Lock Out Account After 3 Failures

Home » CentOS » Lock Out Account After 3 Failures
CentOS 3 Comments

I’m looking to configure a CentOS 7 server to lock out anaccount after 3 login failures.

I’ve followed this

 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-Security_Guide-Securing_Your_Network.html#sect-Security_Guide-Workstation_Security-Administrative_Controls

 

Section2.1.9.5 Account Locking

 
And even rebooted the serverbut it doesn’t lock my test account out.

login as: test

test@X’s password:

Access denied

test@X’s password:

Access denied

test@X’s password:

Access denied

test@X’s password:

Access denied

test@X’s password:

Last failed login: Wed Mar 15 15:44:37 GMT 2017 fromXXXXXX on ssh:notty

There were 4 failed login attempts since the lastsuccessful login.

Last login: Wed Mar 15 15:14:05 2017 from YYYYYYYYYYYYY

[test]$

 
Meanwhile the secure log also shows

Mar 15 15:44:27 testbox sshd[4051]: pam_unix(sshd:auth): authenticationfailure; logname= uid=0 euid=0 tty=ssh ruser= rhost=YYYYYYYY  user=test

Mar 15 15:44:29 testbox sshd[4051]: Failed password fortest from X port 57118 ssh2

Mar 15 15:44:29 testbox sshd[4051]: Failed password fortest from X port 57118 ssh2

Mar 15 15:44:33 testbox sshd[4051]: Failed password fortest from X port 57118 ssh2

Mar 15 15:44:35 testbox sshd[4051]:pam_faillock(sshd:auth): Consecutive login failures for user test accounttemporarily locked

Mar 15 15:44:37 testbox sshd[4051]: Failed password fortest from X port 57118 ssh2

Mar 15 15:44:44 testbox sshd[4051]: Accepted password fortest from X port 57118 ssh2

Mar 15 15:44:44 testbox sshd[4051]:pam_unix(sshd:session): session opened for user test by (uid=0)

 
Ie  I can deliberately mangle the password three times,secure log shows the account has been locked out, but then I can immediatelystill log in.

 

 

 

 

Has anybody a link to a configuration that works?cheers

 
ian

3 thoughts on - Lock Out Account After 3 Failures

  • We use pam_tally2 for this, and it works well. There is a pam_tally2
    executable that you can run to look at what accounts are locked and how many failures, as well as reset the lockout.


    Jonathan Billings

  • HI all – its sorted. what I found is imperative is that the tally2 line MUST be the secoind lne in the system-auth and password-auth files, after the “env.so” line all good ian

    From: Gordon Messmer
    To: CentOS mailing list
    Sent: Friday, 17 March 2017, 17:15
    Subject: Re: [CentOS] lock out account after 3 failures

    Can you send the /etc/pam.d/system-auth that you used for your test?

LEAVE A COMMENT