How to Lock User After Failed Login Attempts in Linux

It is important to keep track of failed login attempts on your Linux system and to lock a user automatically after a specific number of failed attempts. Otherwise, bots, scripts and attackers can keep guessing passwords against your system in a brute-force attack. You can enforce a temporary lock after a set number of consecutive failures with the pam_faillock module. Keep in mind that any lockout can also be turned against you: someone who knows a user name can deliberately fail a few times to lock that user out for the unlock period, which is why a short unlock_time is usually preferable to a permanent lock. In this article, we will look at how to lock a user after failed login attempts in Linux.

The pam_faillock module keeps track of failed login attempts and enforces a temporary lock on users who exceed the limit. It stores one tally file per user under /var/run/faillock. It ships with Linux-PAM (Pluggable Authentication Modules), the framework that lets applications and services plug in authentication features, and it replaces the older pam_tally2 module.


How to Lock User After Failed Login Attempts in Linux

Here are the steps to lock a user after failed login attempts in Linux.

On RHEL, CentOS and Fedora, the PAM stacks used by logins are /etc/pam.d/system-auth and /etc/pam.d/password-auth (these are the files shown below; on Debian and Ubuntu the equivalents are /etc/pam.d/common-auth and /etc/pam.d/common-account). Open them with a text editor. Note the warning in their header: on systems managed by authconfig (or authselect on RHEL 8 and later), hand edits are overwritten the next time the tool runs, so on such systems enable the tool's own faillock option instead (for example, authselect enable-feature with-faillock).

$ sudo vi /etc/pam.d/system-auth
$ sudo vi /etc/pam.d/password-auth

The default auth section of both files looks like this:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet
auth        required      pam_deny.so

Add the following two lines to both files (their position in the stack matters; see below).

auth    required       pam_faillock.so preauth silent audit deny=3 unlock_time=300
auth    [default=die]  pam_faillock.so authfail audit deny=3 unlock_time=300

In the above two lines, the keywords mean the following.

  • preauth – runs before the password is asked for; the module only checks whether the user is already locked and, if so, fails the login regardless of the password.
  • authfail – runs after the password modules have failed; the module records the failure in the user's tally file.
  • silent – do not print informational messages such as "The account is locked due to 3 failed logins" to the user (drop it if you want users to see why they are rejected).
  • audit – also log the user name to the system log when the user does not exist, so attempts against non-existent accounts are visible.
  • deny – number of consecutive failed attempts (3 in this case) after which the user is locked.
  • unlock_time – time in seconds (300 seconds = 5 minutes) for which the user stays locked; 0 means locked until an administrator resets the tally.
  • fail_interval – not set above, so the default of 900 seconds applies: only failures within this window count towards deny.

The [default=die] control on the authfail line makes the stack stop with an error once the failure has been recorded, whatever the module itself returns. On Linux-PAM 1.4 and later the same options can be set once in /etc/security/faillock.conf instead of repeating them on both lines.

Here are the positions at which the two lines go. The preauth line must come before the modules that check the password (pam_fprintd.so and pam_unix.so here), and the authfail line must come directly after them. Do not place them anywhere else: if the authfail line ends up before pam_unix.so, it records a failure on every login attempt, including ones with the correct password, and soon locks every account.

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=300
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die]  pam_faillock.so  authfail  audit  deny=3  unlock_time=300
auth        requisite     pam_succeed_if.so uid >= 1000 quiet
auth        required      pam_deny.so

Next, add the following line to the account section:

account     required      pam_faillock.so

It goes at the end of the section, as shown below. The account phase is also where pam_faillock clears a user's failure records after a successful login, so do not leave this line out.

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
account     required      pam_faillock.so

If you want the root account to be locked as well after the specified number of attempts, add the keyword even_deny_root to both auth lines you added above. Be aware that this lets anyone who can reach a login prompt lock root out for unlock_time (root_unlock_time can set a separate, shorter period for root), so only enable it where console access as root is not your recovery path.

auth        required      pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=300
auth        [default=die]  pam_faillock.so  authfail  audit  deny=3 even_deny_root unlock_time=300

Finally, restart the SSH service. PAM configuration is read on every authentication, so running services pick the change up without a restart; restarting sshd simply makes the point at which the change takes effect explicit.

# systemctl restart sshd  [On SystemD]
# service sshd restart    [On SysVInit]


Test Failed SSH Login Attempt

You can test the configuration by switching to another, non-root account and entering a wrong password three times. The first three attempts are rejected after the password check; the fourth is rejected by the preauth check regardless of the password, and the account stays locked for 5 minutes. The exact messages depend on your su version (the transcript below is from one such system). Do the test from a second session, and on a user other than the one you are logged in as, so that a mistake in the PAM files does not lock you out of the machine.

$ su - ubuntu
Password:
Permission Denied
$ su - ubuntu
Password:
Permission Denied
$ su - ubuntu
Password:
Permission Denied
$ su - ubuntu
Password:
Authentication Failure


View Failed Authentication Attempts

If you want to view the failed authentication attempts for a user, run faillock with that user name. The tally files are readable only by root, so use sudo.

$ sudo faillock --user ubuntu

The output lists one record per failure with the time (When), whether it came from a terminal (TTY) or a remote host (RHOST), the source, and whether the record is still valid (V) or has been invalidated (I). Only valid records that fall within fail_interval count towards deny.

If you want to view the failed attempts of all users on the system, run faillock without any argument or option.

$ sudo faillock
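To turn that listing into an answer to "is this user locked right now, and until when?", here is an added example in Python (not part of the article or of Linux-PAM): it parses the record table that faillock prints and applies the preauth rule with the deny, unlock_time and fail_interval values from the article. The faillock output embedded below is a constructed sample, not captured from a real host; the function names parse_faillock, lock_status and status_at are this example's own.

```python
"""Model pam_faillock's lock decision from `faillock` output (added example,
not part of the article or of Linux-PAM)."""
from datetime import datetime, timedelta

TS = "%Y-%m-%d %H:%M:%S"

# Constructed sample of `sudo faillock --user ubuntu` output, not real data.
# The first record was invalidated (I) and must not count; the three RHOST
# records are valid (V) failures from a remote host.
SAMPLE_OUTPUT = """\
ubuntu:
When                Type  Source                                           Valid
2024-03-01 09:30:00 TTY   tty1                                                 I
2024-03-01 10:00:05 RHOST 192.0.2.10                                           V
2024-03-01 10:00:20 RHOST 192.0.2.10                                           V
2024-03-01 10:00:41 RHOST 192.0.2.10                                           V
"""


def parse_faillock(text):
    """Return (user, [(when, type, source, valid), ...]) from faillock output."""
    lines = [l for l in text.splitlines() if l.strip()]
    user = lines[0].rstrip(":")
    records = []
    for line in lines[2:]:            # skip the "user:" line and the header
        parts = line.split()
        when = datetime.strptime(parts[0] + " " + parts[1], TS)
        records.append((when, parts[2], parts[3], parts[-1] == "V"))
    return user, records


def lock_status(records, now, deny=3, unlock_time=300, fail_interval=900):
    """Apply the preauth rule: count valid failures newer than
    now - fail_interval; the user is locked when that count reaches deny and
    the newest failure is less than unlock_time seconds old (unlock_time=0
    means locked until reset). Returns (locked, failures_counted, unlock_at)."""
    window_start = now - timedelta(seconds=fail_interval)
    recent = [r for r in records if r[3] and r[0] > window_start]
    if len(recent) < deny:
        return False, len(recent), None
    latest = max(r[0] for r in recent)
    if unlock_time == 0:
        return True, len(recent), None
    unlock_at = latest + timedelta(seconds=unlock_time)
    return now < unlock_at, len(recent), unlock_at


def status_at(output, now_str, **opts):
    """Convenience wrapper: evaluate the lock at a given "YYYY-mm-dd HH:MM:SS"."""
    _, records = parse_faillock(output)
    locked, count, unlock_at = lock_status(records, datetime.strptime(now_str, TS), **opts)
    return locked, count, unlock_at.strftime(TS) if unlock_at else None


if __name__ == "__main__":
    # Usage: sudo faillock --user ubuntu | python3 faillock_status.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    print(status_at(text, datetime.now().strftime(TS)))
```

One thing the model makes visible: once unlock_time has passed, the user can log in again, but the three records still count until they age out of fail_interval (900 seconds by default), so a single further wrong password re-locks the account immediately. Use faillock --reset if you want a clean slate sooner.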


Reset/Clear Failed Authentication

If you want to reset or clear the failed authentication records of a specific user, for example ubuntu, run the following command. This also unlocks the user immediately.

$ sudo faillock --user ubuntu --reset

If you want to clear the records of all users, run faillock with --reset and no user name.

$ sudo faillock --reset


Exclude User from Faillock

If you want to exclude certain users (e.g. ubuntu) from ever being locked, even after the specified number of failed attempts, add a pam_succeed_if.so line immediately before the preauth line, as shown below. With success=1 default=ignore, a match skips the next line (the preauth check) for that user, so that user is never blocked; every other user falls through to the normal checks. Several users can be listed separated by colons (user in alice:bob).

auth   required      pam_env.so
auth   [success=1 default=ignore] pam_succeed_if.so user in ubuntu:ubuntu
auth   required      pam_faillock.so preauth silent audit deny=3 unlock_time=300
auth   sufficient    pam_unix.so  nullok  try_first_pass
auth   [default=die]  pam_faillock.so  authfail  audit  deny=3  unlock_time=300
auth   requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth   required      pam_deny.so

For more information about faillock and its options, see the man pages:

$ man faillock
OR
$ man pam_faillock

In this article, we have learned how to lock users after a specific number of failed login attempts, view the record of failed attempts, clear or reset a user's failed login attempts, and exclude users from being locked.
