• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer navigation

The Geek Diary

  • OS
    • Linux
    • CentOS/RHEL
    • Solaris
    • Oracle Linux
    • VCS
  • Interview Questions
  • Database
    • oracle
    • oracle 12c
    • ASM
    • mysql
    • MariaDB
  • DevOps
    • Docker
    • Shell Scripting
  • Big Data
    • Hadoop
    • Cloudera
    • Hortonworks HDP

CentOS / RHEL 7 : Lock User Account After N Number of Incorrect Login Attempts

by admin

Often a requirement in a secure environment is to lockdown users after they enter a wrong password for a specified number of times. This makes the system protect again The post describes how to lock an account after N incorrect login attempts using pam.d files. The pam_faillock module supports temporary locking of user accounts in the event of multiple failed authentication attempts. This new module improves functionality over the existing pam_tally2 module, as it also allows temporary locking when the authentication attempts are done over a screensaver.

Lock user after N incorrect logins

1. First, take a backup of the file /etc/pam.d/password-auth and /etc/pam.d/system-auth. Then add the lines highlighted in red to the both the files.

auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=3
auth        sufficient     pam_faillock.so authsucc audit deny=3
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_faillock.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so 
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
The above configuration file would lock out users after 3 unsuccessful login attempts and unlock them after 10 minutes.

Here,
deny - allows us to set the value N (no. of attempts) after which the user account should be locked.
unlock_time - is the time for which the account should stay locked [Optional]
even_deny_root – makes sure that the same rule applies to root user as well. To exclude root user from this policy, simply remove the parameter from the line [Optional].

Note : Sequence of the lines in the files are important and any change in sequence would end up locking all users including root user when you are using even_deny_root option.

2. To lock out root user, auth required pam_faillock.so line should be added in both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows :

auth    required    pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=1200 root_unlock_time=600

3. To disable a user from locking out even after multiple failed logins add the below line just above the pam_faillock in both /etc/pam.d/system-auth and /etc/pam.d/password-auth and replace user1, user2 with the actual usernames.

auth [success=1 default=ignore] pam_succeed_if.so user in user1:user2:user3

4. Restart the sshd service.

# systemctl restart sshd

Reset the locked user password

1. For displaying authentication failure records:

# faillock --user [username]

2. For resetting authentication failure records:

# faillock --user [username] --reset

Filed Under: CentOS/RHEL 7, Linux

Some more articles you might also be interested in …

  1. fail2ban-client Command Examples in Linux
  2. How to install zip/unzip package in Linux CentOS/RHEL 7 and 8
  3. Understanding the /etc/fstab file in Linux
  4. CentOS / RHEL 7 : Configuring an NFS server and NFS client
  5. Interview Questions : Linux Package Manager (RPM)
  6. 18 Practical tcpdump Command Examples – A Network Sniffer Tool Primer
  7. How to mount an iso file in Linux
  8. passwd Command Examples in Linux
  9. links Command Examples in Linux
  10. lolcat Command Examples in Linux

You May Also Like

Primary Sidebar

Recent Posts

  • powertop Command Examples in Linux
  • powertop: command not found
  • powerstat: command not found
  • powerstat Command Examples in Linux

© 2023 · The Geek Diary

  • Archives
  • Contact Us
  • Copyright