SSH Security: Lock Failed Login Attempts with pam_faillock

The pam_tally2 module, once used to lock user accounts after a set number of failed SSH login attempts, has been deprecated and replaced by pam_faillock in RHEL-based and other modern Linux distributions, because pam_faillock offers more flexibility and more security options.

Previously, the pam_tally2 module was responsible for counting failed login attempts and locking accounts. However, as part of security improvements, pam_faillock has become the standard for managing failed login attempts in newer Linux versions by providing better integration and more configuration options.

Transition from pam_tally2 to pam_faillock

While pam_tally2 consisted of two parts – pam_tally2.so and the pam_tally2 command – it has been phased out in favor of pam_faillock, which is designed to handle login attempts in a more secure and flexible way.

pam_faillock offers similar functionality but with improvements such as:

  • Enhanced logging and reporting of failed attempts.
  • Better handling of account lockout policies.
  • Support for configurable limits on failed login attempts and automatic account unlocking after a timeout.

This article demonstrates how to configure SSH account lockouts using the pam_faillock module after a certain number of failed login attempts.

How to Lock and Unlock User Accounts with pam_faillock

Open the PAM configuration files /etc/pam.d/password-auth and /etc/pam.d/sshd (which of them applies depends on your distribution and the service you are configuring).

sudo vi /etc/pam.d/password-auth
sudo vi /etc/pam.d/sshd

Add the following lines to the beginning of the auth section to configure failed login attempt policies:

auth        required      pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=1200
auth        [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=1200

Add the following line to the account section to enable account management for login failures:

account     required      pam_faillock.so

Explanation of Parameters:

  • deny=3: Deny access after 3 failed attempts.
  • even_deny_root: Apply the policy to the root user as well.
  • unlock_time=1200: Automatically unlock the account after 20 minutes (1200 seconds). Remove this option if you want the account to remain locked until manually reset.
  • audit: Logs failed login attempts to the system audit log.

Now open the /etc/security/faillock.conf file and specify how many failed attempts will trigger a lockout and the duration of the lockout period.

# Number of allowed failures before lockout
deny = 5

# Lockout duration in seconds (900 seconds = 15 minutes)
unlock_time = 900

# Directory holding the per-user failure records
# Optional: uncomment to change where faillock information is stored
# dir = /var/run/faillock

Next, open the /etc/ssh/sshd_config file and enable the following setting to use PAM for SSH authentication.

UsePAM yes

To apply the changes, restart the SSH service:

sudo systemctl restart sshd

How to Test SSH Account Lockout Functionality

After saving the above configuration, you can test the login lockout mechanism by making 3 failed login attempts to the SSH server.

ssh [email protected]

[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Account locked due to 3 failed logins

How to Check User SSH Login Failures

To check the failed login attempts for a specific user, use the following command:

sudo faillock --user username

Example output:

Login           Failures  Latest failure     From
user                3     10/17/2024 14:15   192.168.0.5

How to Reset or Unlock a User Account

To reset the failed attempts and unlock the user account, use the following command:

sudo faillock --user username --reset

This command clears the failed attempt count and unlocks the user.

Verifying User Account is Unlocked

You can confirm that the account is unlocked by running the faillock command again:

sudo faillock --user username

If there are no failed login attempts, the output will be empty, indicating that the user account is unlocked.
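The following is an added example, not part of the original article: it parses output laid out like the faillock table shown above and applies the deny/unlock_time semantics described in this article to decide whether an account is still locked and for how long. The sample output and the "current time" are constructed values.

```python
from datetime import datetime, timedelta
from typing import NamedTuple, Optional

# Constructed sample, following the column layout the article shows for
# `sudo faillock --user`; the values are made up for this example.
SAMPLE_OUTPUT = """\
Login           Failures  Latest failure     From
user                3     10/17/2024 14:15   192.168.0.5
"""

class FailRecord(NamedTuple):
    login: str
    failures: int
    latest: datetime
    source: str

def parse_faillock(text: str) -> list[FailRecord]:
    """Parse the tabular output into records; the header line is skipped."""
    records = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue  # blank line or unexpected layout
        login, failures, date, clock, source = parts[:5]
        latest = datetime.strptime(f"{date} {clock}", "%m/%d/%Y %H:%M")
        records.append(FailRecord(login, int(failures), latest, source))
    return records

def lock_state(rec: FailRecord, now: datetime, deny: int, unlock_time: Optional[int]):
    """Return (locked, seconds_until_auto_unlock).

    Policy semantics as in the article: the account locks once failures reach
    `deny`; with unlock_time (seconds) the lock expires that long after the
    latest failure, otherwise it stays locked until `faillock --reset`.
    """
    if rec.failures < deny:
        return False, 0
    if unlock_time is None:
        return True, None  # manual reset required
    expires = rec.latest + timedelta(seconds=unlock_time)
    remaining = int((expires - now).total_seconds())
    return (remaining > 0), max(remaining, 0)

if __name__ == "__main__":
    now = datetime(2024, 10, 17, 14, 25)  # constructed "current time"
    for rec in parse_faillock(SAMPLE_OUTPUT):
        locked, remaining = lock_state(rec, now, deny=3, unlock_time=1200)
        print(f"{rec.login}: locked={locked}, seconds until auto-unlock={remaining}")
```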

Conclusion

In conclusion, the pam_faillock module provides an improved and more secure way to manage failed login attempts, replacing the now-deprecated pam_tally2. Make sure to update your PAM configuration files to use pam_faillock to stay current with best practices and security standards.

For more information, consult the pam_faillock manual page from the command line:

man pam_faillock
