[보안] 사용자 계정 보안

로그인 횟수 제한

# vi /etc/pam.d/system-auth
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so
auth        required      pam_tally.so no_magic_root

account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/$ISA/pam_permit.so
account     required      pam_tally.so deny=3 no_magic_root reset

faillog -u 사용자ID -r

faillog

PAM Settings

I found that under RHEL / CentOS Linux 5.x, you need to modify /etc/pam.d/system-auth file. You need to configure PAM module pam_tally.so. Otherwise faillog command will never display failed login attempts.
PAM Configuration to recored failed login attempts

pam_tally.so module maintains a count of attempted accesses, can reset count on success, can deny access if too many attempts fail.
Open /etc/pam.d/system-auth file:

# vi /etc/pam.d/system-auth
Append following two pam_tally.so modules:
auth required pam_tally.so no_magic_root
account required pam_tally.so deny=3 no_magic_root lock_time=180
Where,

    * deny=3 : Deny access if tally for this user exceeds 3 times.
    * lock_time=180 : Always deny for 180 seconds after failed attempt. There is also unlock_time=n option. It allow access after n seconds after failed attempt. If this option is used the user will be locked out for the specified amount of time after he exceeded his maximum allowed attempts. Otherwise the account is locked until the lock is removed by a manual intervention of the system administrator.
    * magic_root : If the module is invoked by a user with uid=0 the counter is not incremented. The sys-admin should use this for user launched services, like su, otherwise this argument should be omitted.
    * no_magic_root : Avoid root account locking, if the module is invoked by a user with uid=0

Save and close the file.
How do I display all failed login attempts for user vivek?

You need to use faillog command to display faillog records:
# faillog -u vivek

Login       Failures Maximum Latest                   On
vivek           3        0   12/19/07 14:12:53 -0600  64.11.xx.yy

Display faillog records for all users.

Use the -a option:
# faillog -a
How do I reset the counters of login failures?

The -r option can reset the counters of login failures or one record if used with the -u USERNAME option:
# faillog -r
# faillog -r -u vivek <– only reset counter for vivek user
On large Linux login server, such as University or government research facility, one might find it useful to clear all counts every midnight or week from a cron job.
# crontab -e
Reset failed login recover every week:
@weekly /usr/bin/faillog -r
Save and close the file.