Did You Know?
Donate to TecMint

LFCS - Linux Foundation Certified SysAdmin - Exam Preparation Guide

Use Pam_Tally2 to Lock and Unlock SSH Failed Login Attempts

Download Your Free eBooks NOW - 10 Free Linux eBooks for Administrators

pam_tally2 module is used to lock user accounts after certain number of failed ssh login attempts made to the system. This module keeps the count of attempted accesses and too many failed attempts.

pam_tally2 module comes in two parts, one is pam_tally2.so and another is pam_tally2. It is based on PAM module and can be used to examine and manipulate the counter file. It can display user login attempts counts, set counts on individual basis, unlock all user counts.

Lock SSH Logins

Pam_tally2 to Lock SSH Logins

By default, pam_tally2 module is already installed on the most of the Linux distributions and it is controlled by PAM package itself. This article demonstrates on how to lock and unlock SSH accounts after reaching a certain failed number of login attempts.

How to Lock and Unlock User Accounts

Use ‘/etc/pam.d/password-auth‘ configuration file to configure login attempts accesses. Open this file and add the following AUTH configuration line to it at beginning of the ‘auth‘ section.

auth        required      pam_tally2.so  file=/var/log/tallylog deny=3 even_deny_root unlock_time=1200

Next, add the following line to ‘account‘ section.

account     required      pam_tally2.so
  1. file=/var/log/tallylog – Default log file is used to keep login counts.
  2. deny=3 – Deny access after 3 attempts and lock down user.
  3. even_deny_root – Policy is also apply to root user.
  4. unlock_time=1200 – Account will be locked till 20 Min. (remove this parameters if you want to lock down permanently till manually unlock.)

Once you’ve done with above configuration, now try to attempt 3 failed login attempts to server using any ‘username‘. After you made more than 3 attempts you will get the following message.

[root@tecmint ~]# ssh tecmint@
tecmint@'s password:
Permission denied, please try again.
tecmint@'s password:
Permission denied, please try again.
tecmint@'s password:
Account locked due to 4 failed logins
Account locked due to 5 failed logins
Last login: Mon Apr 22 21:21:06 2013 from

Now, verify or check the counter that user attempts with the following command.

[root@tecmint ~]# pam_tally2 --user=tecmint
Login           Failures  Latest    failure     From
tecmint              5    04/22/13  21:22:37

How to reset or unlock the user account to enable access again.

[root@tecmint pam.d]# pam_tally2 --user=tecmint --reset
Login           Failures  Latest    failure     From
tecmint             5     04/22/13  17:10:42

Verify login attempt is reset or unlocked

[root@tecmint pam.d]# pam_tally2 --user=tecmint
Login           Failures   Latest   failure     From
tecmint            0

The PAM module is part of all Linux distribution and configuration provided about should work on all Linux distribution. Do ‘man pam_tally2‘ from the command line to know more about it.

Read Also:

  1. 5 Tips to Secure and Protect SSH Server
  2. Block SSH Brute Force Attacks Using DenyHosts
He has over 10 years of rich IT experience which includes various Linux Distros, FOSS and Networking. Narad always believes sharing IT knowledge with others and adopts new technology with ease.

Your name can also be listed here. Work as a Paid freelancer/writer at TecMint.
Download Free eBooks
Advanced Bash-Scripting Guide
Linux Bible
A Newbie's Getting Started Guide to Linux
Ubuntu Linux Toolbox: 1000+ Commands

12 Responses

  1. JFM says:

    Can you say “denial of service”. I am sure you can. Can you say automated denial of service meaning that the unlock provison is completely useless I am sure you can too.

    If you are worried about brute force password cracking the way to go is

    1) Long, hard to guess password

    2) Setting alerts about failed logins and ensuring they are not lost in “noise”

    3) Port knocking

  2. Jura says:

    On RHEL 6.4 it is counting failes, but never locks.

    • Ravi Saive says:

      I haven’t tried out in 6.4, will try and update you.

    • dieter says:

      On my setup it works on RHEL 6.4. The count of failed log attemps is done OK, it resets itselfs if the user success before account lockdown, and the account locks itself if fail count reaches max deny count.

      The only thing I can’t manage to do from now, is to have the reason of login deny printed (like it is shown in the article)

      • Jura says:

        Can you post your setup? I have basically copy pasted what is written in the article and everything works as described accept locking the account.

  3. harry virk says:

    thanks :) it worked ..

  4. Rakesh says:

    on our setup on RHEL6.4, though the account gets locked, however the message is not informative. It is just showing the error message “access denied”

    • Kyle says:

      I have the same problem. It will lock the account successfully, however it will not provide information on this to the user. Were you able to figure out how to set the access denied error to something more like:

      Account locked due to 4 failed logins

  5. nilesh khetre says:

    very nice…

    It helps my team a lot….

  6. Kyle says:

    I appreciate the information! It really helped with configuring the account lock. I’m curious on how you were able to configure the lockout message, however.

    Account locked due to 4 failed logins

    Unlike the above, I’m getting the standard “Access Denied” error.

  7. Danilo says:

    Thanks, it works in 6.5.

Leave a Reply

This work is licensed under a (cc) BY-NC | TecMint uses cookies. By using our services, you comply to use of our cookies. More info: Privacy Policy.
© 2012-2014 All Rights Reserved.