ssh 登录用户日志信息限制用户登录，防止SSH爆破，系统某些用户登录失败error: 认证失败(用户名或密码错误)

admin · 发表于 2023-8-3 10:35:35

Aug  3 10:26:41 devops-prod-ansible-02 filebeat: 2023-08-03T10:26:41.608+0800#011INFO#011[monitoring]#011log/log.go:145#011Non-zero metrics in the last 30s#011{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":2544390,"time":{"ms":22}},"total":{"ticks":6512570,"time":{"ms":45},"value":6512570},"user":{"ticks":3968180,"time":{"ms":23}}},"handles":{"limit":{"hard":4096,"soft":1024},"open":8},"info":{"ephemeral_id":"8f113502-1487-4c59-b627-114298a25801","uptime":{"ms":11552700039}},"memstats":{"gc_next":4405392,"memory_alloc":3943296,"memory_total":628180232808},"runtime":{"goroutines":43}},"filebeat":{"events":{"active":-1,"added":12,"done":13},"harvester":{"open_files":2,"running":2}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":13,"batches":4,"total":13},"read":{"bytes":24},"write":{"bytes":3540}},"pipeline":{"clients":3,"events":{"active":0,"published":12,"total":12},"queue":{"acked":13}}},"registrar":{"states":{"current":6,"update":13},"writes":{"success":4,"total":4}},"system":{"load":{"1":0,"15":0.05,"5":0.01,"norm":{"1":0,"15":0.0125,"5":0.0025}}}}}}
Aug  3 10:26:44 devops-prod-ansible-02 filebeat: 2023-08-03T10:26:44.443+0800#011INFO#011log/harvester.go:278#011File is inactive: /.cmdlog/cmdlog.2023-08-03. Closing because close_inactive of 1m0s reached.
Aug  3 10:27:11 devops-prod-ansible-02 filebeat: 2023-08-03T10:27:11.606+0800#011INFO#011[monitoring]#011log/log.go:145#011Non-zero metrics in the last 30s#011{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":2544400,"time":{"ms":14}},"total":{"ticks":6512610,"time":{"ms":34},"value":6512610},"user":{"ticks":3968210,"time":{"ms":20}}},"handles":{"limit":{"hard":4096,"soft":1024},"open":7},"info":{"ephemeral_id":"8f113502-1487-4c59-b627-114298a25801","uptime":{"ms":11552730039}},"memstats":{"gc_next":4194304,"memory_alloc":3670936,"memory_total":628185307728},"runtime":{"goroutines":38}},"filebeat":{"events":{"added":5,"done":5},"harvester":{"closed":1,"open_files":1,"running":1}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":4,"batches":3,"total":4},"read":{"bytes":18},"write":{"bytes":2223}},"pipeline":{"clients":3,"events":{"active":0,"filtered":1,"published":4,"total":5},"queue":{"acked":4}}},"registrar":{"states":{"current":6,"update":5},"writes":{"success":4,"total":4}},"system":{"load":{"1":0,"15":0.05,"5":0.01,"norm":{"1":0,"15":0.0125,"5":0.0025}}}}}}
Aug  3 10:27:41 devops-prod-ansible-02 filebeat: 2023-08-03T10:27:41.606+0800#011INFO#011[monitoring]#011log/log.go:145#011Non-zero metrics in the last 30s#011{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":2544410,"time":{"ms":9}},"total":{"ticks":6512640,"time":{"ms":38},"value":6512640},"user":{"ticks":3968230,"time":{"ms":29}}},"handles":{"limit":{"hard":4096,"soft":1024},"open":7},"info":{"ephemeral_id":"8f113502-1487-4c59-b627-114298a25801","uptime":{"ms":11552760038}},"memstats":{"gc_next":7016112,"memory_alloc":3764776,"memory_total":628190777232},"runtime":{"goroutines":38}},"filebeat":{"events":{"added":5,"done":5},"harvester":{"open_files":1,"running":1}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":5,"batches":3,"total":5},"read":{"bytes":18},"write":{"bytes":2362}},"pipeline":{"clients":3,"events":{"active":0,"published":5,"total":5},"queue":{"acked":5}}},"registrar":{"states":{"current":6,"update":5},"writes":{"success":3,"total":3}},"system":{"load":{"1":0,"15":0.05,"5":0.01,"norm":{"1":0,"15":0.0125,"5":0.0025}}}}}}

Aug  3 10:28:11 devops-prod-ansible-02 filebeat: 2023-08-03T10:28:11.606+0800#011INFO#011[monitoring]#011log/log.go:145#011Non-zero metrics in the last 30s#011{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":2544420,"time":{"ms":8}},"total":{"ticks":6512660,"time":{"ms":11},"value":6512660},"user":{"ticks":3968240,"time":{"ms":3}}},"handles":{"limit":{"hard":4096,"soft":1024},"open":7},"info":{"ephemeral_id":"8f113502-1487-4c59-b627-114298a25801","uptime":{"ms":11552790038}},"memstats":{"gc_next":7016112,"memory_alloc":4294680,"memory_total":628191307136},"runtime":{"goroutines":38}},"filebeat":{"harvester":{"open_files":1,"running":1}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":3,"events":{"active":0}}},"registrar":{"states":{"current":6}},"system":{"load":{"1":0,"15":0.05,"5":0.01,"norm":{"1":0,"15":0.0125,"5":0.0025}}}}}}

