Ubuntu 20.04 – Release Date, New Features & More

Ubuntu 20.04 is the latest long-awaited LTS (Long Term Support) release of Ubuntu. This page will be regularly updated with 20.04’s new features, release date, and more information. Ubuntu 20.04’s Release Date and Schedule As per usual, Ubuntu’s LTS releases are released in April every 2 years. The number 20 comes from the year 2020 […]


from ThisHosting.Rocks…

Read More

20 ps Command Examples to Monitor Linux Processes

Monitoring your Linux system is on the most quintessential processes that any Linux user or a systems administrator needs to carry out round the clock to ensure the system is running smoothly and avoid bottle-necks. Linux ships with a few built-in tools that can help you monitor your system. One of these is the ps command that specifically monitors the running processes and among other metrics associated with the processes such as percentage CPU and memory utilization. The ps command reads the /proc filesystem found in virtual machines.

In this guide, we dive deeper and let you on 20 of the most commonly used ps commands.

1) Listing Process in the Shell

The simplest form of the ps command lists the running processes in the current shell. This can be illustrated below.

[[email protected] ~]$ ps
 PID TTY          TIME CMD
 1437 pts/0    00:00:00 bash
 1465 pts/0    00:00:00 ps
[[email protected] ~]$

Let’s define a few terms:

  • PID: This is the Process ID.
  • TTY: This refers to the terminal that started and is controlling the process.
  • TIME: This is the time / cumulative time that a process has run for.
  • CMD: Name of the command that started the process.

2) Listing processes associated with a terminal

This is much like the listing the processes in the shell. To list the processes associated with the terminal you are currently running, execute the command:

[[email protected] ~]$ ps -T
 1437  1437 pts/0    00:00:00 bash
13357 13357 pts/0    00:00:00 ps
[[email protected] ~]$

3) Displaying all the running processes on your system

To get an overview of all the running processes on your Linux system use the -A flag as shown:

[[email protected] ~]$ ps -A


Alternatively, you can also use the -e flag as shown. You’ll still get similar results.

[[email protected] ~]$ ps -e

4) Displaying output in BSD format

To list the processes in BSD format, run the command

$ ps -aux

Let’s break down the command:

The -a flag instructs ps to display all the processes from all the users. This, however, excludes the processes associated with a specific terminal.

The -u flag implies a user-oriented format. It provides more detailed information associated with the running processes.

The x flag lists processes that are usually started upon a system boot as well as background processes.



  • USER – This specifies the user running the process
  • PID – This is the Process ID of the process
  • %CPU – This it the percentage CPU usage of each process
  • %MEM – This is the % of the physical memory used up by the process
  • VSZ – This is the size of virtual memory of each process in kilobytes
  • RSS – This is the size/amount of physical memory being used by a process
  • STAT – This points to the process state code e.g S (sleeping) Z (zombie) and R (Running)
  • START – This is the time the process started running

5) Displaying output in UNIX format

If you wish to display the output in UNIX format , then execute  the ps command with a combination of -ef flags

[[email protected] ~]$ ps -ef

The -e flag tells the ps command to list all the processes

The -f flag (full format) instructs the …

Read More

How to Sync Time in Linux Server using Chrony

Time plays an important role in Linux servers specially when they are used in banking, stock markets and other financial sectors. If we want all our Linux servers should have the correct time, then we must configure some NTP client which will fetch correct time always from remote NTP Servers and if needed makes the required adjustments for syncing the time.

In this article we will demonstrate how we can sync time with NTP servers in Linux Server using Chrony (NTP Client).

Install Chrony on CentOS / RHEL / Fedora System

To Install Chrony on  CentOS, RHEL and Fedora System, execute the following yum or dnf commad

~]# yum install chrony -y
~]# dnf install chrony -y

Install Chrony on Debian / Ubuntu System

To install Chrony on Debian and Ubuntu Systems, run the following apt command,

~]$ sudo apt install chrony -y

Once the chrony is installed on Linux server then it offers two programs,

  • chronyc : It is command line interface of chrony
  • chronyd : It is daemon for chrony which start and enable chrony service across the reboot.

