The pam_tally2 module, once used to lock user accounts after a certain number of failed SSH login attempts, has been deprecated and replaced by pam_faillock in RHEL-based distributions and other modern Linux distributions, because pam_faillock offers more flexibility and more security options.
Previously, the pam_tally2 module was responsible for counting failed login attempts and locking accounts. As part of security improvements, pam_faillock has become the standard for managing failed login attempts in newer Linux versions, providing better integration and more configuration options.
Transition from pam_tally2 to pam_faillock
While pam_tally2 consisted of two parts, the pam_tally2.so module and the pam_tally2 command, it has been phased out in favor of pam_faillock, which is designed to handle login attempts in a more secure and flexible way.
pam_faillock offers similar functionality but with improvements such as:
- Enhanced logging and reporting of failed attempts.
- Better handling of account lockout policies.
- Support for configurable limits on failed login attempts and automatic account unlocking after a timeout.
This article demonstrates how to configure SSH account lockouts using the pam_faillock module after a certain number of failed login attempts.
How to Lock and Unlock User Accounts with pam_faillock
Open both PAM configuration files, /etc/pam.d/password-auth and /etc/pam.d/sshd, depending on your system and the service you're configuring.
sudo vi /etc/pam.d/password-auth
sudo vi /etc/pam.d/sshd
Add the following lines to the beginning of the auth section to configure failed login attempt policies:
auth required pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=1200
auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=1200
Add the following line to the account section to enable account management for login failures:
account required pam_faillock.so
Explanation of Parameters:
- deny=3: Deny access after 3 failed attempts.
- even_deny_root: Apply the policy to the root user as well.
- unlock_time=1200: Automatically unlock the account after 20 minutes (1200 seconds). Remove this option if you want the account to remain locked until manually reset.
- audit: Logs failed login attempts to the system audit log.
Now open the /etc/security/faillock.conf file and specify how many failed attempts will trigger a lockout and the duration of the lockout period. Note that options given directly on the pam_faillock.so lines in the PAM files override the values in this file, so keep the two consistent.
# Number of allowed failures before lockout
deny = 5
# Lockout duration in seconds
unlock_time = 15
# Path to the faillock database (the option is named dir)
# Optional: You can specify where to store faillock information
# dir = /var/lib/faillock
Next, open the /etc/ssh/sshd_config file and enable the following setting to use PAM for SSH authentication.
UsePAM yes
To apply the changes, restart the SSH service:
sudo systemctl restart sshd
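As an added check that is not part of the article: a small POSIX shell function that verifies a PAM service file (such as /etc/pam.d/password-auth) wires pam_faillock the way pam_faillock(8) requires, with preauth before pam_unix.so in the auth section, authfail after it, and a pam_faillock.so line in the account section. The two sample files it runs on are constructed here, not taken from a real system.

```shell
# Added example, not part of the article: check that a PAM service file
# (e.g. /etc/pam.d/password-auth) wires pam_faillock in the order that
# pam_faillock(8) requires: "preauth" before pam_unix.so in the auth
# section, "authfail" after it, and a pam_faillock.so line in "account".

# first_match FILE REGEX -> line number of the first matching line, or 0
first_match() {
    n=$(grep -n -E "$2" "$1" | head -n 1 | cut -d: -f1 || true)
    echo "${n:-0}"
}

# check_faillock_stack FILE -> exit 0 if complete and ordered, else report and exit 1
check_faillock_stack() {
    f="$1"; status=0
    pre=$(first_match "$f" '^auth[[:space:]].*pam_faillock\.so[[:space:]].*preauth')
    unix_line=$(first_match "$f" '^auth[[:space:]].*pam_unix\.so')
    fail=$(first_match "$f" '^auth[[:space:]].*pam_faillock\.so[[:space:]].*authfail')
    acct=$(first_match "$f" '^account[[:space:]].*pam_faillock\.so')
    [ "$pre" -gt 0 ]  || { echo "$f: no pam_faillock.so preauth line"; status=1; }
    [ "$fail" -gt 0 ] || { echo "$f: no pam_faillock.so authfail line"; status=1; }
    [ "$acct" -gt 0 ] || { echo "$f: no pam_faillock.so line in account section"; status=1; }
    if [ "$pre" -gt 0 ] && [ "$unix_line" -gt 0 ] && [ "$pre" -gt "$unix_line" ]; then
        echo "$f: preauth (line $pre) must come before pam_unix.so (line $unix_line)"; status=1
    fi
    if [ "$fail" -gt 0 ] && [ "$unix_line" -gt 0 ] && [ "$fail" -lt "$unix_line" ]; then
        echo "$f: authfail (line $fail) must come after pam_unix.so (line $unix_line)"; status=1
    fi
    return "$status"
}

# Constructed sample files for a stand-alone run (not real system files).
good=$(mktemp); bad=$(mktemp)
cat > "$good" <<'EOF'
auth        required      pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=1200
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=1200
account     required      pam_faillock.so
account     required      pam_unix.so
EOF
cat > "$bad" <<'EOF'
auth        required      pam_faillock.so preauth silent audit deny=3
auth        [default=die] pam_faillock.so authfail audit deny=3
auth        sufficient    pam_unix.so nullok try_first_pass
account     required      pam_unix.so
EOF
check_faillock_stack "$good" && echo "$good: OK"
check_faillock_stack "$bad" || echo "$bad: problems found"
rm -f "$good" "$bad"
```

Run it against your real password-auth and sshd files after editing them; a non-zero exit means the stack will not count or lock as intended.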
How to Test SSH Account Lockout Functionality
After saving the above configuration, you can test the login lockout mechanism by making 3 failed login attempts to the SSH server.
ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Account locked due to 3 failed logins
How to Check User SSH Login Failures
To check the failed login attempts for a specific user, use the following command:
sudo faillock --user username
Example output:
Login    Failures    Latest failure        From
user     3           10/17/2024 14:15      192.168.0.5
How to Reset or Unlock a User Account
To reset the failed attempts and unlock the user account, use the following command:
sudo faillock --user username --reset
This command clears the failed attempt count and unlocks the user.
Verifying User Account is Unlocked
You can confirm that the account is unlocked by running the faillock command again:
sudo faillock --user username
If there are no failed login attempts, the output will be empty, indicating that the user account is unlocked.
Conclusion
In conclusion, the pam_faillock module provides an improved and more secure way to manage failed login attempts, replacing the now-deprecated pam_tally2. Make sure to update your PAM configuration files to use pam_faillock to stay current with best practices and security standards.
For more information, consult the pam_faillock manual page from the command line:
man pam_faillock
I have a requirement that I need to add 2 new users in RHEL 7.x. For the first 60 days only they need sudo/privileged access, and after that standard user access is enough. How to fulfill the same?
This worked like a charm to unlock a locked account due to excessive failed logons!
However in a RHEL 5.11 server pam_tally2 seems not working well as pam_tally does, which means I have to use pam_tally to unlock such an account.
This saved me yesterday in a critical situation :)
Hey,
I don't have a password-auth file in the box. Can I update system-auth?
@Garima,
How is that possible? Every Linux distro must have a password-auth file. May I know which Linux distribution you're using? Or else please check that the /etc/pam.d/ directory exists on the server with all PAM configuration files.
Hey,
I have a system-auth file instead of password-auth. But the commands mentioned above are not working.
Any pointers to that? I am using RHEL 5.4.
Hi,
Any idea why the changes are not seen when I have updated the file?
@Garima,
Sorry, no idea about the system-auth file as you're using an older version of RHEL. I never worked on RHEL 5, so you should follow this guide; it might be helpful to you.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/Configuration_Options-PAM_Configuration_Options.html
I thought I was going crazy! My password was not locked in /etc/shadow and I was sure I was entering the right password. Thanks!
Thanks, it works for me
Thanks, it works in 6.5.
I appreciate the information! It really helped with configuring the account lock. I'm curious how you were able to configure the lockout message, however.
Account locked due to 4 failed logins
Unlike the above, I’m getting the standard “Access Denied” error.
very nice…
It helps my team a lot….
On our setup on RHEL 6.4, though the account gets locked, the message is not informative. It is just showing the error message "access denied".
I have the same problem. It will lock the account successfully, however it will not provide information on this to the user. Were you able to figure out how to set the access denied error to something more like:
Account locked due to 4 failed logins
Thanks :) it worked.
On RHEL 6.4 it is counting failures, but never locks.
I haven't tried it out in 6.4; will try and update you.
On my setup it works on RHEL 6.4. The count of failed login attempts is done OK, it resets itself if the user succeeds before account lockdown, and the account locks itself if the fail count reaches the max deny count.
The only thing I can't manage to do for now is to have the reason for the login denial printed (like it is shown in the article).
Can you post your setup? I have basically copy-pasted what is written in the article and everything works as described except locking the account.
Let me check again why the locking is not working on accounts. Will update the article.
Can you say "denial of service"? I am sure you can. Can you say "automated denial of service", meaning that the unlock provision is completely useless? I am sure you can too.
If you are worried about brute-force password cracking, the way to go is:
1) Long, hard to guess password
2) Setting alerts about failed logins and ensuring they are not lost in “noise”
3) Port knocking