Under the Linux operating system you can use the faillog command to display faillog records or to set login failure limits. The faillog command displays the contents of the failure log from the /var/log/faillog database file. It can also be used to maintain failure counters and limits. If you run the faillog command without arguments, it will display only the list of users who have ever had a login failure.
PAM Settings
I found that under RHEL / CentOS Linux 5.x you need to modify the /etc/pam.d/system-auth file and configure the pam_tally.so PAM module. Otherwise the faillog command will never display failed login attempts.
PAM Configuration To Record Failed Login Attempts
The pam_tally.so module maintains a count of attempted accesses, can reset the count on success, and can deny access if too many attempts fail. Edit the /etc/pam.d/system-auth file, enter:
# vi /etc/pam.d/system-auth
Modify as follows:
auth required pam_tally.so no_magic_root
account required pam_tally.so deny=3 no_magic_root lock_time=180
Where,
- deny=3 : Deny access if the tally for this user exceeds 3 attempts.
- lock_time=180 : Always deny for 180 seconds after a failed attempt. There is also an unlock_time=n option, which allows access n seconds after a failed attempt. If this option is used, the user will be locked out for the specified amount of time after exceeding the maximum allowed attempts. Otherwise the account is locked until the lock is removed by manual intervention of the system administrator.
- magic_root : If the module is invoked by a user with uid=0, the counter is not incremented. The sys-admin should use this for user-launched services, like su; otherwise this argument should be omitted.
- no_magic_root : Avoid root account locking if the module is invoked by a user with uid=0.
Save and close the file.
How Do I Display All Failed Login Attempts For a User Called vivek?
Type the command as follows:
# faillog -u vivek
Login       Failures Maximum Latest                   On
vivek              3       0 12/19/07 14:12:53 -0600  64.11.xx.yy
Task: Show Faillog Records For All Users
Type the following command with the -a option:
# faillog -a
Task: Lock Account
To lock the account of user vivek for 180 seconds after a failed login, enter:
# faillog -l 180 -u vivek
To apply the same 180-second lock to all users (no -u option), enter:
# faillog -l 180
Task: Set Maximum Number of Login Failures
The -m option allows you to set the maximum number of login failures after which the account is disabled to a specific number called MAX. Selecting a MAX value of 0 has the effect of not placing a limit on the number of failed logins. The maximum failure count should always be 0 for root to prevent a denial of service attack against the system:
# faillog -m MAX -u username
# faillog -m 10 -u vivek
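The faillog listing shown above for vivek, and the rule that root's maximum must stay at 0, are easy to check across all accounts with a short script. The following is an added example, not code from the original article: it audits a faillog(8) listing in the column layout the article shows. The listing it works on is constructed for the example; on a real host you would pass it "$(faillog -a)" instead.

```shell
#!/bin/sh
# Constructed sample of `faillog -a` output (not captured from a real host),
# in the same column layout the article shows for `faillog -u vivek`.
SAMPLE_FAILLOG='Login       Failures Maximum Latest                   On
root            2       0   01/05/08 09:10:11 -0600  10.0.0.5
vivek           3       0   12/19/07 14:12:53 -0600  64.11.xx.yy
alice           5       3   12/20/07 08:01:02 -0600  192.0.2.7
bob             1       3   12/20/07 08:05:00 -0600
carol           0       3'

# faillog_audit LISTING
# Prints one line per account: "<login> <failures>/<maximum> <state>"
#   UNLIMITED  maximum is 0, i.e. no limit (the value the article wants for root)
#   LOCKED     the failure count has reached the maximum
#   OK         below the maximum
# and a final "WARNING root maximum=N" line if root has a non-zero maximum,
# because a bounded root tally lets remote failures lock root out.
faillog_audit() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                     # skip the column header
        {
            login = $1; fails = $2 + 0; max = $3 + 0
            if (max == 0)          state = "UNLIMITED"
            else if (fails >= max) state = "LOCKED"
            else                   state = "OK"
            printf "%s %d/%d %s\n", login, fails, max, state
            if (login == "root" && max != 0)
                warn = "WARNING root maximum=" max
        }
        END { if (warn != "") print warn }'
}

# faillog_locked LISTING: only the logins that have hit their limit,
# i.e. the accounts an admin would clear with `faillog -r -u LOGIN`.
faillog_locked() {
    faillog_audit "$1" | awk '$3 == "LOCKED" { print $1 }'
}

faillog_audit "$SAMPLE_FAILLOG"
```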
How do I Reset The Counters Of Login Failures?
The -r option resets the counters of login failures for all users, or for one record if used with the -u USERNAME option:
# faillog -r
To reset the counter for user vivek, enter:
# faillog -r -u vivek
On a large Linux login server, such as at a university or government research facility, one might find it useful to clear all counts every midnight or every week from a cron job:
# crontab -e
Reset failed login records every week:
@weekly /usr/bin/faillog -r
Save and close the file.
Recommended readings:
=> Read the pam_tally, faillog and pam man pages:
$ man pam_tally
$ man pam
$ man faillog
See also: The Linux-PAM System Administrators Guide
13 comments:
How to enable the same setting in SuSE Linux environment?
lock_time & unlock_time options are not working on redhat 4 (2.6.9-55.0.2.ELsmp). I am getting the error messages "pam_tally: unknown option; unlock_time=100" and "pam_tally: unknown option; lock_time=120". We have pam version: pam-0.77-66.21. Does this version support the lock_time & unlock_time options?
one of the best sites where a person like me can get a lot of knowledge
Exactly
Can we exclude PAM modules for certain groups? This is for some particular application group that needs to disable PAM modules.
At least for CentOS 5 the only valid options for the account phase are magic_root and no_reset; all others should be in the auth phase.
Hi, I tried this to add an account lockout policy in rhel 5.0 but this is not working.
I went to the /etc/pam.d/system-auth file and added both lines to it:
auth required pam_tally.so no_magic_root
account required pam_tally.so deny=3 no_magic_root lock_time=180
after that I checked faillog -u lalit (username)
it shows faillog, but when I tried to check whether it locks the account or not, it is not working
if you have any other way then please help me ..
Anyone have any idea why CentOS 5.2 would take every login as a failure when setting up for lockout after X failed attempts?
very good
good ……………. :)
all of the above is not working
The following worked for me:
if you're using pam_tally use
pam_tally --reset --user
If you’re using pam_tally2, which is typical in rhel6 use
pam_tally2 -r -u
$ vi /etc/pam.d/system-auth
My file doesn't contain the mentioned lines:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass nullok
#auth sufficient pam_plesk.so try_first_pass
auth required pam_deny.so
account required pam_unix.so
password required pam_cracklib.so try_first_pass retry=3
#password optional pam_plesk.so try_first_pass
password sufficient pam_unix.so try_first_pass use_authtok nullok md5
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so