Lock user accounts if numbers of failed login attempts detected

This step-by-step guide walks you through configuring user account lockout after a predefined number of failed login attempts on Linux servers. This article applies to CentOS, Red Hat Enterprise Linux and Fedora distributions.

This is accomplished with the pam_faillock module, which temporarily locks a user account after a predefined number of consecutive failed login attempts and keeps a record of each such event. Failed login attempts are stored in per-user files in the /var/run/faillock/ directory by default.


Lock User Accounts if Multiple Failed Login Detected

These account lockout policies are set in the /etc/pam.d/system-auth and /etc/pam.d/password-auth files by adding the following entries to the auth section.

auth    required       pam_faillock.so preauth silent audit deny=5 unlock_time=600
auth    [default=die]  pam_faillock.so authfail audit deny=5 unlock_time=600

Explanation:

    audit        –   enables user auditing.
    deny         –   defines the number of attempts (5 in this case) after which the user account should be locked.
    unlock_time  –   sets the time (600 seconds = 10 minutes) for which the account should remain locked.

Note: The order of these lines is highly important; a bad configuration can lock out all user accounts.

The auth section in both files should have the following contents arranged in this order:

auth  required      pam_env.so
auth  required      pam_faillock.so preauth silent audit deny=5 unlock_time=600
auth  sufficient    pam_unix.so  nullok  try_first_pass
auth  [default=die] pam_faillock.so  authfail  audit  deny=5  unlock_time=600
auth  requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth  required      pam_deny.so

Now you need to edit these two files.

# vi /etc/pam.d/system-auth
# vi /etc/pam.d/password-auth

The default entries in the auth section of both files will look similar to the following.

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet
auth        required      pam_deny.so

After adding the above settings, the auth section should appear as follows.

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth    required      pam_env.so
auth    required      pam_faillock.so preauth silent audit deny=5 unlock_time=600
auth    sufficient    pam_fprintd.so
auth    sufficient    pam_unix.so nullok try_first_pass
auth    [default=die]  pam_faillock.so  authfail  audit  deny=5  unlock_time=600
auth    requisite     pam_succeed_if.so uid >= 1000 quiet
auth    required      pam_deny.so

Then add the following entry (the last line, pam_faillock.so) to the account section of both of the above files.

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
account     required      pam_faillock.so
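Because a mis-ordered stack can lock everyone out, it is worth checking the two files before you log out of your editing session. The following script is an added example, not part of the original article: it audits a PAM stack file for the ordering described above (preauth before pam_unix.so, authfail after it, pam_faillock.so present in the account section, and the same deny= value on both lines). The two sample stacks it writes to temporary files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): audit a PAM stack file such as
# /etc/pam.d/system-auth for the pam_faillock ordering described above.
# check_faillock_stack FILE returns 0 if correct, else prints problems and returns 1.
first_line_of() {   # first_line_of REGEX FILE -> line number, or "" if absent
    grep -n "$1" "$2" | head -n 1 | cut -d: -f1
}
deny_on_line() {    # deny_on_line LINENO FILE -> "deny=N" found on that line
    [ -z "$1" ] && return 0
    sed -n "${1}s/.*\(deny=[0-9]*\).*/\1/p" "$2"
}
check_faillock_stack() {
    f="$1"; rc=0
    pre=$(first_line_of '^auth.*pam_faillock\.so.*preauth' "$f")
    unx=$(first_line_of '^auth.*pam_unix\.so' "$f")
    fail=$(first_line_of '^auth.*pam_faillock\.so.*authfail' "$f")
    acct=$(first_line_of '^account.*pam_faillock\.so' "$f")
    [ -n "$pre" ]  || { echo "$f: no preauth line in auth section"; rc=1; }
    [ -n "$fail" ] || { echo "$f: no authfail line in auth section"; rc=1; }
    [ -n "$acct" ] || { echo "$f: pam_faillock.so missing from account section"; rc=1; }
    # Required ordering: preauth before pam_unix.so, authfail after it.
    if [ -n "$pre" ] && [ -n "$unx" ] && [ "$pre" -gt "$unx" ]; then
        echo "$f: preauth line must come before pam_unix.so"; rc=1
    fi
    if [ -n "$fail" ] && [ -n "$unx" ] && [ "$fail" -lt "$unx" ]; then
        echo "$f: authfail line must come after pam_unix.so"; rc=1
    fi
    # Both lines must carry the same deny= value or the threshold is ambiguous.
    d1=$(deny_on_line "$pre" "$f"); d2=$(deny_on_line "$fail" "$f")
    if [ -n "$pre" ] && [ -n "$fail" ] && [ "$d1" != "$d2" ]; then
        echo "$f: deny= differs between preauth ($d1) and authfail ($d2)"; rc=1
    fi
    return $rc
}
# Constructed sample stacks: one correct, one with authfail before pam_unix.so,
# a deny= mismatch and no account entry.
GOOD_STACK=$(mktemp); BAD_STACK=$(mktemp)
cat > "$GOOD_STACK" <<'EOF'
auth     required      pam_env.so
auth     required      pam_faillock.so preauth silent audit deny=5 unlock_time=600
auth     sufficient    pam_unix.so nullok try_first_pass
auth     [default=die] pam_faillock.so authfail audit deny=5 unlock_time=600
auth     required      pam_deny.so
account  required      pam_faillock.so
EOF
cat > "$BAD_STACK" <<'EOF'
auth     required      pam_faillock.so preauth silent audit deny=5 unlock_time=600
auth     [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
auth     sufficient    pam_unix.so nullok try_first_pass
EOF
check_faillock_stack "$BAD_STACK" || echo "$BAD_STACK: fix before logging out"
```

Run it against /etc/pam.d/system-auth and /etc/pam.d/password-auth by passing those paths to check_faillock_stack instead of the sample files.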


Lock Root Account if Failed Login Attempts Detected

If you also want the root account locked after multiple failed login attempts, add the even_deny_root option to both pam_faillock lines in the auth section of both files, as shown below.

auth    required    pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=600
auth    [default=die]    pam_faillock.so  authfail  audit  deny=3 even_deny_root unlock_time=600


When you are done with all of the above steps, restart remote access services such as SSH for the changes to take effect.

# systemctl restart sshd  [On SystemD]
# service sshd restart    [On SysVInit]


Test User Failed Login Attempts

To test the failed-login settings, log in to your Linux machine via SSH and enter a wrong password 5 times, since the system is configured to lock a user account after 5 failed login attempts. If all settings are defined correctly, the user will be locked out after 5 consecutive failed attempts.


Monitor Failed Authentication Attempts

You can monitor failed authentication attempts using the faillock command, which displays and modifies the authentication failure log.

Run the following command as root to view a particular user's failed login attempts.

# faillock --user username

To view all unsuccessful login attempts at once, run faillock without any arguments.

# faillock

To clear a particular user’s authentication failure logs, type the following command.

# faillock --user username --reset

To clear all failure logs at once, type the following command.

# faillock --reset

If you do not want a particular user's or users' accounts to be locked after multiple failed login attempts, add the following entry (the pam_succeed_if.so line) just above the first pam_faillock call in the auth section of both files (/etc/pam.d/system-auth and /etc/pam.d/password-auth), as shown below.

Give the user in option a colon-separated list of usernames.

auth   required      pam_env.so
auth   [success=1    default=ignore] pam_succeed_if.so user in jhon:peter
auth   required      pam_faillock.so preauth silent audit deny=5 unlock_time=600
auth   sufficient    pam_unix.so  nullok  try_first_pass
auth   [default=die] pam_faillock.so  authfail  audit  deny=5  unlock_time=600
auth   requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth   required      pam_deny.so


You are done.