The pam_tally2 command is used to lock and unlock accounts after failed SSH logins on Linux-like operating systems. A common security requirement is that a user’s account must be locked after a number of failed login attempts. We can achieve this with the PAM module called pam_tally2. This module can display a user’s login attempts, set counts on an individual basis, and unlock all user counts.
pam_tally2 comes in two parts: pam_tally2.so and pam_tally2. The former is the PAM module and the latter, a stand-alone program. pam_tally2 is an application which can be used to interrogate and manipulate the counter file.
In this article, we will discuss how to lock and unlock a user’s account after reaching a fixed number of failed SSH attempts in RHEL/CentOS 6.X. By default the pam_tally2 module is already installed in Linux. To set the lock and unlock rules, edit the two files /etc/pam.d/system-auth and /etc/pam.d/password-auth and add the line below at the start of the auth section in both files.
auth required pam_tally2.so file=/var/log/tallylog deny=3 even_deny_root unlock_time=120
Then add the line below in the account section in both files:
account required pam_tally2.so
Sample File of /etc/pam.d/system-auth:
Sample File of /etc/pam.d/password-auth
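file=/var/log/tallylog – Default log file which keeps the login counts.
deny=3 – Deny access after 3 attempts and lock the user.
even_deny_root – The policy also applies to the root user.
unlock_time=1200 – The value is in seconds: with 1200 the account stays locked for 20 minutes and is then unlocked automatically. The auth line shown above uses unlock_time=120, which unlocks after 2 minutes.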
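The following Python script is an added example, not part of the original article: it audits a PAM service file for the two pam_tally2 lines described above, checks that the auth line sits at the start of the auth section, and reports the lockout policy in force. The names parse_pam and audit_pam_tally2 are hypothetical, and SAMPLE is a constructed file, not the article's missing sample.

```python
import re

# Constructed sample of /etc/pam.d/system-auth with the article's two lines added.
SAMPLE = """\
#%PAM-1.0
auth        required      pam_tally2.so file=/var/log/tallylog deny=3 even_deny_root unlock_time=120
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     required      pam_tally2.so
password    sufficient    pam_unix.so sha512 shadow nullok use_authtok
session     required      pam_unix.so
"""

# type, control (plain word or [bracketed list]), module path, optional arguments
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return (type, control, module, args) per rule; comments and blanks are skipped."""
    rules = []
    for raw in text.splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())
        if m:
            kind, control, module, args = m.groups()
            rules.append((kind, control, module.rsplit("/", 1)[-1], args.split()))
    return rules

def audit_pam_tally2(text):
    """Check placement of the pam_tally2 lines and report the lockout policy in force."""
    rules = parse_pam(text)
    auth = [r for r in rules if r[0] == "auth"]
    tally = next((r for r in auth if r[2] == "pam_tally2.so"), None)
    opts = {}
    for arg in (tally[3] if tally else []):
        key, _, value = arg.partition("=")
        opts[key] = value or True
    return {
        "auth_present": tally is not None,
        "auth_first": bool(auth) and auth[0] is tally,  # "start of the auth section"
        "account_present": any(r[0] == "account" and r[2] == "pam_tally2.so" for r in rules),
        "deny": int(opts["deny"]) if "deny" in opts else None,
        "unlock_seconds": int(opts["unlock_time"]) if "unlock_time" in opts else None,
        "even_deny_root": "even_deny_root" in opts,
    }

if __name__ == "__main__":
    for key, value in audit_pam_tally2(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it against both /etc/pam.d/system-auth and /etc/pam.d/password-auth; the two files should report the same values.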
Now try to log in to the Linux box with an incorrect password; you should get the “Permission denied, please try again” error.
Now check the user’s login attempts using the pam_tally2 command:
# pam_tally2 -u geek
Login           Failures Latest failure     From
geek                3    06/14/14 02:01:25  192.168.1.8
Now reset or unlock the user’s account using the pam_tally2 command:
# pam_tally2 --user geek --reset
Login           Failures Latest failure     From
geek                4    06/14/14 02:20:42  192.168.1.8
Now verify whether the login attempt count has been reset:
# pam_tally2 --user geek
Login           Failures Latest failure     From
geek                0