How to Lock User Accounts After Failed Login Attempts
This guide shows how to lock a system user's account after a specified number of failed login attempts on CentOS, RHEL and Fedora distributions. The focus here is on enforcing simple security by locking a user's account after a number of consecutive failed authentications.
This can be achieved with the pam_faillock module, which temporarily locks user accounts after multiple failed authentication attempts and keeps a record of the event. Failed login attempts are stored in per-user files in a tally directory, which is /var/run/faillock/ by default.
pam_faillock is part of Linux PAM (Pluggable Authentication Modules), a dynamic mechanism for implementing authentication services in applications and various system services, which we briefly explained under configuring PAM to audit user login shell activity.
How to Lock User Accounts After Consecutive Failed Authentications
You can configure the above functionality in the /etc/pam.d/system-auth and /etc/pam.d/password-auth files by adding the entries below to the auth section.
auth    required       pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth    [default=die]  pam_faillock.so authfail audit deny=3 unlock_time=600
Where:
- audit: enables user auditing.
- deny: defines the number of attempts (3 in this case) after which the user account should be locked.
- unlock_time: sets the time (300 seconds = 5 minutes) for which the account should remain locked.
Note that the order of these lines is very important; a wrong configuration can cause all user accounts to be locked.
The auth section in both files should have the content below arranged in this order:
auth    required       pam_env.so
auth    required       pam_faillock.so preauth silent audit deny=3 unlock_time=300
auth    sufficient     pam_unix.so nullok try_first_pass
auth    [default=die]  pam_faillock.so authfail audit deny=3 unlock_time=300
auth    requisite      pam_succeed_if.so uid >= 1000 quiet_success
auth    required       pam_deny.so
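A check for the ordering requirement above, as an added example that is not part of the original article; the function name check_faillock_order and the sample stack are constructed here. It verifies that the preauth line precedes pam_unix.so, that the authfail line follows it, and that both pam_faillock lines carry the same deny and unlock_time values.

```shell
#!/bin/sh
# check_faillock_order FILE   (hypothetical helper, not a system tool)
# Verifies the auth stack of a PAM file: pam_faillock preauth must come before
# pam_unix.so, authfail after it, and both lines must use the same deny= and
# unlock_time= values. Prints "ok ..." or the first problem; returns 0 or 1.
check_faillock_order() {
    awk '
    # Return the value of key=VALUE on a PAM line, or "unset".
    function opt(line, key,    n, f, i) {
        n = split(line, f, /[ \t]+/)
        for (i = 1; i <= n; i++)
            if (index(f[i], key "=") == 1)
                return substr(f[i], length(key) + 2)
        return "unset"
    }
    $1 != "auth" { next }        # skip comments and the other stacks
    /pam_faillock\.so.*preauth/ && !pre {
        pre = NR; pd = opt($0, "deny"); pu = opt($0, "unlock_time")
    }
    /pam_unix\.so/ && !ux { ux = NR }
    /pam_faillock\.so.*authfail/ && !fail {
        fail = NR; fd = opt($0, "deny"); fu = opt($0, "unlock_time")
    }
    END {
        if (!pre || !ux || !fail) {
            print "missing preauth, pam_unix.so or authfail line"; exit 1 }
        if (!(pre < ux && ux < fail)) {
            print "wrong order: need preauth, pam_unix.so, authfail"; exit 1 }
        if (pd != fd || pu != fu) {
            print "deny/unlock_time differ between preauth and authfail"; exit 1 }
        print "ok: deny=" pd " unlock_time=" pu
    }' "$1"
}

# Constructed sample: the auth stack from this page with authfail misplaced.
sample=$(mktemp)
cat > "$sample" <<'EOF'
auth required pam_env.so
auth required pam_faillock.so preauth silent audit deny=3 unlock_time=300
auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=300
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_deny.so
EOF
check_faillock_order "$sample" || echo "do not deploy this stack"
rm -f "$sample"
```

Run it against copies of /etc/pam.d/system-auth and /etc/pam.d/password-auth before restarting any login service, and keep a root shell open while testing.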
Now open these two files with your editor of choice.
# vi /etc/pam.d/system-auth
# vi /etc/pam.d/password-auth
The default entries in the auth section of both files look like this.
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth    required       pam_env.so
auth    sufficient     pam_fprintd.so
auth    sufficient     pam_unix.so nullok try_first_pass
auth    requisite      pam_succeed_if.so uid >= 1000 quiet
auth    required       pam_deny.so
After adding the above settings, it should appear as follows.
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth    required       pam_env.so
auth    required       pam_faillock.so preauth silent audit deny=3 unlock_time=300
auth    sufficient     pam_fprintd.so
auth    sufficient     pam_unix.so nullok try_first_pass
auth    [default=die]  pam_faillock.so authfail audit deny=3 unlock_time=300
auth    requisite      pam_succeed_if.so uid >= 1000 quiet
auth    required       pam_deny.so
Then add the following highlighted entry to the account section in both of the above files.
account    required       pam_unix.so
account    sufficient     pam_localuser.so
account    sufficient     pam_succeed_if.so uid < 500 quiet
account    required       pam_permit.so
account    required       pam_faillock.so
How to Lock the Root Account After Failed Login Attempts
To lock the root account after failed authentication attempts, add the even_deny_root option to the pam_faillock lines in the auth section of both files, like this.
auth    required       pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=300
auth    [default=die]  pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=300
Once you have configured everything, you can restart remote access services such as sshd for the above policy to take effect, that is, if users will use ssh to connect to the server.
# systemctl restart sshd    [On SystemD]
# service sshd restart      [On SysVInit]
How to Test SSH User Failed Login Attempts
With the above settings, we configured the system to lock a user's account after 3 failed authentication attempts.
In this scenario, the user tecmint is trying to switch to the user aaronkilik, but after 3 incorrect logins because of a wrong password, indicated by the "Permission denied" message, the user aaronkilik's account is locked, as shown by the "authentication failure" message from the fourth attempt.
The user is also notified of the failed login attempts on the system, as shown in the screenshot below.
How to View Failed Authentication Attempts
You can see all failed authentication logs using the faillock utility, which is used to display and modify the authentication failure log.
You can view failed login attempts for a particular user like this.
# faillock --user aaronkilik
To view all unsuccessful login attempts, run faillock without any argument, like so:
# faillock
To clear a user's authentication failure logs, run this command.
# faillock --user aaronkilik --reset
OR
# faillock --reset    #clears all authentication failure records
Lastly, to tell the system not to lock a user's or users' accounts after several unsuccessful login attempts, add the entry marked in red (the pam_succeed_if.so line), just above where pam_faillock is first called under the auth section in both files (/etc/pam.d/system-auth and /etc/pam.d/password-auth), as follows.
Simply add the full, colon-separated usernames to the user in option.
auth    required                      pam_env.so
auth    [success=1 default=ignore]    pam_succeed_if.so user in tecmint:aaronkilik
auth    required                      pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth    sufficient                    pam_unix.so nullok try_first_pass
auth    [default=die]                 pam_faillock.so authfail audit deny=3 unlock_time=600
auth    requisite                     pam_succeed_if.so uid >= 1000 quiet_success
auth    required                      pam_deny.so
For more information, see the pam_faillock and faillock man pages.
# man pam_faillock
# man faillock
You might also like to read these useful related articles:
- TMOUT – Auto Logout Linux Shell When There Is No Activity
- Single User Mode: Resetting/Recovering a Forgotten Root User Account Password
- 5 Best Practices to Secure and Protect an SSH Server
- How to Get Root and User SSH Login Email Alerts
That's all! In this article, we showed how to enforce simple security by locking a user's account after x number of incorrect logins or failed authentication attempts. Use the comment form below to share your questions or thoughts with us.