This guide will show how to lock a system user’s account after a specifiable number of failed login attempts in CentOS, RHEL and Fedora distributions. Here, the focus is to enforce simple server security by locking a user’s account after consecutive number of unsuccessful authentications.
Read Also: Use Pam_Tally2 to Lock and Unlock SSH Failed Login Attempts
This can be achieved by using the pam_faillock module which helps to temporary lock user accounts in case of multiple failed authentication attempts and keeps a record of this event. Failed login attempts are stored into per-user files in the tally directory which is /var/run/faillock/ by default.
pam_faillock is part of Linux PAM (Pluggable Authentication Modules), a dynamic mechanism for implementing authentication services in applications and various system services which we briefly explained under configuring PAM to audit user login shell activity.
How to Lock User Accounts After Consecutive Failed Authentications
You can configure the above functionality in the /etc/pam.d/system-auth and /etc/pam.d/password-auth files, by adding the entries below to the auth section.
auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600 auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
Where:
audit– enables user auditing.deny– used to define the number of attempts (3 in this case), after which the user account should be locked.unlock_time– sets the time (300 seconds = 5 minutes) for which the account should remain locked.
Note that the order of these lines is very important, wrong configurations can cause all user accounts to be locked.
The auth section in both files should have the content below arranged in this order:
auth required pam_env.so auth required pam_faillock.so preauth silent audit deny=3 unlock_time=300 auth sufficient pam_unix.so nullok try_first_pass auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=300 auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth required pam_deny.so
Now open these two files with your choice of editor.
# vi /etc/pam.d/system-auth # vi /etc/pam.d/password-auth
The default entries in auth section both files looks like this.
#%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_fprintd.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet auth required pam_deny.so
After adding the above settings, it should appear as follows.
#%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth required pam_faillock.so preauth silent audit deny=3 unlock_time=300 auth sufficient pam_fprintd.so auth sufficient pam_unix.so nullok try_first_pass auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=300 auth requisite pam_succeed_if.so uid >= 1000 quiet auth required pam_deny.so
Then add the following highlighted entry to the account section in both of the above files.
account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account required pam_permit.so account required pam_faillock.so
How to Lock Root Account After Failed Login Attempts
To lock the root account after failed authentication attempts, add the even_deny_root option to the lines in both files in the auth section like this.
auth required pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=300 auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=300
Once you have configured everything. You can restart remote access services like sshd, for the above policy to take effect that is if users will employ ssh to connect to the server.
# systemctl restart sshd [On SystemD] # service sshd restart [On SysVInit]
How to Test SSH User Failed Login Attempts
From the above settings, we configured the system to lock a user’s account after 3 failed authentication attempts.
In this scenario, the user tecmint is trying to switch to user aaronkilik, but after 3 incorrect logins because of a wrong password, indicated by the “Permission denied” message, the user aaronkilik’s account is locked as shown by “authentication failure” message from the fourth attempt.
The root user is also notified of the failed login attempts on the system, as shown in the screen shot below.
How to View Failed Authentication Attempts
You can see all failed authentication logs using the faillock utility, which is used to display and modify the authentication failure log.
You can view failed login attempts for a particular user like this.
# faillock --user aaronkilik
To view all unsuccessful login attempts, run faillock without any argument like so:
# faillock
To clear a user’s authentication failure logs, run this command.
# faillock --user aaronkilik --reset OR # fail --reset #clears all authentication failure records
Lastly, to tell the system not to lock a user or user’s accounts after several unsuccessful login attempts, add the entry marked in red color, just above where pam_faillock is first called under the auth section in both files (/etc/pam.d/system-auth and /etc/pam.d/password-auth) as follows.
Simply add full colon separated usernames to the option user in.
auth required pam_env.so auth [success=1 default=ignore] pam_succeed_if.so user in tecmint:aaronkilik auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600 auth sufficient pam_unix.so nullok try_first_pass auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600 auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth required pam_deny.so
For more information, see the pam_faillock and faillock man pages.
# man pam_faillock # man faillock
You might also like to read these following useful articles:
- TMOUT – Auto Logout Linux Shell When There Isn’t Any Activity
- Single User Mode: Resetting/Recovering Forgotten Root User Account Password
- 5 Best Practices to Secure and Protect SSH Server
- How to Get Root and User SSH Login Email Alerts
That’s all! In this article, we showed how to enforce simple server security by locking a user’s account after x number of incorrect logins or failed authentication attempts. Use the comment form below to share your queries or thoughts with us.
what if i have a user who keeps entering the wrong password and keeps getting locked and every single day i have to unlock him .. is there any way by which i can keep that specific user out of pam policy so that he never gets locked but others can get locked?
Thanks for this info. I had to come up with something because when I logged in today, it said there were 43,945 failed login attempts to root. So clearly someone set up a server in china to try to brute force their way in. I set the unlock_time in mine to 24 hours after 2 failed attempts.
@josh and ravi can you please tell how to make this lock option permanent so that reboot should not clear the lock also please let me know how can i apply this policy on 100 servers easily.
The following will lock a user account forever. You can read the manual. I checked this and it on an account and the account is still locked. A reboot clears the lock.
@Josh
Many thanks for sharing this, will read more about this, and also find out how to make the setting persistent even after a reboot.
@ravi
My objective is user account should be locked for infinite duration after 3 unsuccessful attempts. How to meet this objective
Thanks in advance
@Shuja,
Then add the following configuration to lock a user for infinite time (specify higher time for the unlock_time=300).
will this configurable in RHEL 7?
@Shuja,
Yes, you can lock user accounts in RHEL distribution also using these instructions..
Thanks, Ravi I did it it’s working, but wen I run the
passwd -Sthe output doesn’t say user account is locked but I can see failock entry for the user, secondly I want to lock the user for infinite time and unlock it manually.How can i do that?
@Shuja,
To lock an account in Linux permanently, use the following command.
To unlock an account manually, use the following command.
Hi,
In the file it says:
Is there a way to make these changes persistent?