Yadda ake Lock Accounts Bayan Ƙoƙarin Shiga Ba a Yi Ba


Wannan jagorar zai nuna yadda ake kulle asusun mai amfani da tsarin bayan ƙayyadadden adadin yunƙurin shiga da ya gaza a cikin rarrabawar CentOS, RHEL da Fedora. Anan, abin da aka fi mayar da hankali shine a tilasta tsaro mai sauƙi ta hanyar kulle asusun mai amfani bayan adadin tabbataccen rashin nasara a jere.

Ana iya samun wannan ta amfani da tsarin pam_faillock wanda ke taimakawa ga kulle asusun mai amfani na wucin gadi idan an sami gazawar yunƙurin tabbatarwa da yawa da kuma adana rikodin wannan taron. Ana adana yunƙurin shiga da bai yi nasara ba a cikin fayilolin kowane mai amfani a cikin kundin adireshi wanda shine /var/run/faillock/ ta tsohuwa.

pam_faillock wani bangare ne na Linux PAM (Pluggable Authentication Modules), tsari mai kuzari don aiwatar da ayyukan tantancewa a cikin aikace-aikace da sabis na tsarin daban-daban waɗanda muka ɗan yi bayani a ƙarƙashin daidaitawa PAM don bincika ayyukan harsashi mai amfani.

Yadda Ake Makulle Accounts Bayan Gaggawar Gaggawa A Jere

Kuna iya daidaita ayyukan da ke sama a cikin /etc/pam.d/system-auth da /etc/pam.d/password-auth files, ta ƙara abubuwan da ke ƙasa zuwa sashin auth.

auth    required       pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth    [default=die]  pam_faillock.so authfail audit deny=3 unlock_time=600

Inda:

  • audit - yana ba da damar tantance mai amfani.
  • ƙaryata - ana amfani da shi don ayyana adadin ƙoƙarin (3 a wannan yanayin), bayan haka yakamata a kulle asusun mai amfani.
  • lokacin buɗewa - yana saita lokacin (300 seconds = 5 minutes) wanda asusun ya kamata ya kasance a kulle.

Lura cewa tsari na waɗannan layukan yana da matukar mahimmanci, daidaitawa mara kyau na iya haifar da kulle duk asusun mai amfani.

Sashen auth a cikin fayilolin biyu yakamata a tsara abubuwan da ke ƙasa cikin wannan tsari:

auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=300
auth        sufficient    pam_unix.so  nullok  try_first_pass
auth        [default=die]  pam_faillock.so  authfail  audit  deny=3  unlock_time=300
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

Yanzu buɗe waɗannan fayiloli guda biyu tare da zaɓin editan ku.

# vi /etc/pam.d/system-auth
# vi /etc/pam.d/password-auth 

Tsoffin shigarwar a cikin auth sashe biyu fayiloli suna kama da wannan.

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet
auth        required      pam_deny.so

Bayan ƙara saitunan da ke sama, ya kamata ya bayyana kamar haka.

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=300
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die]  pam_faillock.so  authfail  audit  deny=3  unlock_time=300
auth        requisite     pam_succeed_if.so uid >= 1000 quiet
auth        required      pam_deny.so

Sannan ƙara mahimmin shigarwar mai zuwa zuwa sashin asusun a cikin fayilolin da ke sama.

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
account     required      pam_faillock.so

Yadda Ake Kulle Tushen Account Bayan Ƙoƙarin Shiga Ba Ya Fasa

Don kulle tushen asusun bayan gazawar yunƙurin tabbatarwa, ƙara zaɓin even_deny_root zuwa layukan da ke cikin fayiloli guda biyu a cikin sashin auth kamar wannan.

auth        required      pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=300
auth        [default=die]  pam_faillock.so  authfail  audit  deny=3 even_deny_root unlock_time=300

Da zarar kun saita komai. Kuna iya sake kunna sabis na samun nesa kamar sshd, don manufar da ke sama ta yi tasiri wato idan masu amfani za su yi amfani da ssh don haɗawa zuwa uwar garken.

# systemctl restart sshd  [On SystemD]
# service sshd restart    [On SysVInit]

Yadda ake Gwada Ƙoƙarin Shigar Mai Amfani SSH

Daga saitunan da ke sama, mun saita tsarin don kulle asusun mai amfani bayan ƙoƙarin tabbatarwa guda 3.

A cikin wannan yanayin, mai amfani tecmint yana ƙoƙarin canzawa zuwa mai amfani aaronkilik, amma bayan shigar da kuskure 3 saboda kuskuren kalmar sirri, wanda aka nuna ta saƙon An hana izini, an kulle asusun aronkilik mai amfani kamar yadda aka nuna ta saƙon gazawar tantancewa daga ƙoƙari na huɗu.

Ana kuma sanar da mai amfani game da gazawar ƙoƙarin shiga tsarin, kamar yadda aka nuna a hoton allo na ƙasa.

Yadda Ake Duba Ƙoƙarin Ƙoƙarin Ƙoƙarin Gaske

Kuna iya ganin duk rajistan ayyukan tantancewa da suka gaza ta amfani da utility lock, wanda ake amfani dashi don nunawa da kuma gyara log ɗin gazawar tantancewa.

Kuna iya duba gazawar yunƙurin shiga don wani mai amfani kamar wannan.

# faillock --user aaronkilik

Don duba duk ƙoƙarin shiga da bai yi nasara ba, gudanar da faillock ba tare da wata gardama kamar haka:

# faillock 

Don share rajistan ayyukan gazawar mai amfani, gudanar da wannan umarni.

# faillock --user aaronkilik --reset 
OR
# fail --reset	#clears all authentication failure records

A ƙarshe, don gaya wa tsarin kada ya kulle asusun mai amfani ko mai amfani bayan yunƙurin shiga da yawa da bai yi nasara ba, ƙara shigarwar da aka yiwa alama da launin ja, kusa da inda aka fara kiran pam_faillock ƙarƙashin sashin auth a cikin fayilolin biyu (/etc/pam.d/) system-auth da /etc/pam.d/password-auth) kamar haka.

Kawai ƙara cikakkun sunayen masu amfani da ke raba ga mai amfani a ciki.

auth  required      pam_env.so
auth   [success=1 default=ignore] pam_succeed_if.so user in tecmint:aaronkilik 
auth   required      pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth   sufficient    pam_unix.so  nullok  try_first_pass
auth   [default=die]  pam_faillock.so  authfail  audit  deny=3  unlock_time=600
auth   requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth   required      pam_deny.so

Don ƙarin bayani, duba pam_faillock da shafukan mutum na gazawa.

# man pam_faillock
# man faillock 

Hakanan kuna iya son karanta waɗannan labarai masu amfani masu zuwa:

  1. TMOUT – Auto Logout Linux Shell Lokacin da Babu Ayyuka
  2. Yanayin Mai Amfani Guda: Sake saitin/Murmurewa Tushen Kalmar wucewar Asusun Mai amfani da aka manta
  3. 5 Mafi kyawun Ayyuka don Aminta da Kare Sabar SSH
  4. Yadda ake samun Tushen da Mai amfani SSH Faɗakarwar Imel ta Shiga

Shi ke nan! A cikin wannan labarin, mun nuna yadda ake tilasta tsaro mai sauƙi ta hanyar kulle asusun mai amfani bayan x adadin shigar da ba daidai ba ko yunƙurin tabbatar da gazawar. Yi amfani da fam ɗin sharhin da ke ƙasa don raba tambayoyinku ko tunaninku tare da mu.