Linux Server hardening is one of the important task for sysadmins when it comes to production servers. It is recommended that one should enable login or ssh attempts policy, means user’s account should be locked automatically after n numbers of incorrect login or ssh attempts.

In Linux distribution like CentOS, RHEL and Fedora this is achieved by using pam module “pam_faillock” and for Debian like distributions, this can be achieved using “pam_tally2” pam module.

In this tutorial we will learn how to lock user accounts after n incorrect login attempts in CentOS , RHEL, Fedora, Debian & Ubuntu

For CentOS / RHEL / Fedora

Add the following lines in two files /etc/pam.d/password-auth & /etc/pam.d/system-auth,

auth     required       pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth     [default=die]  pam_faillock.so authfail audit deny=3 unlock_time=600
account  required       pam_faillock.so

Where,

  • Audit –> it will enable audit logs for user login attempt in secure log file
  • Deny=3 –> it will lock the user after 3 unsuccessful login attempts, you can change this number as per your requirement
  • unlock_time=600 –> it means user’s account will remain locked for 10 minutes (600 seconds), if you want user account to be locked forever then set this parameter as “unlock_time=never

Note: To lock root account as well after n incorrect logins, add  “even_deny_root” parameter in auth section lines, example is shown below

auth    required       pam_faillock.so preauth silent audit even_deny_root deny=3 unlock_time=600
auth    [default=die]  pam_faillock.so authfail audit even_deny_root deny=3 unlock_time=600

As we can see above, we have two lines for auth section and one line for account section, order is very important while adding these lines to the files. Example is demonstrated below where these lines needs to be added,

[[email protected] ~]# vi /etc/pam.d/password-auth

pam-password-auth-file-linux

[[email protected] ~]# vi /etc/pam.d/system-auth

pam-system-auth-file-linux

After making changes in both the files, restart the ssh service using below systemctl command,

[[email protected] ~]# systemctl restart sshd

Let’s do the testing whether user account will be locked after three unsuccessful login attempts or not.

Let’s assume we have a local account with name “pkumar“, we will try to ssh our Linux system with this account with incorrect passwords,

$ ssh [email protected]
[email protected]'s password:
[email protected]'s password:
[email protected]'s password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

Now view secure logs using tail command,

[[email protected] ~]# tail /var/log/secure

secure-log-file-linux

Above logs confirms that account has been locked after three incorrect login attempts, let’s verify from faillock command as well,

[[email protected] ~]# faillock --user pkumar
pkumar:
When                Type  Source                     Valid
2019-12-15 01:50:39 RHOST 192.168.29.157             V
2019-12-15 01:50:43 RHOST 192.168.29.157             V
2019-12-15 01:50:47 RHOST 192.168.29.157             V
[[email protected] ~]#

To flush or clear these unsuccessful login attempts, execute the following faillock command,

[[email protected] ~]# faillock --user pkumar --reset
[[email protected] ~]# faillock --user pkumar
pkumar:
When         Type  Source         Valid
[[email protected] ~]#

Let’s move to Debian like distribution (Ubuntu, Linux Mint and Debian)

For Debian, Ubuntu and Linux Mint

Add the following line in the file “/etc/pam.d/common-auth”,

auth    required           pam_tally2.so onerr=fail deny=3 unlock_time=600 audit

if you wish to lock root account as well after three incorrect logins then add the following line ,

auth    required           pam_tally2.so onerr=fail deny=3 unlock_time=600 audit even_deny_root root_unlock_time=600

Where:

  • Onerr=fail –> In case of error issue a fail
  • deny=3 –> After three unsuccessful login attempts account will be locked
  • unlock_time=600 –> It means account will remain locked for 10 minutes or 600 seconds
  • audit –> It means audit the logs in audit.log file
  • even_deny_root –> Lock the root account after three incorrect logins
  • root_unlock_time=600 –> Root account will remain locked for 10 minutes or 600 seconds after 3 unsuccessful login attempts

Let’s add above discuss line in file “/etc/pam.d/common-auth” using vi editor,

[email protected]:~$ sudo vi /etc/pam.d/common-auth

common-auth-file-ubuntu

After making the above changes, save and exit the file and restart ssh service using following command,

[email protected]:~$ sudo systemctl restart sshd

Let’s test whether accounts are locked after 3 incorrect ssh logins,

Let’s assume we have a local “devops” user, we will try to ssh the Ubuntu system with incorrect passwords

$ ssh [email protected] 
[email protected]'s password: 
[email protected]'s password: d
[email protected]'s password: 
Permission denied (publickey,password).

Now view auth log file to see whether incorrect login attempts are captured or not,

[email protected]:~$ tail /var/log/auth.log

auth-log-file-ubuntu

Above logs confirms that account has been locked, let’s verify from pam_tally2 command,

[email protected]:~$ sudo pam_tally2 -u devops
Login       Failures Latest failure     From
devops      6    12/15/19 07:45:02  192.168.29.157
[email protected]:~$

To clear these unsuccessful login attempts use the following pam_tally2 command,

[email protected]:~$ sudo pam_tally2 -u devops --reset
Login        Failures Latest failure     From
devops       6    12/15/19 07:45:02  192.168.29.157
[email protected]:~$
[email protected]:~$ sudo pam_tally2 -u devops
Login        Failures Latest failure     From
devops       0
[email protected]:~$

That’s conclude the article, please don’t hesitate to share the feedback and comments.

from Linuxtechi https://www.linuxtechi.com/lock-user-account-incorrect-login-attempts-linux/