Under CentOS Linux you can lock a user account after a number of failed login attempts, which slows down online password guessing. You can also have the account unlock itself automatically after a set time.
pam_tally - login counter (tallying) module
This module maintains a count of attempted accesses, can reset the count on success, and can deny access if too many attempts fail.
/etc/pam.d/system-auth
Edit the /etc/pam.d/system-auth configuration file to set the limit on failed login attempts. Add the following line to the auth section of /etc/pam.d/system-auth. Put it before the `auth sufficient pam_unix.so` line, not at the end of the file: when a sufficient module succeeds, PAM stops processing the auth stack, so a pam_tally line placed after it is never reached on a correct password and never denies anything, even when the failure count is over the limit.
auth required pam_tally.so onerr=fail deny=5 unlock_time=21600
Where,
(a) deny=5 - Deny access once the failure tally for this user exceeds 5.
(b) unlock_time=21600 - Allow access again 21600 seconds (6 hours) after the last failed attempt. If this option is used, the user is locked out for the specified amount of time after exceeding the maximum allowed attempts. Otherwise the account stays locked until the lock is removed by manual intervention of the system administrator.
(c) onerr=fail - If something goes wrong (for example the tally file cannot be opened), return the corresponding PAM error code, which denies the login. With onerr=succeed the module returns PAM_SUCCESS instead. Use onerr=fail so that a broken or missing tally file does not silently disable the lockout.
By default the counts are kept in /var/log/faillog. Use the faillog command to view them (faillog -u username) or to clear a locked user (faillog -u username -r).
pam_tally is part of the Linux-PAM project, so the same configuration applies on most Linux distributions. Newer releases ship pam_tally2.so instead of, or alongside, pam_tally.so, so check that the module file exists under /lib/security or /lib64/security before relying on it; if only pam_tally2.so is present, use that module name with the same deny, unlock_time and onerr options.
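The placement rule above matters more than the options, so here is an added example (my own script, not from the original article or from Linux-PAM) that inserts the pam_tally line into a system-auth file before the first `auth ... pam_unix.so` entry and checks whether an existing pam_tally line sits after a `sufficient` module that would short-circuit it. The sample system-auth content is constructed here to look like a stock CentOS file; your real file may differ, so read it before running add_tally against it. Back the file up first and test from a second root shell so a mistake cannot lock you out.

```bash
#!/bin/bash
# Added example, not part of the original article: manage the pam_tally auth
# line in a pam.d file. Assumes the stock CentOS layout where pam_unix.so is
# the "sufficient" password module in the auth stack.
set -eu

TALLY_LINE='auth        required      pam_tally.so onerr=fail deny=5 unlock_time=21600'

# make_sample FILE: write a constructed copy of a typical CentOS system-auth
# auth section (assumption: your real file is similar; check it first).
make_sample() {
    cat > "$1" <<'EOF'
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
EOF
}

# tally_position FILE: print "ok" if the pam_tally/pam_tally2 auth line comes
# before the first "sufficient" auth module, "late" if it comes after one
# (it would never run on a correct password), or "missing" if absent.
tally_position() {
    awk '
        $1 == "auth" && $3 ~ /^pam_tally2?\.so$/ {
            print (seen_sufficient ? "late" : "ok"); found = 1; exit
        }
        $1 == "auth" && $2 == "sufficient" { seen_sufficient = 1 }
        END { if (!found) print "missing" }
    ' "$1"
}

# add_tally FILE: insert TALLY_LINE directly before the first
# "auth ... pam_unix.so" line, unless a pam_tally line already exists.
# Writes through the existing file so its mode and ownership are kept.
add_tally() {
    local f="$1" tmp
    [ "$(tally_position "$f")" = "missing" ] || return 0
    tmp=$(mktemp)
    awk -v line="$TALLY_LINE" '
        !done && $1 == "auth" && $3 == "pam_unix.so" { print line; done = 1 }
        { print }
    ' "$f" > "$tmp"
    cat "$tmp" > "$f"
    rm -f "$tmp"
}

# Usage on a scratch copy (never edit the live file without a backup):
#   make_sample /tmp/system-auth.test
#   add_tally   /tmp/system-auth.test
#   tally_position /tmp/system-auth.test   # prints "ok"
```

Run tally_position against the real /etc/pam.d/system-auth after any edit (including one made by authconfig) to confirm the line has not been pushed below pam_unix.so; a result of "late" reproduces the failure described in the comments, where attempts are counted but never denied.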
See also:
- man pages faillog, pam.conf, pam.d, pam, and pam_tally
- pam_tally - login counter (tallying) module documentation.
- CentOS Linux project
Comments:
From the top of /etc/pam.d/system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
Is there another place these options should be set so that authconfig does not clobber them? Right now, as a workaround, I am going to `chattr +i /etc/pam.d/system-auth`.
Thanks,
Aaron
Aaron C, Just edit this file and do not use authconfig.
It should be noted this will not affect ssh remote login. You should put it in the `sshd' pam config file for this.
“Append following AUTH configuration to /etc/pam.d/system-auth file”
This does not work. I have tested it. Even if the failures are recorded, login is not denied at all. The modules are tried in the order listed. You have to prepend it before any other 'auth' line to use it.
Another note, we should be using the newer pam_tally2.so module.
The pam_tally tool shows the number of bad attempts by a user using the /var/log/faillog database. After the lockout time expires, a correct login attempt clears the count. Can someone tell me if there is any way I can clear the tally automatically after the lockout time expires for a user?
I want to clear the tally automatically once the lockout time expires; I don't want to wait for the user to log in again with correct credentials.
Any help is highly appreciated.
Thanks
Before doing this have a quick look in /lib64/security and check that there is a pam_tally.so file in there as you may need to use pam_tally2.so instead.
If in doubt add the line:
auth sufficient pam_tally.so onerr=fail deny=5 unlock_time=21600
to the system-auth file instead, then su or log in and check /var/log/secure for error messages.
You can change the sufficient to required if PAM isn't reporting errors.
That should save you getting locked out of the root account…