Configuration File of Chrony

Configuration file for Chrony is “/etc/chrony.conf” , sample chrony.conf file is listed below,

~]# cat  /etc/chrony.conf



  • pool iburst is the remote NTP server from where chrony will fetch the time.
  • driftfile /var/lib/chrony/drift is the drift file which contains drift data
  • makestep 1.0 3 is the parameter which will step system clock (speedup or slow down) if adjustment is larger than 1 second but only for first 3 clock updates
  • keyfile /etc/chrony.keys as the name suggest this file contains keys for NTP authentication.
  • logdir /var/log/chrony , it is the log file which logs of Chrony.

Testing Chrony

Just like ntpdate command in NTP distribution, we can use chronyd to sync time of our Linux server with remote NTP server manually,

Syntax: # chronyd -q ‘server {ntp_server_name} iburst’


~]# chronyd -q 'server iburst'


As we can see in above output, chrony has corrected the system time, before running the chronyd command system time was almost 2 hours behind from accurate time.

Start and Enabled Chronyd Service

Run the following commands to start and enable chronyd daemon so that it will be available across the reboots.

~]# systemctl start chronyd

~]# systemctl enable chronyd

Run the beneath command to verify the chronys service status

~]# systemctl enable chronyd


Verify and Track Chrony Synchronization

To verify whether your system’s time is synchronized using chrony, issue the following command,

[[email protected] ~]# chronyc tracking
Reference ID    : 904C13DD (
Stratum         : 3
Ref time (UTC)  : Sun Jan 12 06:23:26 2020
System time     : 0.000174314 seconds slow of NTP time
Last offset     : -0.000199483 seconds
RMS offset      : 0.000199483 seconds
Frequency       : 0.301 ppm fast
Residual freq   : -40.403 ppm
Skew            : 0.541 ppm
Root delay      : 0.172664896 seconds
Root dispersion : 0.047364954 seconds
Update interval : 64.8 seconds
Leap status     : Normal
[[email protected] ~]#


  • Reference ID is the ID and name of server to which your system’s time currently synced.
  • Stratum , it indicates the number of hops away from the server with an attached reference clock we are.

Check Chrony Sources

To list information about the current time sources that the …

Read More

How to Integrate Grafana with Prometheus for Monitoring

Grafana is a free and opensource tool for querying, analyzing and visualizing metrics from an array of multiple data sources whether physical or from the cloud. With Grafana, you can create, explore and share beautiful and intuitive dashboards from different data sources without a hassle. Some of the data sources it connects with include MySQL server, Graphite, PostgreSQL, InfluxDB, Elasticsearch, and Prometheus. In this guide, we will demonstrate how you can integrate Prometheus with Grafana. But first, we are going to Install Grafana. Check out our previous topic to see how you can install Prometheus on CentOS 8.

Installing Grafana on CentOS 8 / RHEL 8

We are going to install Grafana from the YUM/ DNF repository as it is much easier compared to downloading and running the .rpm package.

Step 1) Enable the DNF (or Yum) repository for Grafana

To begin with, add Grafana’s yum repository by creating a repository file as shown as root user

[[email protected] ~]# vi /etc/yum.repos.d/grafana.repo

save and exit the file

Run below dnf command to view all enabled package repositories, in the output we should see Grafana repository too.

[[email protected] ~]# dnf repolist


Step 2)  Install Grafana Monitoring tool

To install Grafana, use the DNF package manager as follows:

[[email protected] ~]# dnf install grafana -y

You can verify that Grafana is installed using the rpm command as shown

[[email protected] ~]# rpm -qa | grep grafana
[[email protected] ~]#

To gather more information about Grafana such as the version, architecture and license, run the command:

[[email protected] ~]# rpm -qi grafana


Step 3) Start and enable Grafana service

With Grafana successfully installed, we need to start the Grafana service and ensure it is running. So to start Grafana, run the command:

[[email protected] ~]# systemctl daemon-reload
[[email protected] ~]# systemctl start grafana-server

To enable Grafana on boot run:

[[email protected] ~]# systemctl enable grafana-server

You can verify that Grafana is running by executing the command:

[[email protected] ~]# systemctl status grafana-server


Additionally, you can use the netstat command to verify if Grafana is listening on its default port, which is port 3000.


