The pam_tally2 module, once used to lock user accounts after a certain number of failed SSH login attempts, has been deprecated and replaced by pam_faillock in RHEL-based distributions and other modern Linux distributions, because pam_faillock offers more flexibility and more security options.
Previously, the pam_tally2 module was responsible for counting failed login attempts and locking accounts. As part of security improvements, pam_faillock has become the standard for managing failed login attempts in newer Linux versions, providing better integration and more configuration options.
Transition from pam_tally2 to pam_faillock
While pam_tally2 consisted of two parts, the pam_tally2.so module and the pam_tally2 command, it has been phased out in favor of pam_faillock, which is designed to handle login attempts in a more secure and flexible way.
pam_faillock offers similar functionality but with improvements such as:
- Enhanced logging and reporting of failed attempts.
- Better handling of account lockout policies.
- Support for configurable limits on failed login attempts and automatic account unlocking after a timeout.
This article demonstrates how to configure SSH account lockouts using the pam_faillock module after a certain number of failed login attempts.
How to Lock and Unlock User Accounts with pam_faillock
Open the PAM configuration files /etc/pam.d/password-auth and /etc/pam.d/sshd; which of them you need to edit depends on your distribution and on the service you are configuring.
sudo vi /etc/pam.d/password-auth
sudo vi /etc/pam.d/sshd
Add the following lines to the beginning of the auth section to configure failed login attempt policies:
# preauth: placed before the primary authentication module (e.g. pam_unix.so);
# it blocks users whose lockout is still active before a password is even checked
auth required pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=1200
# authfail: placed after the primary authentication module, so it only records real failures
auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=1200
Add the following line to the account section to enable account management for login failures:
account required pam_faillock.so
Explanation of Parameters:
- deny=3: Deny access after 3 failed attempts.
- even_deny_root: Apply the policy to the root user as well.
- unlock_time=1200: Automatically unlock the account after 20 minutes (1200 seconds). Remove this option if you want the account to remain locked until manually reset.
- audit: Logs failed login attempts to the system audit log.
Now open the /etc/security/faillock.conf file and specify how many failed attempts will trigger a lockout and the duration of the lockout period. Keep in mind that any option written on the pam_faillock.so module line in the pam.d files overrides the value from this file, so set each value in one place only.
# Number of allowed failures before lockout
deny = 5
# Lockout duration in seconds
unlock_time = 15
# Optional: directory where the failure records are kept (default /var/run/faillock)
# dir = /var/run/faillock
Next, open the /etc/ssh/sshd_config file and enable the following setting to use PAM for SSH authentication.
UsePAM yes
To apply the changes, restart the SSH service:
sudo systemctl restart sshd
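The configuration above spreads the lockout policy over two places, the module line in the pam.d files and /etc/security/faillock.conf, and pam_faillock gives the module line precedence. The following POSIX shell script is an added example (not part of the original article and not code from the pam_faillock project) that reports which deny and unlock_time values are actually in force and warns when a faillock.conf value is being shadowed. The sample files it writes are constructed to mirror the article's settings; the function names and the temporary file layout are this example's own assumptions.

```shell
#!/bin/sh
# Added example: report the pam_faillock lockout values that are actually in force.
# pam_faillock reads /etc/security/faillock.conf, but any option written on the
# module line in the pam.d file overrides the value from that file, so a mismatch
# between the two places silently leaves the pam.d value in charge.
# Function names and file layout are this example's own (hypothetical).

# Value of OPTION from the first pam_faillock.so auth line in PAMFILE, or empty.
module_line_value() {
    opt=$1; pamfile=$2
    grep -E '^[[:space:]]*auth[[:space:]].*pam_faillock\.so' "$pamfile" \
        | grep -oE "(^|[[:space:]])$opt=[^[:space:]]+" \
        | head -n 1 | sed "s/.*$opt=//"
}

# Value of OPTION from a faillock.conf-style file ("key = value", '#' comments ignored), or empty.
conf_file_value() {
    opt=$1; conf=$2
    sed -e 's/#.*//' "$conf" \
        | grep -E "^[[:space:]]*$opt[[:space:]]*=" \
        | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# Effective value plus its origin, e.g. "3 (pam.d module line)".
effective_faillock_option() {
    opt=$1; pamfile=$2; conf=$3
    mod=$(module_line_value "$opt" "$pamfile")
    cfg=$(conf_file_value "$opt" "$conf")
    if [ -n "$mod" ]; then
        printf '%s (pam.d module line)' "$mod"
    elif [ -n "$cfg" ]; then
        printf '%s (faillock.conf)' "$cfg"
    else
        printf 'built-in default'
    fi
}

# Write two sample files into DIR (constructed input mirroring the article's values).
write_sample_configs() {
    dir=$1
    cat > "$dir/password-auth" <<'EOF'
auth        required      pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=1200
auth        sufficient    pam_unix.so nullok
auth        [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=1200
account     required      pam_faillock.so
EOF
    cat > "$dir/faillock.conf" <<'EOF'
# Number of allowed failures before lockout
deny = 5
# Lockout duration in seconds
unlock_time = 15
EOF
}

# Print a short report and warn when a faillock.conf value is shadowed by the pam.d line.
faillock_policy_report() {
    pamfile=$1; conf=$2
    for opt in deny unlock_time; do
        printf '%-12s %s\n' "$opt" "$(effective_faillock_option "$opt" "$pamfile" "$conf")"
        mod=$(module_line_value "$opt" "$pamfile")
        cfg=$(conf_file_value "$opt" "$conf")
        if [ -n "$mod" ] && [ -n "$cfg" ] && [ "$mod" != "$cfg" ]; then
            printf '             WARNING: faillock.conf sets %s=%s but the pam.d line wins\n' "$opt" "$cfg"
        fi
    done
}

# Stand-alone run against the constructed sample files.
workdir=$(mktemp -d)
write_sample_configs "$workdir"
faillock_policy_report "$workdir/password-auth" "$workdir/faillock.conf"
rm -rf "$workdir"
```

On a real host, point faillock_policy_report at /etc/pam.d/password-auth (or the pam.d file for the service you are checking) and /etc/security/faillock.conf; with the article's settings it reports deny=3 and unlock_time=1200 from the module line and warns that the deny=5 and unlock_time=15 in faillock.conf are not in effect.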
How to Test SSH Account Lockout Functionality
After saving the above configuration, you can test the login lockout mechanism by making 3 failed login attempts to the SSH server.
ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Account locked due to 3 failed logins
How to Check User SSH Login Failures
To check the failed login attempts for a specific user, use the following command:
sudo faillock --user username
Example output:
Login   Failures   Latest failure      From
user    3          10/17/2024 14:15    192.168.0.5
How to Reset or Unlock a User Account
To reset the failed attempts and unlock the user account, use the following command:
sudo faillock --user username --reset
This command clears the failed attempt count and unlocks the user.
Verifying That the User Account Is Unlocked
You can confirm that the account is unlocked by running the faillock command again:
sudo faillock --user username
If there are no failed login attempts, the output will be empty, indicating that the user account is unlocked.
Conclusion
In conclusion, the pam_faillock module provides an improved and more secure way to manage failed login attempts, replacing the now-deprecated pam_tally2. Make sure to update your PAM configuration files to use pam_faillock to stay current with best practices and security standards.
For more information, read the pam_faillock manual page from the command line:
man pam_faillock