Most of the time, users have to log in before they can use their accounts on a Linux system; authentication is the basic security control. A second control is locking an account after a number of consecutive failed login attempts. Repeated failures are the signature of password guessing: someone who knows a username, or part of a password, is trying to get in. Locking the account after a few failures limits how many guesses an attacker gets before an administrator notices.
You can do this using the pam_faillock module, which is part of Linux PAM (Pluggable Authentication Modules). It keeps a tally of failed authentications per user and, once the tally reaches the configured limit, refuses further authentication for that user: for a fixed period when unlock_time is set, otherwise until an administrator looks into it and clears the tally with the faillock command. The tally is kept in a per-user file under /var/run/faillock/, so past failures can be inspected later.
Locking User Account after Failed Login Attempt
To lock a user account after failed authentications, configure /etc/pam.d/system-auth and /etc/pam.d/password-auth (this layout is the RHEL/CentOS/Fedora one; Debian and Ubuntu keep the equivalent stack in /etc/pam.d/common-auth). Edit both files, not just one: sshd authenticates through password-auth, while su and console logins go through system-auth. In the auth section of each file, add the following two lines around the existing pam_unix.so entry, the preauth line above it and the authfail line below it:
Code:
auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
The options on these lines mean the following:
audit – log the user name to the system log even when the user does not exist, which makes guesses against invalid names visible
silent – on the preauth line, do not print an "account locked" message to the user
deny – the number of consecutive failures after which the account is locked (three in this case); failures are only counted together when they fall within fail_interval, which defaults to 900 seconds
unlock_time – how long, in seconds, the account stays locked before a login is accepted again (600 seconds, or 10 minutes, in this case)
The order of the lines matters. The preauth line must sit before pam_unix.so so that a locked user is refused before the password is even checked, and the authfail line must sit after pam_unix.so so that it only runs, and only records a failure, when the password check has failed. Put the authfail line above pam_unix.so and every login, correct password or not, is recorded as a failure, so all accounts lock after three logins of any kind.
Open each of the two files in an editor and add the lines shown above to its auth section:
Code:
# vi /etc/pam.d/system-auth
# vi /etc/pam.d/password-auth
One more line is needed in the account section of both files, so that the lock is also enforced when PAM validates the account after authentication:
account required pam_faillock.so
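The placement rules above are easy to get wrong by hand. The script below is an added example, not part of the original article: it reads a PAM file and checks that the preauth line comes before pam_unix.so, that the authfail line comes after it, and that the account phase loads pam_faillock.so. The function names are this example's own, and the two stacks it checks are constructed samples, not files copied from a real host.

```shell
#!/bin/sh
# Added example: check the order of the pam_faillock lines in a PAM stack.
# It only reads the file it is given; it changes nothing.

# pam_lineno FILE PHASE MODULE [OPTION]
# Print the line number of the first PHASE entry that loads MODULE (and carries
# OPTION, when one is given); print nothing when there is no such line.
pam_lineno() {
    awk -v phase="$2" -v mod="$3" -v opt="$4" '
        $1 == phase && index($0, mod) && (opt == "" || index($0, opt)) {
            print NR; exit
        }' "$1"
}

# check_faillock_order FILE
# Print "ok" and return 0 when all lines are present and ordered correctly;
# otherwise print the first problem found and return 1.
check_faillock_order() {
    file=$1
    pre=$(pam_lineno "$file" auth pam_faillock.so preauth)
    unix=$(pam_lineno "$file" auth pam_unix.so)
    fail=$(pam_lineno "$file" auth pam_faillock.so authfail)
    acct=$(pam_lineno "$file" account pam_faillock.so)

    [ -n "$pre" ]  || { echo "missing: auth pam_faillock.so preauth";  return 1; }
    [ -n "$unix" ] || { echo "missing: auth pam_unix.so";              return 1; }
    [ -n "$fail" ] || { echo "missing: auth pam_faillock.so authfail"; return 1; }
    [ -n "$acct" ] || { echo "missing: account pam_faillock.so";       return 1; }
    [ "$pre" -lt "$unix" ]  || { echo "preauth must come before pam_unix.so"; return 1; }
    [ "$fail" -gt "$unix" ] || { echo "authfail must come after pam_unix.so"; return 1; }
    echo ok
}

# Constructed sample stacks (not from a real host): the first is ordered
# correctly, the second has the preauth line after pam_unix.so.
good=$(mktemp) && bad=$(mktemp)
trap 'rm -f "$good" "$bad"' EXIT
cat >"$good" <<'EOF'
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
EOF
cat >"$bad" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth        [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
EOF

check_faillock_order "$good"        # prints: ok
check_faillock_order "$bad" || :    # prints: preauth must come before pam_unix.so
```

After editing your own files, run check_faillock_order /etc/pam.d/system-auth and the same for password-auth. The check is deliberately strict: a stack that merely loads the module in the wrong place looks like it works (logins still succeed) while never actually locking anyone, which is the failure mode you want to catch before relying on it.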
Locking Root User Account after Failed Login Attempt
By default pam_faillock never locks root. Root is also the most valuable target: if it is compromised, the entire system is compromised, so you may want the same protection for it. For that, add even_deny_root to both lines; the lines below replace the two added earlier rather than sitting next to them. Be aware of the trade-off: once root can be locked, anyone who can reach a login prompt can lock root out by entering three wrong passwords, so keep unlock_time short (or set a separate root_unlock_time) and make sure you have a way onto the box that does not depend on a root password login.
Code:
auth required pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=300
auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=300
After the configuration change, you can restart the remote access service. PAM reads its configuration on every authentication, so this is not strictly required, but it does no harm and makes sure no session is using stale state. If you are using sshd:
Code:
# systemctl restart sshd [On SystemD]
# service sshd restart [On SysVInit]
Testing SSH User Failed Login Attempts
Now that Linux is configured to lock accounts after failed authentication, check that it works as intended. With the lines above (deny=3 and unlock_time=300), the lock triggers on the third consecutive failure and lasts 5 minutes (300 seconds); with the first set of lines it would last 10 minutes instead. In the following session the user 'Roger1' tries to switch to user 'Roger2' and enters the wrong password every time:
Code:
[Roger1 ~]$ su - Roger2
Password:
su: Permission denied
[Roger1 ~]$ su - Roger2
Password:
su: Permission denied
[Roger1 ~]$ su - Roger2
Password:
su: Permission denied
[Roger1 ~]$ su - Roger2
Password:
su: Authentication failure
On the fourth attempt the message changes from 'Permission denied' to 'Authentication failure': Roger2 is now locked and will be refused for the next 300 seconds even if the correct password is entered. The lockout is also recorded in the faillock tally and written to the system log (the journal or /var/log/secure), so the administrator can see it.
View Failed Authentication Attempts
To view past failed login attempts, use the faillock utility, which displays and modifies the failure records. The records are kept under the name of the user whose password was tried, so in the test above they belong to Roger2, not to Roger1 who typed the password. To show the records of one user:
Code:
# faillock --user Roger2
To view the failed attempts of all users, run faillock without any argument:
Code:
# faillock
Once you have looked into it, you can clear the records for a particular user, which unlocks the account immediately, or for everyone at once:
Code:
# faillock --user Roger2 --reset
OR
# faillock --reset   # clears the authentication failure records of all users
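As an added example that is not from the original article, the shell function below parses the table that faillock prints, counts the entries marked V (valid, i.e. still inside fail_interval) per user, and lists every user at or over a given deny threshold. The function name and the faillock output it runs on are this example's own; the output is a constructed sample, not captured from a real host. The threshold is passed as an argument because the script cannot know the deny value in your PAM files.

```shell
#!/bin/sh
# Added example: list users whose faillock tally has reached the deny threshold.

# locked_users DENY
# Reads faillock output on stdin. Counts, per user, the entries whose Valid
# column is V and prints every user with at least DENY of them, one per line.
locked_users() {
    awk -v deny="$1" '
        /^[^ ]+:$/   { user = substr($1, 1, length($1) - 1); next }  # "name:" line
        $1 == "When" { next }                                         # column header
        NF >= 5 && $NF == "V" { fails[user]++ }                       # date time type source V
        END { for (u in fails) if (fails[u] >= deny) print u }
    ' | LC_ALL=C sort
}

# Constructed sample of what `faillock` prints: Roger2 has three valid failures
# from the su test, alice has one expired (I) and one valid failure over ssh.
sample='Roger2:
When                Type  Source                                           Valid
2021-03-02 10:23:10 TTY   pts/1                                            V
2021-03-02 10:23:14 TTY   pts/1                                            V
2021-03-02 10:23:19 TTY   pts/1                                            V
alice:
When                Type  Source                                           Valid
2021-03-02 09:10:02 RHOST 192.0.2.15                                       I
2021-03-02 11:45:30 RHOST 192.0.2.15                                       V
'

printf '%s' "$sample" | locked_users 3    # prints: Roger2
# On a live system: faillock | locked_users 3
```

Treat the list as evidence, not as the final word: the entries stay in the tally after unlock_time has passed, so a user shown here may already be able to log in again, and a user with a fresh entry marked I is not locked even if the line count looks high. The PAM stack is the authority; this is a quick way to see who to look at first.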
If certain users should never be locked, skip the pam_faillock.so calls for them with pam_succeed_if. Add the following line immediately before each pam_faillock.so line in the auth section (and the same line with account in place of auth before the account entry, if the exemption is to be complete); the success=1 action skips exactly the one module that follows it, which is why it has to be repeated per line:
Code:
auth [success=1 default=ignore] pam_succeed_if.so user in Roger1:Roger2
For more details on pam_faillock and faillock, read their man pages:
Code:
# man pam_faillock
# man faillock
That is how you lock accounts in Linux after repeated failed login attempts.