How to Lock User Accounts After Failed Login Attempts

Aaron Kili

Aaron Kili is a Linux and F.O.S.S enthusiast, an upcoming Linux SysAdmin, web developer, and currently a content creator for TecMint who loves working with computers and strongly believes in sharing knowledge.

11 Responses

  1. Akio Crimson says:

    Thanks for this info. I had to come up with something because when I logged in today, it said there were 43,945 failed login attempts to root. So clearly someone set up a server in China to try to brute force their way in. I set the unlock_time in mine to 24 hours after 2 failed attempts.

  2. shuja says:

    @Josh and Ravi, can you please tell me how to make this lock option permanent so that a reboot does not clear the lock? Also, please let me know how I can apply this policy on 100 servers easily.

  3. Josh says:

    The following will lock a user account forever. You can read the manual. I checked this on an account and the account is still locked. A reboot clears the lock.

    unlock_time=never
    
  4. shuja says:

    @ravi

    My objective is that the user account should be locked for an infinite duration after 3 unsuccessful attempts. How can I meet this objective?

    Thanks in advance

    • Ravi Saive says:

      @Shuja,

      Then add the following configuration to lock a user for an infinite time (specify a higher time for unlock_time=300).

      #%PAM-1.0
      # This file is auto-generated.
      # User changes will be destroyed the next time authconfig is run.
      auth        required      pam_env.so
      auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=300
      auth        sufficient    pam_fprintd.so
      auth        sufficient    pam_unix.so nullok try_first_pass
      auth        [default=die]  pam_faillock.so  authfail  audit  deny=3  unlock_time=300
      auth        requisite     pam_succeed_if.so uid >= 1000 quiet
      auth        required      pam_deny.so
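
An added example, not part of the original comments or of the TecMint article: a shell function that audits a PAM file for the pam_faillock wiring used in the stack above (preauth before pam_unix.so, authfail after it, identical deny and unlock_time on both lines). It can confirm the lines survived an authconfig run or be run across many hosts. The function name audit_faillock and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the auth stack of a PAM file for pam_faillock wiring.
# audit_faillock FILE prints findings and returns non-zero when a check fails.
audit_faillock() {
    awk '
    function opt(name,   i, kv) {          # value of name=... on the current line
        for (i = 2; i <= NF; i++) { split($i, kv, "="); if (kv[1] == name) return kv[2] }
        return ""
    }
    $1 != "auth" { next }                  # skip comments and other stacks
    /pam_unix\.so/ { unix = ++n; next }    # remember where password auth happens
    /pam_faillock\.so/ {
        n++
        if ($0 ~ /[ \t]preauth([ \t]|$)/)  { pre = n;  pd = opt("deny"); pu = opt("unlock_time") }
        if ($0 ~ /[ \t]authfail([ \t]|$)/) { fail = n; fd = opt("deny"); fu = opt("unlock_time") }
        next
    }
    { n++ }
    END {
        bad = 0
        if (!pre)  { print "FAIL: no pam_faillock.so preauth line"; bad = 1 }
        if (!fail) { print "FAIL: no pam_faillock.so authfail line"; bad = 1 }
        if (pre && unix && pre > unix)   { print "FAIL: preauth must come before pam_unix.so"; bad = 1 }
        if (fail && unix && fail < unix) { print "FAIL: authfail must come after pam_unix.so"; bad = 1 }
        if (pre && fail && (pd != fd || pu != fu)) {
            print "FAIL: deny/unlock_time differ between preauth and authfail"; bad = 1
        }
        if (!bad) print "OK: deny=" pd " unlock_time=" pu
        exit bad
    }' "$1"
}

# Constructed sample input: the auth lines from the comment above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=300
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die]  pam_faillock.so  authfail  audit  deny=3  unlock_time=300
auth        required      pam_deny.so
EOF
audit_faillock "$sample"
rm -f "$sample"
```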
      
  5. shuja says:

    Will this be configurable in RHEL 7?

    • Ravi Saive says:

      @Shuja,

      Yes, you can lock user accounts in the RHEL distribution also using these instructions.

      • shuja says:

        Thanks, Ravi. I did it and it's working, but when I run passwd -S the output doesn't say the user account is locked, though I can see a faillock entry for the user. Secondly, I want to lock the user for an infinite time and unlock it manually.

        How can I do that?

        • Ravi Saive says:

          @Shuja,

          To lock an account in Linux permanently, use the following command.

          # passwd -l ravi
          

          To unlock an account manually, use the following command.

          # passwd -u ravi
          
  6. Josh Roden says:

    Hi,

    In the file it says:

    "This file is auto-generated.
    User changes will be destroyed the next time authconfig is run."
    

    Is there a way to make these changes persistent?