Step 4) Open the port for Grafana in the Firewall

If you have a firewall running on your system, you need to allow port 3000 for external users to access Grafana on the browser. To open port 3000, execute the command:

[[email protected] ~]# firewall-cmd --add-port=3000/tcp --permanent
[[email protected] ~]#

Then reload the firewall to effect the changes

[[email protected] ~]# firewall-cmd --reload
[[email protected] ~]#

Step 5) Accessing Grafana

With all the configuration done, head over to your browser and visit your Grafana server’s URL as shown:  http://server-ip:3000/


Login using the default credentials as shown:

  • Username: admin
  • Password: admin

Grafana will then prompt you to set a strong password for obvious reasons. Type the new password and confirm it and finally click on the ‘Save’ button to save the changes made to your password.


This ushers you to Grafana’s dashboard.


We have successfully installed the Grafana monitoring server. Now it’s time to switch gears and integrate Grafana with the Prometheus server which we installed in our last topic.

Integrate Grafana with Prometheus for Monitoring

While Prometheus can display accurate system metrics, Grafana …

Read More

How to Install Prometheus on CentOS 8 / RHEL 8

Prometheus is an open source monitoring, querying and alerting tool. Originally built by Soundcloud in 2012, the feature-rich tool has been adopted by several companies to monitor their IT infrastructure and ensure all systems are running smoothly. Prometheus allows you to query and pull time-series metrics such as CPU & memory utilization over HTTP protocol and visualize them on real-time graphs. You can also configure Prometheus to push alerts in the event of a node or service downtime and integrate it with other third-party monitoring tools such as Grafana for enhanced data visualization. In this guide, we will look at the installation of Prometheus on the CentOS 8 /RHEL 8 system.

Step:1) Creating a Prometheus user and group

To start off, we are going to create a system user for Prometheus. Execute the command below to achieve this.

[[email protected] ~]# useradd -m -s /bin/false prometheus
[[email protected] ~]# id prometheus
uid=1002(prometheus) gid=1002(prometheus) groups=1002(prometheus)
[[email protected] ~]#

As you may have noted, the system user has no login permissions as specified in the /bin/false option

Step 2) Creating configuration directories for Prometheus

Once the user for Prometheus has been created, we are then going to create configuration directories in the /etc and /var directories which will store Prometheus configuration files and data. So run the commands below:

[[email protected] ~]# mkdir /etc/prometheus
[[email protected] ~]# mkdir /var/lib/prometheus

Set the ownership on /var/lib/prometheus

[[email protected] ~]# chown prometheus /var/lib/prometheus/

Step 3) Downloading Prometheus tar file

With the directories in place, we can now download the Prometheus. To get the latest version, head out to the Download page to obtain the latest version for your environment. At the time of penning down this article, the latest version was v 2.14.0. Alternatively, just run the command below

[[email protected] ~]# dnf install wget -y
[[email protected] ~]# wget -P /tmp

Once the download is complete, extract the tarball file as shown

[[email protected] tmp]# tar -zxpvf prometheus-2.14.0.linux-amd64.tar.gz

This will leave you with a directory called prometheus-2.14.0.linux-amd64

Use tree command to view directory structure,


The extracted directory contains 2 binary files  prometheus & promtool and that we need to copy to the /usr/local/bin path.

