How to Lock User Accounts After Failed Login Attempts

This guide shows how to lock a system user’s account after a specified number of failed login attempts on CentOS, RHEL and Fedora. The goal is to enforce simple server security by locking a user’s account after a set number of consecutive unsuccessful authentications.

This can be achieved with the pam_faillock module, which temporarily locks user accounts after multiple failed authentication attempts and keeps a record of each failure. Failed login attempts are stored in per-user files in the tally directory, which is /var/run/faillock/ by default.

pam_faillock is part of Linux PAM (Pluggable Authentication Modules), a dynamic mechanism for implementing authentication services in applications and various system services which we briefly explained under configuring PAM to audit user login shell activity.

How to Lock User Accounts After Consecutive Failed Authentications

You can configure the above functionality in the /etc/pam.d/system-auth and /etc/pam.d/password-auth files, by adding the entries below to the auth section.

auth    required       pam_faillock.so preauth silent audit deny=3 unlock_time=300
auth    [default=die]  pam_faillock.so authfail audit deny=3 unlock_time=300

Where:

  • audit – logs the user name to the system log even when the account does not exist.
  • deny – the number of failed attempts (3 in this case) after which the user account is locked.
  • unlock_time – the time (300 seconds = 5 minutes) for which the account stays locked.

Note that the order of these lines is very important: a wrong configuration can lock out every user account on the system.

The auth section in both files should have the content below arranged in this order:

auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=300
auth        sufficient    pam_unix.so  nullok  try_first_pass
auth        [default=die]  pam_faillock.so  authfail  audit  deny=3  unlock_time=300
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

Now open these two files with your choice of editor.

# vi /etc/pam.d/system-auth
# vi /etc/pam.d/password-auth 

The default entries in the auth section of both files look like this.

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet
auth        required      pam_deny.so

After adding the above settings, it should appear as follows.

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=300
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die]  pam_faillock.so  authfail  audit  deny=3  unlock_time=300
auth        requisite     pam_succeed_if.so uid >= 1000 quiet
auth        required      pam_deny.so

Then add the pam_faillock.so entry (the last line below) to the account section in both of the above files.

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
account     required      pam_faillock.so
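Because a misordered auth section can either lock everyone out or never lock anyone, here is an added example (not from the article) that checks a PAM file for the ordering described above: preauth before pam_unix, authfail after it, both before pam_deny, matching deny=/unlock_time= on both faillock lines, and a pam_faillock.so entry in the account section. The two sample configurations are constructed for the demo; on a host you would point check_faillock_order at /etc/pam.d/system-auth and /etc/pam.d/password-auth.

```shell
#!/bin/sh
# Added example (not from the article): verify that a PAM file wires in
# pam_faillock in the order the guide requires. Returns 0 if sound, 1 otherwise.
check_faillock_order() {
    file="$1"
    # Line number of the first match for each auth entry we care about.
    preauth=$(grep -n '^auth.*pam_faillock\.so.*preauth' "$file" | head -n 1 | cut -d: -f1)
    unix=$(grep -n '^auth.*pam_unix\.so' "$file" | head -n 1 | cut -d: -f1)
    authfail=$(grep -n '^auth.*pam_faillock\.so.*authfail' "$file" | head -n 1 | cut -d: -f1)
    deny=$(grep -n '^auth.*pam_deny\.so' "$file" | head -n 1 | cut -d: -f1)
    # All four entries must exist ...
    [ -n "$preauth" ] && [ -n "$unix" ] && [ -n "$authfail" ] && [ -n "$deny" ] || return 1
    # ... in the order preauth < pam_unix < authfail < pam_deny. If preauth came
    # after the "sufficient" pam_unix line, a correct password would bypass the lock.
    [ "$preauth" -lt "$unix" ] && [ "$unix" -lt "$authfail" ] && [ "$authfail" -lt "$deny" ] || return 1
    # Both faillock lines must agree on deny= and unlock_time=.
    p_opts=$(sed -n "${preauth}p" "$file" | grep -oE 'deny=[0-9]+|unlock_time=[0-9a-z]+' | sort)
    a_opts=$(sed -n "${authfail}p" "$file" | grep -oE 'deny=[0-9]+|unlock_time=[0-9a-z]+' | sort)
    [ -n "$p_opts" ] && [ "$p_opts" = "$a_opts" ] || return 1
    # The guide also requires a pam_faillock.so entry in the account section.
    grep -q '^account.*pam_faillock\.so' "$file"
}

# Helper: check a configuration given as a string (writes it to a temp file).
check_text() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$1" > "$tmp"
    if check_faillock_order "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# Constructed sample configurations (not copied from a real host).
GOOD_AUTH='auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=300
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die]  pam_faillock.so  authfail  audit  deny=3  unlock_time=300
auth        requisite     pam_succeed_if.so uid >= 1000 quiet
auth        required      pam_deny.so
account     required      pam_unix.so
account     required      pam_faillock.so'
# Same entries, but preauth placed after pam_unix: must be rejected.
BAD_AUTH='auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=300
auth        [default=die]  pam_faillock.so  authfail  audit  deny=3  unlock_time=300
auth        required      pam_deny.so
account     required      pam_faillock.so'

check_text "$GOOD_AUTH" && echo "GOOD_AUTH: ordering ok"
check_text "$BAD_AUTH" || echo "BAD_AUTH: rejected (preauth after pam_unix)"
```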

How to Lock Root Account After Failed Login Attempts

To lock the root account after failed authentication attempts, add the even_deny_root option to the lines in both files in the auth section like this.

auth        required      pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=300
auth        [default=die]  pam_faillock.so  authfail  audit  deny=3 even_deny_root unlock_time=300

Once everything is configured, restart remote access services such as sshd so that the policy takes effect for users who connect to the server over SSH.

# systemctl restart sshd  [On SystemD]
# service sshd restart    [On SysVInit]

How to Test SSH User Failed Login Attempts

From the above settings, we configured the system to lock a user’s account after 3 failed authentication attempts.

In this scenario, the user tecmint is trying to switch to the user aaronkilik. After 3 incorrect logins caused by a wrong password, indicated by the “Permission denied” message, the aaronkilik account is locked, as shown by the “authentication failure” message on the fourth attempt.

Test User Failed Login Attempts

The root user is also notified of the failed login attempts on the system, as shown in the screen shot below.

Failed Login Attempts Message

How to View Failed Authentication Attempts

You can see all failed authentication records using the faillock utility, which displays and modifies the authentication failure log.

You can view failed login attempts for a particular user like this.

# faillock --user aaronkilik

View User Failed Login Attempts

To view all unsuccessful login attempts, run faillock without any argument like so:

# faillock 

To clear a user’s authentication failure logs, run this command.

# faillock --user aaronkilik --reset

Or, to clear all authentication failure records at once:

# faillock --reset
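To turn the output of faillock into a list of currently locked accounts, here is an added example (not from the article) that reads faillock output on stdin and prints every user whose valid (V) failure records have reached the deny= threshold. The sample output is constructed in the layout faillock prints; on a host you would pipe the real command into it.

```shell
#!/bin/sh
# Added example (not from the article): report users at or above the deny=
# threshold from `faillock` output. Usage: faillock | locked_users 3
locked_users() {
    deny="$1"
    awk -v deny="$deny" '
        # a "user:" line opens that user'"'"'s block; start its counter at zero
        /^[^ ]+:$/ { user = substr($1, 1, length($1) - 1); count[user] = 0; next }
        # the column header is repeated under every user
        $1 == "When" { next }
        # a record: date time type source valid-flag; only V records count
        NF >= 5 && $NF == "V" { count[user]++ }
        END { for (u in count) if (count[u] >= deny) print u }
    ' | sort
}

# Constructed sample in the layout faillock prints (not a real capture):
# tecmint has one failure, aaronkilik three valid ones plus one marked I.
SAMPLE='tecmint:
When                Type  Source                                           Valid
2017-04-12 10:58:01 TTY   pts/0                                            V
aaronkilik:
When                Type  Source                                           Valid
2017-04-12 11:01:50 RHOST 192.0.2.10                                       I
2017-04-12 11:02:13 RHOST 192.0.2.10                                       V
2017-04-12 11:02:20 RHOST 192.0.2.10                                       V
2017-04-12 11:02:31 RHOST 192.0.2.10                                       V
'

# With the guide's deny=3 only aaronkilik is reported.
printf '%s' "$SAMPLE" | locked_users 3
```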

Lastly, to exempt one or more users from being locked after several unsuccessful login attempts, add a pam_succeed_if.so line (the second line below) just above where pam_faillock is first called in the auth section of both files (/etc/pam.d/system-auth and /etc/pam.d/password-auth), as follows.

List the exempted usernames, separated by colons, after the option user in.

auth  required      pam_env.so
auth   [success=1 default=ignore] pam_succeed_if.so user in tecmint:aaronkilik 
auth   required      pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth   sufficient    pam_unix.so  nullok  try_first_pass
auth   [default=die]  pam_faillock.so  authfail  audit  deny=3  unlock_time=600
auth   requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth   required      pam_deny.so

For more information, see the pam_faillock and faillock man pages.

# man pam_faillock
# man faillock 

That’s all! In this article, we showed how to enforce simple server security by locking a user’s account after a given number of incorrect logins or failed authentication attempts. Use the comment form below to share your queries or thoughts with us.


Aaron Kili

Aaron Kili is a Linux and F.O.S.S enthusiast, an upcoming Linux SysAdmin, web developer, and currently a content creator for TecMint who loves working with computers and strongly believes in sharing knowledge.

12 Responses

  1. bread of wakanda says:

    What if I have a user who keeps entering the wrong password and keeps getting locked, and every single day I have to unlock him? Is there any way I can keep that specific user out of the PAM policy so that he never gets locked but others can get locked?

  2. Akio Crimson says:

    Thanks for this info. I had to come up with something because when I logged in today, it said there were 43,945 failed login attempts to root. So clearly someone set up a server in china to try to brute force their way in. I set the unlock_time in mine to 24 hours after 2 failed attempts.

  3. shuja says:

    @josh and ravi, can you please tell me how to make this lock option permanent so that a reboot does not clear the lock? Also, please let me know how I can apply this policy on 100 servers easily.

  4. Josh says:

    The following will lock a user account forever. You can read the manual. I checked this on an account and the account is still locked. A reboot clears the lock.

    unlock_time=never
    
  5. shuja says:

    @ravi

    My objective is that a user account should be locked for an infinite duration after 3 unsuccessful attempts. How can I meet this objective?

    Thanks in advance

    • Ravi Saive says:

      @Shuja,

      Then add the following configuration to lock a user for infinite time (specify higher time for the unlock_time=300).

      #%PAM-1.0
      # This file is auto-generated.
      # User changes will be destroyed the next time authconfig is run.
      auth        required      pam_env.so
      auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=300
      auth        sufficient    pam_fprintd.so
      auth        sufficient    pam_unix.so nullok try_first_pass
      auth        [default=die]  pam_faillock.so  authfail  audit  deny=3  unlock_time=300
      auth        requisite     pam_succeed_if.so uid >= 1000 quiet
      auth        required      pam_deny.so
      
  6. shuja says:

    Will this be configurable in RHEL 7?

    • Ravi Saive says:

      @Shuja,

      Yes, you can lock user accounts in the RHEL distribution also using these instructions.

      • shuja says:

        Thanks, Ravi. I did it and it’s working, but when I run passwd -S the output doesn’t say the user account is locked, though I can see a faillock entry for the user. Secondly, I want to lock the user for an infinite time and unlock it manually.

        How can i do that?

        • Ravi Saive says:

          @Shuja,

          To lock an account in Linux permanently, use the following command.

          # passwd -l ravi
          

          To unlock an account manually, use the following command.

          # passwd -u ravi
          
  7. Josh Roden says:

    Hi,

    In the file it says:

    "This file is auto-generated.
    User changes will be destroyed the next time authconfig is run."
    

    Is there a way to make these changes persistent?
