc/ssh/whitelist neo www
例 140.2. /etc/pam.d/sshd - pam_listfile.so
# cat /etc/pam.d/sshd #%PAM-1.0 auth required pam_listfile.so item=user sense=allow file=/etc/ssh/whitelist onerr=fail auth required pam_tally2.so deny=3 onerr=fail unlock_time=300 auth required pam_sepermit.so auth include password-auth account required pam_nologin.so account include password-auth password include password-auth # pam_selinux.so close should be the first session rule session required pam_selinux.so close session required pam_loginuid.so # pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open env_params session optional pam_keyinit.so force revoke session include password-auth
sense=allow 白名單方式, sense=deny 黑名單方式
auth required pam_listfile.so item=user sense=deny file=/etc/ssh/blacklist onerr=fail
更多細節請查看手冊 $ man pam_listfile
編輯 /etc/pam.d/sshd 檔案,加入下面一行
account required pam_access.so
保存後重啟sshd進程
編輯 /etc/security/access.conf 檔案
cat >> /etc/security/access.conf << EOF - : root : ALL EXCEPT 192.168.6.1 EOF
只能通過 192.168.6.1 登陸, 添加多個IP地址
- : root : ALL EXCEPT 192.168.6.1 192.168.6.2
測試是否生效
限制普通用戶通過su命令提升權限至root. 只有屬於wheel組的用戶允許通過su切換到root用戶
編輯 /etc/pam.d/su 檔案,去掉下面的註釋
auth required pam_wheel.so use_uid
修改用戶組別,添加到wheel組
# usermod -G wheel www # id www uid=501(www) gid=501(www) groups=501(www),10(wheel)
沒有加入到wheel組的用戶使用su時會提示密碼不正確。
$ su - root Password: su: incorrect password