CentOS / RHEL 7 : Lock User Account After N Number of Incorrect Login Attempts

By admin

A common requirement in a secure environment is to lock out users after they enter a wrong password a specified number of times. This helps protect the system against repeated password-guessing attempts. This post describes how to lock an account after N incorrect login attempts using the pam.d files. The pam_faillock module supports temporary locking of user accounts in the event of multiple failed authentication attempts. This newer module improves on the existing pam_tally2 module, as it also allows temporary locking when the authentication attempts are made through a screensaver.

Lock user after N incorrect logins

1. First, take a backup of the files /etc/pam.d/password-auth and /etc/pam.d/system-auth. Then add the pam_faillock.so lines shown below (the preauth, authfail and authsucc lines in the auth section, and the pam_faillock.so line in the account section) to both files, at the positions shown.

auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=3
auth        sufficient    pam_faillock.so authsucc audit deny=3
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_faillock.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

The above configuration would lock out users after 3 unsuccessful login attempts and unlock them automatically after 10 minutes.

Here,
deny=N - sets the number of failed attempts (N) after which the user account is locked.
unlock_time=SECONDS - the time, in seconds, for which the account stays locked before it is unlocked automatically [Optional].
even_deny_root - applies the same rule to the root user as well. To exclude the root user from this policy, simply remove this parameter from the line [Optional].

Note: The sequence of the lines in these files is important; any change in the sequence can end up locking all users, including root, when you are using the even_deny_root option.

2. To lock out the root user as well, the auth required pam_faillock.so preauth line in both /etc/pam.d/system-auth and /etc/pam.d/password-auth should read as follows:

auth    required    pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=1200 root_unlock_time=600

3. To exempt specific users from being locked out even after multiple failed logins, add the line below just above the pam_faillock line in both /etc/pam.d/system-auth and /etc/pam.d/password-auth, replacing user1, user2, user3 with the actual usernames.

auth [success=1 default=ignore] pam_succeed_if.so user in user1:user2:user3

4. Restart the sshd service.

# systemctl restart sshd
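Because the note above stresses that the order of the pam_faillock lines matters, here is a small POSIX shell checker that audits a system-auth or password-auth file for the layout the steps rely on: the preauth line before pam_unix.so, the authfail line after it, a pam_faillock.so line in the account section, and the same deny= value on both auth lines. This is an added example, not code from the original post; the function names (pam_line_no, pam_deny_value, check_faillock_config) and the two sample stacks are constructed for illustration.

```shell
#!/bin/sh
# Audit a PAM stack for the pam_faillock layout used in the steps above.
# Added example: the function names and the two sample stacks below are
# constructed for illustration and are not part of the original post.

# Print the 1-based line number of the first line in file $1 matching
# regex $2, or 0 when nothing matches.
pam_line_no() {
    awk -v re="$2" '$0 ~ re { print NR; found = 1; exit }
                    END { if (!found) print 0 }' "$1"
}

# Print the N from "deny=N" on the first line of $1 matching regex $2
# (prints nothing when the option is absent).
pam_deny_value() {
    awk -v re="$2" '$0 ~ re {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^deny=/) { sub(/^deny=/, "", $i); print $i }
        exit
    }' "$1"
}

# Return 0 when file $1 has the expected pam_faillock layout, 1 otherwise.
check_faillock_config() {
    f=$1
    pre=$(pam_line_no "$f" '^auth[ \t].*pam_faillock[.]so[ \t].*preauth')
    unix=$(pam_line_no "$f" '^auth[ \t].*pam_unix[.]so')
    fail=$(pam_line_no "$f" '^auth[ \t].*pam_faillock[.]so[ \t].*authfail')
    acct=$(pam_line_no "$f" '^account[ \t].*pam_faillock[.]so')
    if [ "$pre" -eq 0 ] || [ "$fail" -eq 0 ] || [ "$acct" -eq 0 ]; then
        echo "$f: FAIL - missing preauth, authfail or account pam_faillock.so line"
        return 1
    fi
    # Order matters: preauth must precede pam_unix.so and authfail must follow
    # it, so the counter is consulted before and updated after the password check.
    if [ "$unix" -eq 0 ] || [ "$pre" -gt "$unix" ] || [ "$unix" -gt "$fail" ]; then
        echo "$f: FAIL - pam_faillock lines must bracket pam_unix.so (preauth before, authfail after)"
        return 1
    fi
    d_pre=$(pam_deny_value "$f" preauth)
    d_fail=$(pam_deny_value "$f" authfail)
    if [ -z "$d_pre" ] || [ "$d_pre" != "$d_fail" ]; then
        echo "$f: FAIL - deny= must be set and identical on the preauth and authfail lines"
        return 1
    fi
    echo "$f: OK (locks after $d_pre failed attempts)"
}

# Constructed samples: a correct stack, and one with the preauth line placed
# after pam_unix.so and a mismatched deny= value.
good=$(mktemp); bad=$(mktemp)
trap 'rm -f "$good" "$bad"' EXIT
cat >"$good" <<'EOF'
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=3
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
EOF
cat >"$bad" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth        [default=die] pam_faillock.so authfail audit deny=5
auth        required      pam_deny.so
account     required      pam_faillock.so
EOF

# Usage: on a real host, run this over /etc/pam.d/system-auth and
# /etc/pam.d/password-auth instead of the constructed samples.
for f in "$good" "$bad"; do
    check_faillock_config "$f" || true
done
```

The checker deliberately reads only the auth and account sections the lockout depends on; it does not rewrite anything, so it is safe to run after every edit to the two files and before the sshd restart.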

Display and reset a locked user's failure records

1. To display the authentication failure records for a user:

# faillock --user [username]

2. To reset the authentication failure records for a user (this unlocks the account):

# faillock --user [username] --reset

Filed Under: CentOS/RHEL 7, Linux

© 2021 · The Geek Diary