So, navigate to the extracted directory and copy them using the command:

[[email protected] ~]# cd /tmp/prometheus-2.14.0.linux-amd64
[[email protected] prometheus-2.14.0.linux-amd64]# cp prometheus  /usr/local/bin

Do likewise to the other binary file

[[email protected] prometheus-2.14.0.linux-amd64]# cp promtool  /usr/local/bin

Step 4) Creating a configuration file for Prometheus

To start off with the configuration, create a file /etc/prometheus/prometheus.yml and paste the configuration in the file

[[email protected] ~]# vi /etc/prometheus/prometheus.yml
# Global config
  scrape_interval:     15s # Set the scrape interval to every 15 seconds. Default is every 1 minute. 
  evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute. 
  scrape_timeout: 15s  # scrape_timeout is set to the global default (10s).
# A scrape configuration containing exactly one endpoint to scrape:# Here it's Prometheus itself.
  # The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
  - job_name: 'prometheus'
    # metrics_path defaults to '/metrics'
    # scheme defaults to 'http'.
    - targets: ['localhost:9090']

This will only monitor your local system only ( Prometheus Server).

Next, adjust the firewall as follows to allow external connections to the server via port 9090

[[email protected] ~]# firewall-cmd 
Read More

How to Setup DNS Server (Bind) on CentOS 8 / RHEL8

Developed in the 80’s by students at Berkeley University, BIND (Berkeley Internet Name Domain) is an open source DNS server that provides DNS services on Linux distributions. So, what is a DNS server ? A DNS server is a service that helps to resolve a fully qualified domain name (FQDN) into an IP address and additionally, perform a reverse translation- translation of an IP address to a user-friendly domain name.

Why is name resolution important? Well, computers locate services on servers using IP addresses. However, IP addresses are not as user-friendly as domain names and it would be a big headache trying to remember each IP address that is associated with every domain name. A DNS server steps in and helps to resolve these domain names to computer IP addresses.

This guide walks you through the process of setting up a DNS bind server on CentOS 8 / RHEL 8.

Lab setup:

  • Server :            CentOS 8 (minimal server)
  • IP address :
  • Hots Name :   dns-primary.linuxtechi.local
  • Domain :         linuxtechi.local

Let’s now hit the ground running with the configuration of the DNS bind server.

Step 1: Install bind DNS on CentOS 8 / RHEL 8

We begin with the installation of the bind and bind-utils package. These packages constitutes dns server and its utilities responsible for querying name servers or DNS servers.

Execute the command:

# dnf install bind bind-utils


Once successfully installed, start the DNS server using the command below:

# systemctl start named

Next, enable it so that it can kick in even after a reboot

# systemctl enable named

Just to be sure that the service is running as expected, check its status

# systemctl status named


Great, the DNS server is running just perfectly. Now let’s jump into configuring the Bind DNS server

Step 2:  Configure bind DNS server

Usually, best practice recommends making a backup of a configuration file before making any changes. This is so that should anything go wrong, we can always revert to the original unedited file. And it’s no different here.

Let’s take a backup of the config file  /etc/named.conf

# cp /etc/named.conf  /etc/named.bak

Now go ahead and open the file using your preferred text editor. In this case, we’re using vim editor.

# vim /etc/named.conf

Under the ‘Options’  section, ensure you comment out the lines indicated below to enable the Bind DNS server to listen to all IPs.

// listen-on port 53 {; }; 
// listen-on-v6 port 53 { ::1; };

Additionally, locate the allow-query parameter and adjust it according to your network subnet.

allow-query { localhost;; };


This setting allows only the hosts in the defined network to access the DNS server and not just any other host.

A forward lookup DNS zone is one that stores the host name ip address relationship. When queried, it gives the IP address of the host system using the host name. In contrast, the reverse DNS zone returns the Fully Qualified Domain Name (FQDN) of the server in relation to it’s IP address.

To define the reverse and forward lookup zones, copy and paste the following configuration at the end of /etc/named.conf

//forward zone
zone "linuxtechi.local" IN {
     type master;
     file "linuxtechi.local.db";
     allow-update { none; 
Read More

How to Boot CentOS 8 / RHEL 8 Server in Single User Mode

For day to day operations tasks, sometimes Linux geeks have to boot Linux server in single user mode for recovering the root password, repairing file system errors, fixing incorrect entry of fstab and disabling or enabling systemctl services.

Single user mode is the maintenance or emergency mode where Linux geeks perform all troubleshooting steps. In Single user mode all the system services are stopped and only root user is allowed to execute commands. In this article we will demonstrate on how to boot CentOS 8 / RHEL 8 server into a single user mode and perform troubleshooting steps.

