It is important to keep track of failed login attempts on your Linux system and to automatically lock users after a specific number of failed attempts. Otherwise, bots, scripts and attackers will keep trying to gain access to your system by brute-forcing passwords. You can easily enforce a simple lock after a certain number of consecutive failed attempts using the pam_faillock module in Linux. In this article, we will look at how to lock a user after failed login attempts in Linux.
The pam_faillock module keeps track of failed login attempts and automatically enforces a temporary lock on such users. It stores a record for each user in /var/run/faillock. It is available as part of Linux PAM (Pluggable Authentication Modules), which allows you to add authentication features to applications and services.
How to Lock User After Failed Login Attempts in Linux
Here are the steps to lock a user after failed login attempts in Linux.
The pam_faillock configuration files are located at /etc/pam.d/system-auth and /etc/pam.d/password-auth. Open them with a text editor.
$ sudo vi /etc/pam.d/system-auth
$ sudo vi /etc/pam.d/password-auth
The default auth section in both of these files looks like this.
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet
auth required pam_deny.so
Add the following lines to these files.
auth required pam_faillock.so preauth silent audit deny=3 unlock_time=300
auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=300
In the above 2 lines, the keywords mean the following.
audit – enable user auditing
deny – number of attempts (3 in this case), after which the user account will be locked.
unlock_time – time (300 seconds = 5 minutes) for which the account will remain locked.
Here is the position at which you need to add the above two lines (each is preceded by a comment below). Make sure you add the 2 lines at these positions only: the preauth line before pam_unix.so and the authfail line after it. Otherwise, it may lock all accounts.
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
# added line 1: preauth check, must come before pam_unix.so
auth required pam_faillock.so preauth silent audit deny=3 unlock_time=300
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
# added line 2: record the failure, must come after pam_unix.so
auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=300
auth requisite pam_succeed_if.so uid >= 1000 quiet
auth required pam_deny.so
Next, add the following line to the account section.
account required pam_faillock.so
It should be added at the end of the section, as shown below.
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
account required pam_faillock.so
If you also want to lock the root account after the specified number of attempts, add the keyword even_deny_root to the 2 lines you added in the auth section above.
auth required pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=300
auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=300
Finally, restart the SSHD service to apply the changes.
# systemctl restart sshd     [On SystemD]
# service sshd restart       [On SysVInit]
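Since a misplaced line can lock every account, it is worth checking the ordering before you restart. The script below is an added example, not part of the article: it checks a PAM file for the ordering described above (preauth before pam_unix.so, authfail after it, plus the account line) and runs against two constructed sample files, one correct and one with the authfail line in the wrong place.

```shell
#!/bin/sh
# Added example (not from the article): sanity-check the placement of the
# pam_faillock lines in a PAM configuration file.
# Expected order in the auth section:
#   preauth line  -> before pam_unix.so
#   authfail line -> after pam_unix.so
# and at least one "account ... pam_faillock.so" line.

# Returns 0 if FILE has the lines in the right order, 1 otherwise.
check_faillock_order() {
    file=$1
    # Line numbers of the first match of each relevant auth entry.
    pre=$(grep -n '^auth[[:space:]].*pam_faillock\.so.*preauth' "$file" | head -n1 | cut -d: -f1)
    unix=$(grep -n '^auth[[:space:]].*pam_unix\.so' "$file" | head -n1 | cut -d: -f1)
    fail=$(grep -n '^auth[[:space:]].*pam_faillock\.so.*authfail' "$file" | head -n1 | cut -d: -f1)
    acct=$(grep -c '^account[[:space:]].*pam_faillock\.so' "$file" || true)
    [ -n "$pre" ] && [ -n "$unix" ] && [ -n "$fail" ] || return 1
    if [ "$pre" -lt "$unix" ] && [ "$unix" -lt "$fail" ] && [ "$acct" -ge 1 ]; then
        return 0
    fi
    return 1
}

GOOD_CONF=$(mktemp)   # constructed sample: correct ordering
cat > "$GOOD_CONF" <<'EOF'
auth required pam_env.so
auth required pam_faillock.so preauth silent audit deny=3 unlock_time=300
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=300
auth requisite pam_succeed_if.so uid >= 1000 quiet
auth required pam_deny.so
account required pam_unix.so
account required pam_faillock.so
EOF

BAD_CONF=$(mktemp)    # constructed sample: authfail before pam_unix, no account line
cat > "$BAD_CONF" <<'EOF'
auth required pam_env.so
auth required pam_faillock.so preauth silent audit deny=3 unlock_time=300
auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=300
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_deny.so
EOF

for f in "$GOOD_CONF" "$BAD_CONF"; do
    if check_faillock_order "$f"; then echo "$f: faillock order OK"; else echo "$f: faillock order WRONG"; fi
done
```

To check a live system, call check_faillock_order on /etc/pam.d/system-auth and /etc/pam.d/password-auth instead of the sample files.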
Test Failed SSH Login Attempt
You can easily test the above configuration by trying to switch to another account and providing the wrong password three times. The first 3 times you will get a ‘Permission Denied’ message. The fourth time, you will see ‘Authentication Failure’ and the account will be locked for 5 minutes.
$ su - ubuntu
Password:
Permission Denied
$ su - ubuntu
Password:
Permission Denied
$ su - ubuntu
Password:
Permission Denied
$ su - ubuntu
Password:
Authentication Failure
View Failed Authentication Attempts
If you want to view the failed authentication attempts of a user, use the faillock command with the username for which you want this information.
$ faillock --user ubuntu
If you want to view all failed attempts on your system, run the faillock command without any argument or option.
$ faillock
Reset/Clear Failed Authentication
If you want to reset or clear the failed authentication records of a specific user, e.g. ubuntu, run the following command.
$ faillock --user ubuntu --reset
If you want to clear the failed authentication records of all users, run the following command.
$ faillock --reset
Exclude User from Faillock
If you want to exclude certain users (e.g. ubuntu) from being locked even after the specified number of failed attempts, add the following pam_succeed_if line for that user to the auth section mentioned above. On success it skips the next line (the preauth check), so the excluded user is never denied by pam_faillock.
auth required pam_env.so
# added: skip the preauth line below for the listed users
auth [success=1 default=ignore] pam_succeed_if.so user in ubuntu:ubuntu
auth required pam_faillock.so preauth silent audit deny=3 unlock_time=300
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=300
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
For more information about faillock, you can always use the man command.
$ man faillock
$ man pam_faillock
In this article, we have learnt how to lock users after a specific number of failed login attempts, view the record of failed attempts, clear/reset a user’s failed login attempts and also exclude users from being locked.