How to: Configure Linux to track and log failed login attempt records

Posted by Vivek Gite [Last updated: May 30, 2008]

Under Linux you can use the faillog command to display faillog records or to set login failure limits. faillog formats the contents of the failure log from the /var/log/faillog database / log file. It can also be used to maintain failure counters and limits. Run faillog without arguments to display faillog records only for users who have ever had a login failure.

PAM Settings

I found that under RHEL / CentOS Linux 5.x, you need to modify /etc/pam.d/system-auth file. You need to configure PAM module pam_tally.so. Otherwise faillog command will never display failed login attempts.

PAM Configuration to record failed login attempts

The pam_tally.so module maintains a count of attempted accesses, can reset the count on success, and can deny access if too many attempts fail.
Open the /etc/pam.d/system-auth file:

# vi /etc/pam.d/system-auth
Append the following two pam_tally.so entries:
auth required pam_tally.so no_magic_root
account required pam_tally.so deny=3 no_magic_root lock_time=180

Where,

Save and close the file.

How do I display all failed login attempts for user vivek?

You need to use the faillog command to display faillog records:
# faillog -u vivek

Login       Failures Maximum Latest                   On
vivek           3        0   12/19/07 14:12:53 -0600  64.11.xx.yy

Display faillog records for all users.

Use the -a option:
# faillog -a
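
The report format shown above can be filtered to list only the accounts whose failure count has reached the deny=3 limit from the PAM configuration. This is an added example, not part of the original article; the function names flag_locked and sample_faillog and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: list accounts whose failure count in faillog output
# has reached the pam_tally deny= limit (deny=3 in the configuration above).

# flag_locked THRESHOLD
# Reads faillog output on stdin and prints "user failures source"
# for every account with failures >= THRESHOLD.
flag_locked() {
    awk -v limit="$1" '
        # Skip the header row, blank lines and anything malformed:
        # a data row always has a numeric Failures column.
        NF < 2 || $2 !~ /^[0-9]+$/ { next }
        $2 + 0 >= limit + 0 {
            # Columns: Login Failures Maximum Date Time TZ On
            src = (NF >= 7) ? $7 : "-"
            printf "%s %d %s\n", $1, $2, src
        }'
}

# Constructed sample in the format shown above (not real log data).
sample_faillog() {
    cat <<'EOF'
Login       Failures Maximum Latest                   On
vivek           3        0   12/19/07 14:12:53 -0600  192.0.2.10
alice           1        0   12/19/07 09:01:17 -0600  tty1
backup          7        0   12/20/07 02:44:05 -0600  198.51.100.23
EOF
}

# Stand-alone run on the sample; on a live system use:
#   faillog -a | flag_locked 3
sample_faillog | flag_locked 3
```

Run it before the weekly counter reset so that accounts at the limit are reviewed rather than silently cleared.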

How do I reset the counters of login failures?

The -r option can reset the counters of login failures or one record if used with the -u USERNAME option:
# faillog -r
# faillog -r -u vivek <-- only reset counter for vivek user

On a large Linux login server, such as at a university or government research facility, one might find it useful to clear all counts every midnight or every week from a cron job.
# crontab -e
Reset the failed login counters every week:
@weekly /usr/bin/faillog -r
Save and close the file.

Recommended readings:

=> Read the pam_tally, faillog and pam man pages:
$ man pam_tally
$ man tally
$ man faillog

=> The Linux-PAM System Administrators Guide


Discussion on This Article:

  1. Atanu Banerjee Says:

    How to enable the same setting in SuSE Linux environment?

  2. Vasudeva Says:

    lock_time & unlock_time options are not working on redhat 4 (2.6.9-55.0.2.ELsmp). I am getting the error message "pam_tally: unknown option; unlock_time=100" and "pam_tally: unknown option; lock_time=120". We have pam version: pam-0.77-66.21. Does this version support lock_time & unlock_time options?

  3. vijay mane Says:

    One of the best sites, where a person like me can get a lot of knowledge.

  4. Vasudeva Says:

    Can we exclude PAM modules for certain groups? This is for a particular application group that needs to disable PAM modules.


Copyright © 2004-2008 nixCraft. All rights reserved - TOS/Disclaimer - Privacy policy - Sitemap - Powered by Open source software.