This step-by-step guide walks you through configuring Linux servers to lock a user account once a predefined number of failed login attempts has been detected. It applies to CentOS, Red Hat Enterprise Linux and Fedora distributions.
This is done with the pam_faillock module, which temporarily locks a user account after a predefined number of consecutive failed login attempts and keeps a record of each such event. By default, failed login attempts are stored in per-user files in the /var/run/faillock/ directory.
Lock User Accounts if Multiple Failed Login Detected
These account-lock policies are set up in the /etc/pam.d/system-auth and /etc/pam.d/password-auth files by adding the following entries to the auth section:
auth required pam_faillock.so preauth silent audit deny=5 unlock_time=600
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=600
Explanation:
audit – enables user auditing.
deny – sets the number of attempts (5 in this case) after which the user account is locked.
unlock_time – sets the time (600 seconds = 10 minutes) for which the account remains locked.
Note: The order of these lines is highly important; a wrong order can lock every user account out.
The auth section in both files should contain the following lines, arranged in this order:
auth required pam_env.so
auth required pam_faillock.so preauth silent audit deny=5 unlock_time=600
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=600
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
Now edit these two files:
# vi /etc/pam.d/system-auth
# vi /etc/pam.d/password-auth
The default entries in the auth section of both files will look similar to the following.
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet
auth required pam_deny.so
After adding the above settings, the section should look like this.
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faillock.so preauth silent audit deny=5 unlock_time=600
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=600
auth requisite pam_succeed_if.so uid >= 1000 quiet
auth required pam_deny.so
Then add the following entry (the last line, account required pam_faillock.so) to the account section in both of the above files.
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
account required pam_faillock.so
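The ordering rule in the note above is easy to get wrong when editing by hand, so here is a small POSIX shell checker, written for this page and not part of the original article, that reads a PAM file and reports whether the pam_faillock lines in its auth section follow the order shown: the preauth line before pam_unix.so, the authfail line after it with the [default=die] control, and identical deny= and unlock_time= values on both lines. The two sample stacks it writes under a temporary directory are constructed for the demonstration; the first reproduces the article's final auth section, the second deliberately misorders the lines and lets the two deny= values disagree.

```sh
#!/bin/sh
# Added example (not from the original article): check the pam_faillock ordering
# in the "auth" stack of a PAM file against the rules the article gives. The
# sample files at the bottom are constructed here for a stand-alone run.

nl='
'

# add_error MESSAGE: append one finding to the report
add_error() { errors="$errors$1$nl"; }

# opt_value KEY "OPTS": print the value of KEY=... from a PAM option string (empty if absent)
opt_value() {
    k=$1
    for opt in $2; do
        case $opt in "$k="*) printf '%s\n' "${opt#*=}"; return 0 ;; esac
    done
    return 0
}

# check_faillock_stack FILE: prints OK and returns 0, or one line per problem and returns 1
check_faillock_stack() {
    file=$1
    n=0 unix_at=0 preauth_at=0 authfail_at=0
    preauth_opts='' authfail_opts='' authfail_ctrl='' errors=''
    set -f                                  # no globbing: "[default=die]" is a bracket pattern
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line                        # split into whitespace-separated PAM fields
        [ $# -ge 3 ] || continue            # blank, comment-only or truncated line
        [ "$1" = auth ] || continue         # only the auth stack is checked here
        n=$((n + 1)); shift
        ctrl=$1; shift
        # a bracketed control field may contain spaces, e.g. [success=1 default=ignore]
        case $ctrl in
            \[*) while [ $# -gt 0 ]; do
                     case $ctrl in *\]) break ;; esac
                     ctrl="$ctrl $1"; shift
                 done ;;
        esac
        [ $# -ge 1 ] || continue            # no module name left on the line
        module=$1; shift
        opts=$*
        case $module in
            pam_unix.so) unix_at=$n ;;
            pam_faillock.so)
                case " $opts " in
                    *' preauth '*)  preauth_at=$n;  preauth_opts=$opts ;;
                    *' authfail '*) authfail_at=$n; authfail_opts=$opts; authfail_ctrl=$ctrl ;;
                esac ;;
        esac
    done < "$file"

    [ "$unix_at" -gt 0 ]     || add_error "no pam_unix.so line in the auth stack"
    [ "$preauth_at" -gt 0 ]  || add_error "missing 'pam_faillock.so preauth' line"
    [ "$authfail_at" -gt 0 ] || add_error "missing 'pam_faillock.so authfail' line"
    if [ "$preauth_at" -gt 0 ] && [ "$unix_at" -gt 0 ] && [ "$preauth_at" -gt "$unix_at" ]; then
        add_error "preauth line (auth #$preauth_at) must come before pam_unix.so (auth #$unix_at)"
    fi
    if [ "$authfail_at" -gt 0 ] && [ "$unix_at" -gt 0 ] && [ "$authfail_at" -lt "$unix_at" ]; then
        add_error "authfail line (auth #$authfail_at) must come after pam_unix.so (auth #$unix_at)"
    fi
    if [ "$authfail_at" -gt 0 ] && [ "$authfail_ctrl" != '[default=die]' ]; then
        add_error "authfail line should use [default=die], found '$authfail_ctrl'"
    fi
    if [ "$preauth_at" -gt 0 ] && [ "$authfail_at" -gt 0 ]; then
        for key in deny unlock_time; do    # both lines must carry one and the same policy
            a=$(opt_value "$key" "$preauth_opts")
            b=$(opt_value "$key" "$authfail_opts")
            [ "$a" = "$b" ] || add_error "$key differs: preauth='$a' authfail='$b'"
        done
    fi
    set +f
    if [ -z "$errors" ]; then echo OK; return 0; fi
    printf '%s' "$errors"
    return 1
}

# Constructed samples: the article's final auth section, and a broken variant that
# puts preauth after pam_unix.so and uses a different deny= on each line.
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
GOOD_STACK=$WORKDIR/system-auth.good
BAD_STACK=$WORKDIR/system-auth.bad
cat > "$GOOD_STACK" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent audit deny=5 unlock_time=600
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=5 unlock_time=600
auth        requisite     pam_succeed_if.so uid >= 1000 quiet
auth        required      pam_deny.so
account     required      pam_unix.so
account     required      pam_faillock.so
EOF
cat > "$BAD_STACK" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth        [default=die] pam_faillock.so authfail audit deny=5 unlock_time=600
auth        required      pam_deny.so
EOF

for f in "$GOOD_STACK" "$BAD_STACK"; do
    echo "== $(basename "$f")"
    check_faillock_stack "$f" || echo "(exit status $?)"
done
```

On a live system, run check_faillock_stack against both /etc/pam.d/system-auth and /etc/pam.d/password-auth before restarting sshd; the checker only validates the structure of the stack, so the SSH test described later in the article is still the confirmation that the lock actually triggers.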
Lock Root Account if Failed Login Attempts Detected
If you want the root account to be locked as well after multiple failed login attempts, add the even_deny_root option to both pam_faillock lines in the auth section of both files, as shown below.
auth required pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=600
auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=600
When you have completed all of the above steps, restart remote access services such as SSH so that your changes take effect.
# systemctl restart sshd [On SystemD]
# service sshd restart [On SysVInit]
Test User Failed Login Attempts
To test the failed-login settings, access your Linux machine via SSH and enter a wrong password 5 times, since the system has been configured to lock a user account after 5 failed login attempts. If everything is set correctly, the user is locked out after 5 consecutive failed attempts.
Monitor Failed Authentication Attempts
You can monitor all failed authentication records using the faillock command, which displays and modifies the authentication failure log. Run the following command as root to view a particular user's failed login attempts.
# faillock --user username
To view all unsuccessful login attempts at once, run faillock without any argument.
# faillock
To clear a particular user's authentication failure records, run the following command.
# faillock --user username --reset
To clear all failure records at once, run the following command.
# faillock --reset
If you do not want a particular user's or several users' accounts to be locked after multiple failed login attempts, add the following entry (the pam_succeed_if.so line) just above the first pam_faillock call in the auth section of both files (/etc/pam.d/system-auth and /etc/pam.d/password-auth), as shown below.
Give the user in option a colon-separated list of usernames.
auth required pam_env.so
auth [success=1 default=ignore] pam_succeed_if.so user in jhon:peter
auth required pam_faillock.so preauth silent audit deny=5 unlock_time=600
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=600
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
You are done.