Lock User Account After n Failed Login attempts in Linux
Abstract: [[email protected] ~]# vi /etc/pam.d/password-auth [[email protected] ~]# vi /etc/pam.d/system-auth After making changes in both the files[[email prot
Linux Server hardening is one of the important task for sysadmins when it comes to production servers. It is recommended that one should enable login or ssh attempts policy, means user’s account should be locked automatically after n numbers of failed (or incorrect) login or ssh attempts.
In Linux distribution like CentOS, RHEL and Fedora this is achieved by using pam module 「pam_faillock」 and for Debian like distributions, this can be achieved using 「pam_tally2」 pam module.
In this tutorial we will learn how to lock user accounts after n failed login attempts in CentOS , RHEL, Fedora, Debian & Ubuntu
For CentOS / RHEL / FedoraAdd the following lines in two files /etc/pam.d/password-auth & /etc/pam.d/system-auth,
auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600 auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600 account required pam_faillock.so
Where,
- Audit –> it will enable audit logs for user login attempt in secure log file
- Deny=3 –> it will lock the user after 3 unsuccessful login attempts, you can change this number as per your requirement
- unlock_time=600 –> it means user’s account will remain locked for 10 minutes (600 seconds), if you want user account to be locked forever then set this parameter as 「unlock_time=never「
Note: To lock root account as well after n incorrect logins, add 「even_deny_root」 parameter in auth section lines, example is shown below
auth required pam_faillock.so preauth silent audit even_deny_root deny=3 unlock_time=600 auth [default=die] pam_faillock.so authfail audit even_deny_root deny=3 unlock_time=600
As we can see above, we have two lines for auth section and one line for account section, order is very important while adding these lines to the files. Example is demonstrated below where these lines needs to be added,
[[email protected] ~]# vi /etc/pam.d/password-auth
[[email protected] ~]# vi /etc/pam.d/system-auth
After making changes in both the files, restart the ssh service using below systemctl command,
[[email protected] ~]# systemctl restart sshd
Let’s do the testing whether user account will be locked after three unsuccessful login attempts or not.
Let’s assume we have a local account with name 「pkumar「, we will try to ssh our Linux system with this account with incorrect passwords,
$ ssh [email protected] [email protected]'s password: [email protected]'s password: [email protected]'s password: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
Now view secure logs using tail command,
[[email protected] ~]# tail /var/log/secure
Above logs confirms that account has been locked after three incorrect login attempts, let’s verify from faillock command as well,
[[email protected] ~]# faillock --user pkumar pkumar: When Type Source Valid 2019-12-15 01:50:39 RHOST 192.168.29.157 V 2019-12-15 01:50:43 RHOST 192.168.29.157 V 2019-12-15 01:50:47 RHOST 192.168.29.157 V [[email protected] ~]#
To flush or clear these unsuccessful login attempts, execute the following faillock command,
[[email protected] ~]# faillock --user pkumar --reset [[email protected] ~]# faillock --user pkumar pkumar: When Type Source Valid [[email protected] ~]#
Let’s move to Debian like distribution (Ubuntu, Linux Mint and Debian)
For Debian, Ubuntu and Linux MintAdd the following line in the file 「/etc/pam.d/common-auth」,
auth required pam_tally2.so onerr=fail deny=3 unlock_time=600 audit
if you wish to lock root account as well after three incorrect logins then add the following line ,
auth required pam_tally2.so onerr=fail deny=3 unlock_time=600 audit even_deny_root root_unlock_time=600
Where:
- Onerr=fail –> In case of error issue a fail
- deny=3 –> After three unsuccessful login attempts account will be locked
- unlock_time=600 –> It means account will remain locked for 10 minutes or 600 seconds
- audit –> It means audit the logs in audit.log file
- even_deny_root –> Lock the root account after three incorrect logins
- root_unlock_time=600 –> Root account will remain locked for 10 minutes or 600 seconds after 3 unsuccessful login attempts
Let’s add above discuss line in file 「/etc/pam.d/common-auth」 using vi editor,
[email protected]:~$ sudo vi /etc/pam.d/common-auth
After making the above changes, save and exit the file and restart ssh service using following command,
[email protected]:~$ sudo systemctl restart sshd
Let’s test whether accounts are locked after 3 incorrect ssh logins,
Let’s assume we have a local 「devops」 user, we will try to ssh the Ubuntu system with incorrect passwords
$ ssh [email protected] [email protected]'s password: [email protected]'s password: d [email protected]'s password: Permission denied (publickey,password).
Now view auth log file to see whether incorrect login attempts are captured or not,
[email protected]:~$ tail /var/log/auth.log
Above logs confirms that account has been locked, let’s verify from pam_tally2 command,
[email protected]:~$ sudo pam_tally2 -u devops Login Failures Latest failure From devops 6 12/15/19 07:45:02 192.168.29.157 [email protected]:~$
To clear these unsuccessful login attempts use the following pam_tally2 command,
[email protected]:~$ sudo pam_tally2 -u devops --reset Login Failures Latest failure From devops 6 12/15/19 07:45:02 192.168.29.157 [email protected]:~$ [email protected]:~$ sudo pam_tally2 -u devops Login Failures Latest failure From devops 0 [email protected]:~$
That’s conclude the article, please don’t hesitate to share the feedback and comments.
Read Also : How to Enforce Password Policies in Linux (Ubuntu / CentOS)
