Use Pam_Tally2 to Lock and Unlock SSH Failed Login Attempts

Narad Shrestha

He has over 10 years of rich IT experience, which includes various Linux distros, FOSS and networking. Narad always believes in sharing IT knowledge with others and adopts new technology with ease.

13 Responses

  1. Fauzi says:

    Thanks, it works for me

  2. Danilo says:

    Thanks, it works in 6.5.

  3. Kyle says:

    I appreciate the information! It really helped with configuring the account lock. I’m curious on how you were able to configure the lockout message, however.

    Account locked due to 4 failed logins

    Unlike the above, I’m getting the standard “Access Denied” error.

  4. nilesh khetre says:

    very nice…

    It helps my team a lot….

  5. Rakesh says:

    On our setup on RHEL 6.4, though the account gets locked, the message is not informative. It is just showing the error message “access denied”.

    • Kyle says:

      I have the same problem. It will lock the account successfully, however it will not provide information on this to the user. Were you able to figure out how to set the access denied error to something more like:

      Account locked due to 4 failed logins

  6. harry virk says:

    thanks :) it worked ..

  7. Jura says:

    On RHEL 6.4 it is counting failures, but never locks.

    • Ravi Saive says:

      I haven’t tried it out in 6.4, will try and update you.

    • dieter says:

      On my setup it works on RHEL 6.4. The count of failed login attempts is done OK, it resets itself if the user succeeds before account lockdown, and the account locks itself if the fail count reaches the max deny count.

      The only thing I can’t manage to do for now is to have the reason for the login denial printed (like it is shown in the article).

      • Jura says:

        Can you post your setup? I have basically copy-pasted what is written in the article and everything works as described except locking the account.

  8. JFM says:

    Can you say “denial of service”? I am sure you can. Can you say automated denial of service, meaning that the unlock provision is completely useless? I am sure you can too.

    If you are worried about brute force password cracking the way to go is

    1) Long, hard to guess password

    2) Setting alerts about failed logins and ensuring they are not lost in “noise”

    3) Port knocking
