
How to lock users after 5 unsuccessful login tries?

I gathered how to do it for a few distributions/versions, but I can't test it.

RHEL4: by adding the:

auth        required      /lib/security/$ISA/pam_tally.so no_magic_root
account     required      /lib/security/$ISA/pam_tally.so deny=5 reset no_magic_root

to:

/etc/pam.d/system-auth
/etc/pam.d/login
/etc/pam.d/sshd

RHEL4: ???

SLES9: by adding the:

auth required pam_tally.so no_magic_root
account required pam_tally.so deny=5 reset no_magic_root

to:

/etc/pam.d/login
/etc/pam.d/sshd

SLES11 or SLES10: by adding the:

auth required pam_tally.so deny=5 onerr=fail per_user no_lock_time

to:

/etc/pam.d/common-auth

AND by adding the:

account required pam_tally.so

to:

/etc/pam.d/common-account

QUESTION: Can someone please confirm that this is the working/good way to lock users after 5 unsuccessful login tries? OR HOW TO DO THIS?

p.s.:

/sbin/pam_tally --user USERNAME --reset

is a useful thing to do before doing this? Can I lock out the root user with these? Editing PAM is a very sensitive thing, because people could lock themselves out of the server (I mean e.g. the root user). Any hints when doing this?

gasko peter
  • the tally module is the way to do it, but I would recommend pam_tally2 since the original one is fairly broken and non-intuitive. Also, root is open to being locked in such a way but you have to enable it via `no_magic_root` – Bratchley Jun 04 '13 at 14:39
  • BTW, I wouldn't recommend doing any locking on the root account, that's your escape hatch should something go wrong (like for example, with account locking) and attackers shouldn't have any direct vectors on it anyways. – Bratchley Jun 04 '13 at 14:42
  • Does SLES10 need no_magic_root too? – gasko peter Jun 04 '13 at 15:00
  • All GNU/Linux distros are based off the same basic set of upstream projects, so unless Novell made an effort to change their version of the pam_tally module in a way that would confuse people, it should be the same on SuSE as on other distros. – Bratchley Jun 04 '13 at 16:00
  • Are you sure this is a good idea? This way every user can easily prevent any other user from logging in. Using a high delay is IMO more practical, but decide yourself. – Marco Jun 04 '13 at 16:14

2 Answers


You might want to take a look at fail2ban. It can be configured to lock an account after a set number of failed attempts, and then unlock after a set period of time.

http://www.fail2ban.org/wiki/index.php/Downloads

If you're really serious about using pam_tally, you probably want to use pam_tally2 instead. Should be installed with any PAM package that's current. You can do a man pam_tally2 to see how to use it.

Here's an example to get you started. Add the following to the beginning of the auth section in the pam file, /etc/pam.d/password-auth:

auth        required      pam_tally2.so  file=/var/log/tallylog deny=3 even_deny_root unlock_time=1200

In the same file add this to the account section:

account     required      pam_tally2.so

The parameters above are as follows:

  • file=/var/log/tallylog – Default log file is used to keep login counts.
  • deny=3 – Deny access after 3 attempts and lock down user.
  • even_deny_root – Policy also applies to the root user.
  • unlock_time=1200 – 20 min. (60 sec. * 20 min. = 1200 sec.)

If you don't want to lock root out change even_deny_root to magic_root.

It's questionable if you'd want to lock out the root account. You might want to do something like this instead, where the root account can get locked out, but only for a shorter duration than other accounts:

auth        required      pam_tally2.so  file=/var/log/tallylog deny=3 even_deny_root unlock_time=1200 root_unlock_time=60

This will only lock the root account out for a minute, everyone else the normal 1200 seconds.

A sample log file would look as follows:

$ ssh me@somemachine
me@somemachine's password:
Permission denied, please try again.
me@somemachine's password:
Permission denied, please try again.
me@somemachine's password:
Account locked due to 4 failed logins
Account locked due to 5 failed logins
Last login: Mon Jun 4 21:21:06 2013 from someothermachine

You can inquire about locked accounts using the command pam_tally2:

$ pam_tally2 --user=me
Login           Failures  Latest    failure     From
me                   5    06/04/13  21:21:06    someothermachine

You can unlock the restriction like so:

$ pam_tally2 --user=me --reset
Login           Failures  Latest    failure     From
me                  5     06/04/13  21:21:06    someothermachine

Now the account shows up in pam_tally2 like so:

$ pam_tally2 --user=me
Login           Failures   Latest   failure     From
me                 0


slm

pam_tally2 initially confused me, but I figured it out after following man pam_tally2 -

  EXAMPLES
   Add the following line to /etc/pam.d/login to lock the account after 4 failed logins.
   Root account will be locked as well. The accounts will be automatically unlocked after
   20 minutes. The module does not have to be called in the account phase because the
   login calls pam_setcred(3) correctly.

   auth     required       pam_securetty.so
   auth     required       pam_tally2.so deny=4 even_deny_root unlock_time=1200
   auth     required       pam_env.so
   auth     required       pam_unix.so

the wording above is a little confusing, because you actually only add the pam_tally2.so line.

so you can either edit /etc/pam.d/login and add it below all the other auth lines:

   auth     required       pam_tally2.so deny=4 even_deny_root unlock_time=1200

or if you have /etc/pam.d/system-auth you can add it there.

no reboot or reloading of any service is required - it becomes active immediately for new local logins.

note: if you want pam_tally2 to apply to sshd or other remote services as well, you will also need to add the line to /etc/pam.d/sshd and/or /etc/pam.d/password-auth

to check that it's working, make a failed login attempt with a valid user, then run pam_tally2

for example, for a user named jacob run:

  $ sudo pam_tally2 -u jacob

and it will output something like:

  Login           Failures Latest   failure     From
  jacob           1        01/01/01 11:00:00    tty1

if too many login attempts fail and the account is locked, you can manually unlock the account:

  $ sudo pam_tally2 -u jacob --reset
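An added example, not from the question or either answer: a POSIX shell audit of a pam.d service file for the pam_tally2 options discussed on this page (deny, unlock_time, even_deny_root, root_unlock_time, and the account-phase line). It flags the two failure modes raised in the comments: a lockout with no unlock_time, which lets anyone who knows a login name keep that account locked until an administrator runs a manual reset, and a policy that locks root for as long as every other account. The two sample pam.d files are constructed for this example, and the function and file names (audit_tally, tally_auth_opts, password-auth.strict, password-auth.weak) are this example's own.

```shell
#!/bin/sh
# Added example, not from the original question or either answer: audit a
# pam.d service file for the pam_tally2 lockout options discussed above.
# Assumes the usual "type control module [options]" layout of /etc/pam.d/*
# and that the module is referenced as pam_tally2.so (with or without a path).

# Print the options of the first pam_tally2.so "auth" line, one per line.
# The module field is located by name, so a bracketed control value such as
# "[success=1 default=ignore]" does not shift the columns.
tally_auth_opts() {
    awk '$1 == "auth" {
             for (i = 2; i <= NF; i++)
                 if ($i ~ /(^|\/)pam_tally2\.so$/) {
                     for (j = i + 1; j <= NF; j++) print $j
                     exit
                 }
         }' "$1"
}

# Read key=value options on stdin and print the value of option NAME.
opt_value() {
    sed -n "s/^$1=//p" | head -n 1
}

# audit_tally FILE: print one finding per line; return 0 when the policy is
# complete (threshold set, automatic unlock, root handled), 1 otherwise.
audit_tally() {
    file=$1
    status=0
    opts=$(tally_auth_opts "$file")
    if [ -z "$opts" ]; then
        echo "MISSING: no pam_tally2.so auth line in $file"
        return 1
    fi
    deny=$(printf '%s\n' "$opts" | opt_value deny)
    unlock=$(printf '%s\n' "$opts" | opt_value unlock_time)
    root_unlock=$(printf '%s\n' "$opts" | opt_value root_unlock_time)

    if [ -z "$deny" ]; then
        echo "MISSING: deny= not set; failures are counted but access is never denied"
        status=1
    else
        echo "OK: lockout after $deny failed attempts"
    fi

    # Without unlock_time a locked account stays locked until an administrator
    # runs "pam_tally2 --user NAME --reset", so anyone who knows a login name
    # can keep that account unusable (the objection raised in the comments).
    if [ -z "$unlock" ]; then
        echo "WARN: no unlock_time; lockouts last until a manual --reset"
        status=1
    else
        echo "OK: accounts unlock automatically after $unlock seconds"
    fi

    # Root is the recovery path; if it can be locked at all, keep that short.
    if printf '%s\n' "$opts" | grep -qx even_deny_root; then
        if [ -z "$root_unlock" ]; then
            echo "WARN: even_deny_root without root_unlock_time; root is locked as long as any other account"
            status=1
        else
            echo "OK: root locks for only $root_unlock seconds"
        fi
    else
        echo "OK: root is exempt from lockout (no even_deny_root)"
    fi

    # The answers pair the auth line with an account-phase line, which clears
    # the tally after a successful login; note when this file lacks one.
    if ! awk '$1 == "account" {
                  for (i = 2; i <= NF; i++)
                      if ($i ~ /(^|\/)pam_tally2\.so$/) found = 1
              }
              END { exit !found }' "$file"; then
        echo "NOTE: no account-phase pam_tally2.so line in $file"
    fi
    return $status
}

# Constructed sample files for the demo (not taken from any real host).
sample_strict_pam() {
    cat <<'EOF'
#%PAM-1.0
auth        required      pam_tally2.so file=/var/log/tallylog deny=3 even_deny_root unlock_time=1200 root_unlock_time=60
auth        required      pam_unix.so
account     required      pam_tally2.so
account     required      pam_unix.so
EOF
}

sample_weak_pam() {
    cat <<'EOF'
#%PAM-1.0
auth        required      pam_tally2.so deny=5 even_deny_root
auth        required      pam_unix.so
account     required      pam_unix.so
EOF
}

# Stand-alone demo: audit both samples from a temporary directory.
demo() {
    dir=$(mktemp -d)
    sample_strict_pam > "$dir/password-auth.strict"
    sample_weak_pam > "$dir/password-auth.weak"
    for f in "$dir"/password-auth.*; do
        echo "== $f"
        if audit_tally "$f"; then echo "RESULT: policy complete"
        else echo "RESULT: needs attention"; fi
    done
    rm -rf "$dir"
}
demo
```

Run the script as-is to see both samples audited, or call audit_tally on a real file such as /etc/pam.d/password-auth or /etc/pam.d/login. On SLES the auth and account lines live in separate files (common-auth and common-account, as the question shows), so the account-phase NOTE fires whenever only common-auth is passed; that is expected there and not a finding.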