Locking Accounts in Linux When Users Fail to Login

Locking Accounts in Linux When Users Fail to Login

Most of the times, users are required to log in to the system in Linux to access their respective accounts. This is an essential security protocol. Another security protocol is locking the account after the users fails to log in after a certain number of attempts. Failed attempts can also mean that an intruder with partial credentials is trying to get into the system. By locking the account associated with that user, you can ensure safety.

You can do this using the pam_faillock module. This module is part of the Linux PAM (Pluggable Authentication Modules). It would lock the user account temporarily until an admin intervenes and looks into the matter. It’d also record this event for future reference. You can access all the failed login attempts in the past in the per-user file at /var/run/faillock/.

Locking User Account after Failed Login Attempt

To lock the user account when they fail to authenticate, you need to configure the /etc/pam.d/system-auth and /etc/pam.d/password-auth files. Open any of the file and below the auth section, add in the following:

Code:
auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600

auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
In the above lines of code, here are some important commands:

audit – it enables user auditing

deny – it defines the number of times the user can attempt to login (in the above case, its three times)

unlock_time – the time for which the account remains deactivated (600 seconds or 10 minutes in this case)

When adding in the lines of code, its necessary to follow the order mentioned above. Its really important since incorrect order may lock all user accounts.

To open the two files, execute these commands:

Code:
# vi /etc/pam.d/system-auth

# vi /etc/pam.d/password-auth
Then add in the lines of command.

An additional line you need to add under the account section, which is:

account required pam_faillock.so

Locking Root User Account after Failed Login Attempt

Root user is the most vulnerable user. When it is compromised, the entire Linux system is at risk. Therefore, you need to secure the root user account at all costs.

For that purpose, you’d have to add the following lines to the auth section of the files:

Code:
auth required pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=300

auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=300
After the necessary configuration, you need to restart the remote access service. If you’re using sshd, use the following command:

Code:
# systemctl restart sshd [On SystemD]
# service sshd restart [On SysVInit]
Testing SSH User Failed Login Attempts

Now that you’ve configured Linux to lock user accounts when they fail to authenticate themselves, lets check if its working as intended.

In the above codes, we have limited the number of attempts to 3. So after the third attempt, the account will be locked for 5 minutes (300 seconds).

The following scenario is when the user ‘Roger1’ is attempting to switch to user ‘Roger2’:

Code:
[Roger1 ~]$ su - Roger2

Password:
su: Permission denied

[Roger1 ~]$ su - Roger2

Password:

su: Permission denied

[Roger1 ~]$ su - Roger2

Password:

su: Permission denied

[Roger1 ~]$ su - Roger2

Password:

su: Authentication failure
As you can see, we get ‘Authentication Failure’ in the fourth attempt. This means, the code is working as intended.

The root user will also get a notification regarding this.

View Failed Authentication Attempts

To view the failed login attempts of the past, you can use the faillock utility. It is used to display and modify the failure log.

If you want to view the failed login attempts made by a particular user, use this command:

Code:
# faillock --user Roger1
To view all failed attempt made by all users, just execute faillock without any argument like this:

Code:
# faillock
You can also clear the log file for a particular user using this command:

Code:
# faillock --user Roger1 --reset
OR
# fail --reset #clears all authentication failure records
If you don’t want the Linux system to lock a user after several failed attempts, you need to add the following line to the auth section, just before the pam_faillock.so line:

Code:
auth [success=1 default=ignore] pam_succeed_if.so user in Roger1:Roger2
To get more information on pam_faillock and faillock main pages, use this command:

Code:
# man pam_faillock
# man faillock
So that’s how you lock accounts in Linux when there’s failed login attempts.
Author
kumkumsharma
Views
3,299
First release
Last update
Rating
0.00 star(s) 0 ratings

More resources from kumkumsharma

Top