Comments on: How to Lock and Unlock User After Failed SSH Logins

By: Ravi Saive

Ravi Saive — Wed, 09 Apr 2025 04:27:15 +0000

In reply to atomick.

@Atomick,

Great tip – thanks for sharing!

pam_tally and pam_tally2 are definitely handy tools for handling SSH lockouts, especially on systems using older PAM modules. Creating a small script with $1 as a placeholder for the username is a smart way to save time.

And yes, as you said, the effectiveness can depend on the system’s PAM setup — always good to double-check the config.

Appreciate your input!

By: atomick

atomick — Wed, 09 Apr 2025 03:04:26 +0000

You could also check out pam_tally and pam_tally2, which can help reset SSH block and lock counters.

For example, use:

sudo pam_tally --reset --user $1
sudo pam_tally2 --reset --user $1

You can even create a short Bash script using a wildcard like $1 to pass the locked username as a parameter.

Example:

sudo pam_tally --reset --user JohnDoe

This is another useful way to handle account lockouts. All related options might depend on the PAM configuration on your system.

By: Amar Nayak

Amar Nayak — Thu, 01 Jun 2023 04:29:21 +0000

Thanks for the very helpful article…

I see lots of SSH failed login attempts on my Linux server logs daily, I hope with this solution I can completely block such login attempts and secure my SSH box from unwanted authentications…

By: bread of wakanda

bread of wakanda — Wed, 11 Sep 2019 05:21:02 +0000

what if i have a user who keeps entering the wrong password and keeps getting locked and every single day i have to unlock him .. is there any way by which i can keep that specific user out of pam policy so that he never gets locked but others can get locked?

By: Akio Crimson

Akio Crimson — Wed, 06 Mar 2019 20:52:22 +0000

Thanks for this info. I had to come up with something because when I logged in today, it said there were 43,945 failed login attempts to root. So clearly someone set up a server in china to try to brute force their way in. I set the unlock_time in mine to 24 hours after 2 failed attempts.