Often a requirement in a secure environment is to lockdown users after they enter a wrong password for a specified number of times. This makes the system protect again The post describes how to lock an account after N incorrect login attempts using pam.d files. The pam_faillock module supports temporary locking of user accounts in the event of multiple failed authentication attempts. This new module improves functionality over the existing pam_tally2 module, as it also allows temporary locking when the authentication attempts are done over a screensaver.
Lock user after N incorrect logins
1. First, take a backup of the file /etc/pam.d/password-auth and /etc/pam.d/system-auth. Then add the lines highlighted in red to the both the files.
auth required pam_env.so
auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=3
auth sufficient pam_faillock.so authsucc audit deny=3
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_faillock.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
The above configuration file would lock out users after 3 unsuccessful login attempts and unlock them after 10 minutes.
Here,
deny - allows us to set the value N (no. of attempts) after which the user account should be locked.
unlock_time - is the time for which the account should stay locked [Optional]
even_deny_root – makes sure that the same rule applies to root user as well. To exclude root user from this policy, simply remove the parameter from the line [Optional].
2. To lock out root user, auth required pam_faillock.so line should be added in both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows :
auth required pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=1200 root_unlock_time=600
3. To disable a user from locking out even after multiple failed logins add the below line just above the pam_faillock in both /etc/pam.d/system-auth and /etc/pam.d/password-auth and replace user1, user2 with the actual usernames.
auth [success=1 default=ignore] pam_succeed_if.so user in user1:user2:user3
4. Restart the sshd service.
# systemctl restart sshd
Reset the locked user password
1. For displaying authentication failure records:
# faillock --user [username]
2. For resetting authentication failure records:
# faillock --user [username] --reset