tallylog

Last updated: 2022-11-17

Introduction

The login counter (tallying) module

This module maintains a count of attempted accesses, can reset the count on success, and can deny access if too many attempts fail.

Contents

  • ESXi Account Lockout
  • Linux Configure pam_tally2

ESXi Account Lockout

Behavior

Account locking is supported for access through SSH and through the vSphere Web Services SDK.
The Direct Console Interface (DCUI) and the ESXi Shell do not support account lockout.
By default, a maximum of five failed attempts is allowed before the account is locked.
The account is unlocked after 15 minutes by default.

Procedure to unlock the ESXi host account at the console

  1. At the console press CTRL+ALT+F2 to get to the ESXi shell.
  2. Log in to the DCUI (to enable the ESXi Shell if not already done).
  3. Log in as root with the correct password.
  4. Go to Troubleshooting Options.
  5. Select Enable ESXi Shell.
  6. Press CTRL+ALT+F1.
  7. At the ESXi shell log in as root with the password.

Show the number of failed attempts:

pam_tally2                            # lists users with Failures > 0

Login           Failures Latest failure     From
root                1    11/17/22 13:25:01  R.R.R.R

pam_tally2 --user root           # used to view the time and IP of the latest failure

Login           Failures Latest failure     From
root                0    11/17/22 13:25:01  R.R.R.R

grep failure /var/log/auth.log

Unlock the account:

# -r = reset the counter

pam_tally2 --user root -r

Linux Configure pam_tally2

Package

rpm -qf /var/log/tallylog

pam-1.1.8-23.el7.x86_64

Components of pam_tally2

  • pam_tally2.so           # PAM module
  • pam_tally2               # CLI

Configuration

Two files need to be modified:

  1. /etc/pam.d/system-auth
  2. /etc/pam.d/password-auth

# add the below line at the start of the auth section in both files
auth        required      pam_tally2.so deny=3 unlock_time=1800 even_deny_root magic_root lock_time=5
...
# add the below line in the account section in both files
account     required      pam_tally2.so
...
  • file=/path/to/counter
    Log file that keeps the login counts (default: /var/log/tallylog)
  • deny=3
    Deny access after 3 failed attempts and lock the user.
  • unlock_time=1800
    The account stays locked for 30 minutes (1800 seconds).
  • even_deny_root
    The policy also applies to the root user.
  • magic_root
    If the module is invoked by a user with uid=0 the counter is not incremented;
    this covers services launched by root, such as "su".
  • lock_time=5
    Always deny for 5 seconds after a failed attempt.

Using pam_tally2 with sshd

/etc/pam.d/sshd

auth       substack     password-auth
...
account    include      password-auth

MaxAuthTries in ssh

MaxAuthTries N

Specifies the maximum number of authentication attempts permitted per connection.

With "MaxAuthTries 1":

... sshtunnel sshd[22130]: Failed publickey for tim from R.R.R.R port MYPORT ssh2: RSA SHA256:ID
... sshtunnel sshd[22130]: error: maximum authentication attempts exceeded for tim from R.R.R.R port MYPORT ssh2 [preauth]
... sshtunnel sshd[22130]: Disconnecting: Too many authentication failures [preauth]

 * By default the client tries ssh key auth first, so to support password login MaxAuthTries must be at least 2
 * ssh key auth is only logged when "MaxAuthTries 1" is set