Aug  3 10:28:11 devops-prod-ansible-02 filebeat: 2023-08-03T10:28:11.606+0800#011INFO#011[monitoring]#011log/log.go:145#011Non-zero metrics in the last 30s#011{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":2544420,"time":{"ms":8}},"total":{"ticks":6512660,"time":{"ms":11},"value":6512660},"user":{"ticks":3968240,"time":{"ms":3}}},"handles":{"limit":{"hard":4096,"soft":1024},"open":7},"info":{"ephemeral_id":"8f113502-1487-4c59-b627-114298a25801","uptime":{"ms":11552790038}},"memstats":{"gc_next":7016112,"memory_alloc":4294680,"memory_total":628191307136},"runtime":{"goroutines":38}},"filebeat":{"harvester":{"open_files":1,"running":1}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":3,"events":{"active":0}}},"registrar":{"states":{"current":6}},"system":{"load":{"1":0,"15":0.05,"5":0.01,"norm":{"1":0,"15":0.0125,"5":0.0025}}}}}}
Aug  3 10:28:25 devops-prod-ansible-02 filebeat: 2023-08-03T10:28:25.085+0800#011INFO#011log/harvester.go:278#011File is inactive: /var/log/secure. Closing because close_inactive of 1m0s reached.
Aug  3 10:28:41 devops-prod-ansible-02 filebeat: 2023-08-03T10:28:41.607+0800#011INFO#011[monitoring]#011log/log.go:145#011Non-zero metrics in the last 30s#011{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":2544430,"time":{"ms":13}},"total":{"ticks":6512670,"time":{"ms":20},"value":6512670},"user":{"ticks":3968240,"time":{"ms":7}}},"handles":{"limit":{"hard":4096,"soft":1024},"open":6},"info":{"ephemeral_id":"8f113502-1487-4c59-b627-114298a25801","uptime":{"ms":11552820039}},"memstats":{"gc_next":7016112,"memory_alloc":4647992,"memory_total":628191660448},"runtime":{"goroutines":33}},"filebeat":{"events":{"added":1,"done":1},"harvester":{"closed":1,"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":3,"events":{"active":0,"filtered":1,"total":1}}},"registrar":{"states":{"current":6,"update":1},"writes":{"success":1,"total":1}},"system":{"load":{"1":0,"15":0.05,"5":0.01,"norm":{"1":0,"15":0.0125,"5":0.0025}}}}}}

Aug  3 10:29:11 devops-prod-ansible-02 filebeat: 2023-08-03T10:29:11.606+0800#011INFO#011[monitoring]#011log/log.go:145#011Non-zero metrics in the last 30s#011{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":2544440,"time":{"ms":8}},"total":{"ticks":6512690,"time":{"ms":10},"value":6512690},"user":{"ticks":3968250,"time":{"ms":2}}},"handles":{"limit":{"hard":4096,"soft":1024},"open":6},"info":{"ephemeral_id":"8f113502-1487-4c59-b627-114298a25801","uptime":{"ms":11552850039}},"memstats":{"gc_next":7016112,"memory_alloc":5171960,"memory_total":628192184416},"runtime":{"goroutines":33}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":3,"events":{"active":0}}},"registrar":{"states":{"current":6}},"system":{"load":{"1":0,"15":0.05,"5":0.01,"norm":{"1":0,"15":0.0125,"5":0.0025}}}}}}

查看audit.log日志

type=USER_AUTH msg=audit(1691029637.510:4371430): pid=30116 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="devops" exe="/usr/sbin/sshd" hostname=172.24.21.6 addr=172.24.21.6 terminal=ssh res=failed'

admin · 发表于 2023-8-3 14:18:01

vim /etc/pam.d/sshdvim /etc/pam.d/sshd
auth required pam_tally2.so onerr=fail deny=5 unlock_time=1800 even_deny_root
注释掉之后
#auth required pam_tally2.so onerr=fail deny=5 unlock_time=1800 even_deny_root

即可正常登录。

vim /etc/pam.d/login
#%PAM-1.0
#auth required pam_tally2.so onerr=fail deny=5 unlock_time=1800 even_deny_root

admin · 发表于 2023-8-3 14:18:35

把上面的二楼的注释掉，然后就可以正常的登录了。
问题解决。

		自动登录	找回密码
密码			注册

ssh 登录用户日志信息限制用户登录，防止SSH爆破，系统某些用户登录失败error: 认证失败(用户名或密码错误)

浏览过的版块