Locking accounts after a specific number of failed logins
About this task
The pam_tally module can be used to help improve security on the system by locking a user account after a given number of failed logins. Follow this procedure if you want to lock user accounts after a specific number of failed logins and have them automatically unlocked after a period of time. Do not use this procedure if you need to implement a US DOD Security Technical Implementation Guide (STIG) configuration. For more information on implementing a STIG configuration, refer to EMC VNX Using nas_stig Utility on VNX Technical Notes P/N 300-013-819.
Steps
There are two lines that must be added to specific places in the /etc/pam.d/system-auth file to enable pam_tally. To restrict the user to <n> failed logins and unlock after <m> seconds:
Add the line
auth required pam_tally.so per_user deny=<n> unlock_time=<m> onerr=fail
after the line
auth required pam_env.so
and add the line
account required pam_tally.so
after the line
account required pam_unix.so
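Added example (not part of the EMC VNX documentation): a POSIX shell function that applies the two edits above to a given copy of system-auth, refusing to run if pam_tally is already configured or either anchor line is missing, and keeping a backup first. The make_sample file layout is a constructed, simplified system-auth used only for demonstration.

```shell
#!/bin/sh
# enable_pam_tally <file> <n> <m>
# Inserts the pam_tally auth line after "auth required pam_env.so" and the
# pam_tally account line after "account required pam_unix.so", as the
# procedure above describes. onerr=fail means a login is denied if the
# tally file cannot be read, so a backup is kept to recover from mistakes.
enable_pam_tally() {
    file="$1"; deny="$2"; unlock="$3"
    # Refuse to run twice; duplicate pam_tally lines double-count failures
    if grep -q 'pam_tally.so' "$file"; then
        echo "pam_tally already configured in $file" >&2
        return 1
    fi
    # Both anchor lines must exist or the new lines would land nowhere
    grep -q '^auth[[:space:]]*required[[:space:]]*pam_env.so' "$file" || return 2
    grep -q '^account[[:space:]]*required[[:space:]]*pam_unix.so' "$file" || return 2
    cp "$file" "$file.bak"
    awk -v deny="$deny" -v unlock="$unlock" '
        { print }
        /^auth[ \t]+required[ \t]+pam_env\.so/ {
            printf "auth        required      pam_tally.so per_user deny=%s unlock_time=%s onerr=fail\n", deny, unlock
        }
        /^account[ \t]+required[ \t]+pam_unix\.so/ {
            print "account     required      pam_tally.so"
        }
    ' "$file.bak" > "$file"
}

# Number of pam_tally lines in the file; 2 after a successful edit
count_tally_lines() { grep -c 'pam_tally.so' "$1"; }

# Constructed sample system-auth (simplified) to demonstrate the edit
make_sample() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
session     required      pam_unix.so
EOF
}
```

Run it against a copy of the file first and compare with diff; the auth line must sit before pam_unix.so in the auth stack so the lockout check happens before the password check.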
Results
After the changes, the /etc/pam.d/system-auth file should look similar to the following file, which restricts users to three failed logins with a one hour unlock time.