There are two ways to boot CentOS 8 and RHEL 8 server in Single User Mode

Method 1) Using “rd.break” keyword

Step:1) Reboot Your CentOS 8 or RHEL 8 Server and go to grub boot loader screen by interrupting auto boot and choose first line which includes the kernel (In case you have multiple kernel lines choose the appropriate one which suits to your environment). Below is the CentOS 8 boot loader screen,


Step:2) Press ‘e’ to enter in the edit mode and then go to the end of line which starts with ‘linux‘ word, type the keyword “rd.break


now press Ctrl-x to boot system in single user mode then we will get below screen,


Step:3) Remount the /sysroot in read-write (rw) mode

Run the following commands to mount sysroot file system in rw,

switch_root:/# mount -o remount,rw /sysroot
switch_root:/# chroot /sysroot

As we can see above that we got ‘sh’ shell prompt, now root user can execute the commands.

Let’s assume we want to recover root password by resetting it, so execute following commands one after the another

sh-4.4# echo “[email protected]@123#” | passwd --stdin root 
sh-4.4# touch /.autorelabel

Once you are done with password reset, run below command to reboot your system

sh-4.4# reboot -f


Method 2) Replacing the ‘ro’ word with “rw init=/sysroot/bin/sh”

Step 1) Reboot your CentOS 8 / RHEL 8 System and interrupt the auto boot by entering up and down arrow key then we will get following grub screen.

Choose the first line which includes the kernel,


Step 2) Press ‘e’ to enter in edit mode and look for the line which starts with ‘linux’ word, replace the “ro” with “rw init=/sysroot/bin/sh


press “Ctrl-x” to boot the system in single user mode,


Step 3) Mount the root file system using chroot command,

:/# chroot /sysroot

Let’s assume you want to correct some invalid entries in fstab file,

:/# vi /etc/fstab

Make the required changes in fstab file then save and exit


In case you want to disable some systemctl service like sendmail, run the following command,

:/# systemctl disable sendmail

Once you are done with changes and troubleshooting steps then reboot your system using following command,

:/# reboot -f


Note: Alternate way to reboot the system from single user mode is to run exit command twice.

That’s all from this tutorial, In case these steps help you to recover your system and root password then please don’t hesitate to share valuable feedback and comments.

from Linuxtechi…

Read More

How to Install and Configure KVM on Debian 10 (Buster)

KVM stands for Kernel based Virtual Machine, KVM is a free and open source type 2 hypervisor which is installed on top of Linux like distributions. Once the KVM is installed on your system then it becomes the virtualization server which allows us to run multiple virtual machines at same time. KVM requires either Intel processor with VT-x (virtualization technology extension) or AMD processor with AMD-V (AMD64 Virtualization Extension).

In this article we will learn how to install and configure KVM on Debian 10 system, I am assuming Debian 10 is already installed on system / server.  Let’s jump into installation steps.

Step:1) Check whether Virtualization Extension is enabled or not

Login to your Debian 10 system, open the terminal and run the below command,

[email protected]:~$  egrep -c '(vmx|svm)' /proc/cpuinfo
[email protected]:~$

If output of above command is more than zero then we can say Virtualization technology enabled at the bios level. If the output is zero then we must restart the system, go to bios settings and then enable VT-x (Virtualization Technology Extension) for Intel processor and AMD-V for AMD processor.

Run the below command to verify whether your processor is Intel / AMD and support hardware virtualization,

[email protected]:~$ grep -E --color '(vmx|svm)' /proc/cpuinfo

if the output contains vmx then you have a Intel based processor and svm confirms that it is AMD processor.

Step:2) Install QEMU-KVM , Libvirt packages along with virt-manager

kvm , qemu, libvirt and virt-manager packages are available in the default repositories of Debian 10, run the beneath apt command to install these packages,

[email protected]:~$ sudo apt install qemu-kvm libvirt-clients libvirt-daemon-system bridge-utils virtinst libvirt-daemon virt-manager -y

Once above packages installed successfully then libvirtd service will be started automatically, run the below systemctl command to verify the status

[email protected]:~$ sudo systemctl status libvirtd.service


Step:3) Start default network and add vhost_net module

Run the below virsh command to list available network for kvm vms

[email protected]:~$ sudo virsh net-list --all
 Name      State      Autostart   Persistent
 default   inactive   no          yes
[email protected]:~$

As we can see in above output, default network is inactive so to make it active and auto-restart across the reboot by running the following commands,

[email protected]:~$ sudo virsh net-start default
Network default started
[email protected]:~$ sudo virsh net-autostart default
Network default marked as autostarted
[email protected]:~$

If you want to offload the mechanism of “virtio-net” and want to improve the performance of KVM VMs then add “vhost_net” kernel module on your system using the beneath command,

[email protected]:~$ sudo modprobe vhost_net
[email protected]:~$ echo "vhost_net" | sudo  tee -a /etc/modules
[email protected]:~$
[email protected]:~$ lsmod | grep vhost
vhost_net              24576  0
vhost                  49152  1 vhost_net
tap                    28672  1 vhost_net
tun                    49152  2 vhost_net
[email protected]:~$

Note: If you want a normal user to use virsh commands then add that user to libvirt and libvirt-qemu group using the following commands

[email protected]:~$ sudo adduser pkumar libvirt
[email protected]:~$ sudo adduser pkumar libvirt-qemu

To refresh or reload group membership run the followings,

[email protected]:~$ newgrp libvirt
[email protected]:~$ newgrp libvirt-qemu

Step:4) Create Linux Bridge(br0) for KVM VMs

When we install KVM then it automatically creates a bridge with name “virbr0“, this is generally used for all  test environments but if you wish to access your KVM VMs over the network then …

Read More

How to Run Containers with Podman on CentOS 8 / RHEL 8

Podman is a free and open-source daemonless container platform that was built to develop, manage and deploy containers and pods on a Linux environment. Pods are groups of containers which are usually deployed on the same host system. Podman is gradually replacing docker which is another containerization platform that developers use to deploy their applications together with dependencies and libraries. The main difference between the two is that while docker is a daemon that can be started, enabled, stopped and restarted, podman is not. Podman is considered more secure due to its audit logging capability in containers. The auditing plays a very crucial role in monitoring the processes that are running in a container.

Let’s now take you from A to Z on how to install podman and how to run and manage containers.

Installing podman on CentOS 8

To install podman on CentOS 8, simply log in as the root user and run the command:

[[email protected] ~]# dnf install podman


Installing podman on RHEL 8

Run below command to install Podman on RHEL 8 System

[[email protected] ~]# dnf module install container-tools

After the successful installation process , check the version of podman using the command:

[[email protected] ~]# podman --version
podman version 1.0.5
[[email protected] ~]#

Run below command to view podman system information

[[email protected] ~]# podman info


This is a confirmation that podman has been successfully installed.

Search and Download Containers Image with Podman

Let’s now shift gears and see the various operations you can carry out with podman. To search an image, use the syntax

# podman search image_name

For example, to search for the image of Fedora System, execute the command:

[[email protected] ~]# podman search fedora


In the output, you get to see the registry from which you are searching for, in this case, and a brief description of the images.

To download the image, simply run

# podman pull image_name

We will download 2 additional images, Fedora and Ubuntu

[[email protected] ~]# podman pull fedora
[[email protected] ~]# podman pull ubuntu


To view the downloaded images, run the command:

[[email protected] ~]# podman images
REPOSITORY                 TAG      IMAGE ID       CREATED        SIZE   latest   549b9b86cb8d   35 hours ago   66.6 MB   latest   f0858ad3febd   7 weeks ago    201 MB
[[email protected] ~]#

Run containers with podman

To run a container using a Fedora image that prints out a message on the screen, run:

[[email protected] ~]# podman run --rm fedora /bin/echo "Hello Geeks! Welcome to Podman"
Hello Geeks! Welcome to Podman
[[email protected] ~]#

Note: Above command will also remove the container after displaying the message.

Launch a container using ubuntu image, let’s assume container name is “web-ubuntu

[[email protected] ~]# podman run -dit --name web-ubuntu -p 80:80 ubuntu
[[email protected] ~]#

Above podman command will start a container and will redirect 80 port requests from podman system to web-space container on port 80.

Launch one more container using Fedora image with name db-fedora, attach an additional volume to this container (/opt/dbspace)

[[email protected] ~]# podman run -dit --name db-space -v /opt/dbspace:/mnt -p 3306:3306 fedora
[[email protected] ~]#

Above podman command will start a container and attach a folder as a volume “/opt/dbspace” and will also redirect 3306 port request from podman system to db-space container on 3306 port.

To view only …

Read More

Lock User Account After n Incorrect Login attempts in Linux

Linux Server hardening is one of the important task for sysadmins when it comes to production servers. It is recommended that one should enable login or ssh attempts policy, means user’s account should be locked automatically after n numbers of incorrect login or ssh attempts.

In Linux distribution like CentOS, RHEL and Fedora this is achieved by using pam module “pam_faillock” and for Debian like distributions, this can be achieved using “pam_tally2” pam module.

In this tutorial we will learn how to lock user accounts after n incorrect login attempts in CentOS , RHEL, Fedora, Debian & Ubuntu

For CentOS / RHEL / Fedora

Add the following lines in two files /etc/pam.d/password-auth & /etc/pam.d/system-auth,

auth     required preauth silent audit deny=3 unlock_time=600
auth     [default=die] authfail audit deny=3 unlock_time=600
account  required


  • Audit –> it will enable audit logs for user login attempt in secure log file
  • Deny=3 –> it will lock the user after 3 unsuccessful login attempts, you can change this number as per your requirement
  • unlock_time=600 –> it means user’s account will remain locked for 10 minutes (600 seconds), if you want user account to be locked forever then set this parameter as “unlock_time=never

Note: To lock root account as well after n incorrect logins, add  “even_deny_root” parameter in auth section lines, example is shown below

auth    required preauth silent audit even_deny_root deny=3 unlock_time=600
auth    [default=die] authfail audit even_deny_root deny=3 unlock_time=600

As we can see above, we have two lines for auth section and one line for account section, order is very important while adding these lines to the files. Example is demonstrated below where these lines needs to be added,

[[email protected] ~]# vi /etc/pam.d/password-auth


[[email protected] ~]# vi /etc/pam.d/system-auth


After making changes in both the files, restart the ssh service using below systemctl command,

[[email protected] ~]# systemctl restart sshd

Let’s do the testing whether user account will be locked after three unsuccessful login attempts or not.

Let’s assume we have a local account with name “pkumar“, we will try to ssh our Linux system with this account with incorrect passwords,

$ ssh [email protected]
[email protected]'s password:
[email protected]'s password:
[email protected]'s password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

Now view secure logs using tail command,

[[email protected] ~]# tail /var/log/secure


Above logs confirms that account has been locked after three incorrect login attempts, let’s verify from faillock command as well,

[[email protected] ~]# faillock --user pkumar
When                Type  Source                     Valid
2019-12-15 01:50:39 RHOST             V
2019-12-15 01:50:43 RHOST             V
2019-12-15 01:50:47 RHOST             V
[[email protected] ~]#

To flush or clear these unsuccessful login attempts, execute the following faillock command,

[[email protected] ~]# faillock --user pkumar --reset
[[email protected] ~]# faillock --user pkumar
When         Type  Source         Valid
[[email protected] ~]#

Let’s move to Debian like distribution (Ubuntu, Linux Mint and Debian)

For Debian, Ubuntu and Linux Mint

Add the following line in the file “/etc/pam.d/common-auth”,

auth    required  onerr=fail deny=3 unlock_time=600 audit

if you wish to lock root account as well after three incorrect logins then add the following line ,

auth    required  onerr=fail deny=3 unlock_time=600 audit even_deny_root root_unlock_time=600


  • Onerr=fail –> In case of error issue a fail
  • deny=3 –> After three unsuccessful login attempts account
Read More