pam_tally2 module (Method 1)

Lock a user account after repeated failed SSH login attempts. pam_tally2 keeps a per-user count of failed authentication attempts and denies access once the count reaches a configured threshold. Note that pam_tally2 was removed from Linux-PAM in release 1.5.0; on current distributions use pam_faillock (Method 2) instead.


Configure the lockout in /etc/pam.d/system-auth or /etc/pam.d/password-auth (on RHEL/CentOS 6, /etc/pam.d/sshd includes password-auth, so that file governs SSH logins; system-auth covers local logins). Both files are regenerated by authconfig, which overwrites manual edits. Add the following lines to the auth and account sections; deny=3 locks the account after three failures and unlock_time=600 lifts the lock automatically after 600 seconds:

auth     required   pam_tally2.so deny=3 unlock_time=600
account  required   pam_tally2.so


The auth line must come before auth sufficient pam_unix.so in the auth stack (normally the second line, right after pam_env.so). If it is placed after pam_unix.so, a correct password satisfies the sufficient line first and pam_tally2 is never consulted, so the user can still log in after more than three failures.

To apply the limit to root as well, add even_deny_root to the auth line. Be aware that with this option anyone who can reach sshd can lock root out until unlock_time expires:

auth     required   pam_tally2.so deny=3 even_deny_root unlock_time=600

pam_tally2 command

View a user's failure count:

pam_tally2 -u test
Login           Failures Latest failure     From
test                1    06/20/17 14:18:19

Unlock the user (reset the counter to zero):

pam_tally2 -u test -r

pam_faillock module (Method 2)

In Red Hat Enterprise Linux 6, the pam_faillock PAM module lets the system administrator lock user accounts after a specified number of failed login attempts. Limiting the number of login attempts is primarily a security measure intended to slow down brute-force attacks on users' passwords.

pam_faillock stores the failed-login attempt data in a separate file for each user under the /var/run/faillock directory.


Add the following lines to the corresponding auth and account sections of /etc/pam.d/system-auth and /etc/pam.d/password-auth:

auth     required      pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth     sufficient    pam_unix.so nullok try_first_pass
auth     [default=die] pam_faillock.so authfail audit deny=3
account  required      pam_faillock.so


The pam_faillock.so preauth line must be the first lockout entry in the auth stack, placed before pam_unix.so: it refuses the attempt up front when the account is already locked. The authfail line goes after pam_unix.so so that a failed password check is recorded, and its [default=die] control ends the stack immediately. Keep deny= and unlock_time= identical on the preauth and authfail lines (unlock_time defaults to 600 seconds when omitted, so the two lines above agree).

To include root, add even_deny_root to both pam_faillock.so auth lines (preauth and authfail).
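Both methods depend on the same ordering rule: the lockout line has to precede pam_unix.so in the auth stack. The script below is an added example, not code from the original page or from Linux-PAM; it audits a PAM service file for that rule and reports the configured deny= value. The function names pam_lockout_order and pam_lockout_deny and the two sample stacks (GOOD_STACK, BAD_STACK) are constructed for the demonstration and do not come from any real host.

```shell
#!/bin/sh
# Added example, not code from the original page: audit a PAM service file
# for the ordering rule both methods rely on. The lockout line
# (pam_tally2.so, or the pam_faillock.so preauth line) must appear in the
# "auth" stack BEFORE pam_unix.so; otherwise a correct password satisfies
# the sufficient pam_unix.so line first and the lockout is never consulted.
# Usage: pam_lockout_order /etc/pam.d/password-auth; echo $?

pam_lockout_order() {
    # $1: path to a PAM service file. Prints a verdict; returns 0 when the
    # ordering is correct and 1 otherwise.
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blanks
        $1 == "auth" {
            n++; mod = ""
            for (i = 2; i <= NF; i++)            # module = first field ending in .so
                if ($i ~ /\.so$/) { mod = $i; break }
            sub(/.*\//, "", mod)                 # drop any directory prefix
            if (mod == "pam_unix.so" && unix_pos == 0) unix_pos = n
            if (mod == "pam_tally2.so" || (mod == "pam_faillock.so" && $0 ~ /preauth/)) {
                if (lock_pos == 0) lock_pos = n
            }
        }
        END {
            if (lock_pos == 0) { print "FAIL: no lockout module in the auth stack"; exit 1 }
            if (unix_pos == 0) { print "FAIL: no pam_unix.so in the auth stack"; exit 1 }
            if (lock_pos > unix_pos) { print "FAIL: lockout line comes after pam_unix.so"; exit 1 }
            print "OK: lockout line precedes pam_unix.so"
        }
    ' "$1"
}

pam_lockout_deny() {
    # $1: PAM service file. Prints the deny=N value of the first lockout
    # auth line, or nothing if no deny= option is set.
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == "auth" && /pam_(tally2|faillock)\.so/ {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^deny=/) { sub(/^deny=/, "", $i); print $i; exit }
        }
    ' "$1"
}

# Constructed sample stacks for the demo below (not copied from any real host).
GOOD_STACK='auth     required   pam_env.so
auth     required   pam_tally2.so deny=3 unlock_time=600
auth     sufficient pam_unix.so nullok try_first_pass
account  required   pam_tally2.so
account  required   pam_unix.so'

BAD_STACK='auth     required   pam_env.so
auth     sufficient pam_unix.so nullok try_first_pass
auth     required   pam_tally2.so deny=3 unlock_time=600
account  required   pam_unix.so'

demo_file=$(mktemp)
for stack in "$GOOD_STACK" "$BAD_STACK"; do
    printf '%s\n' "$stack" > "$demo_file"
    if pam_lockout_order "$demo_file"; then
        echo "  deny threshold: $(pam_lockout_deny "$demo_file")"
    else
        echo "  fix the ordering before relying on the lockout"
    fi
done
rm -f "$demo_file"
```

Run it against /etc/pam.d/system-auth and /etc/pam.d/password-auth after editing, and again after any authconfig run, since authconfig rewrites both files.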

faillock command

See the failed attempts recorded for each user (run as root; the Source column, empty in this capture, holds the remote host for RHOST records):

$ faillock
When                Type  Source           Valid
2017-06-20 14:29:05 RHOST                  V
2017-06-20 14:29:14 RHOST                  V
2017-06-20 14:29:17 RHOST                  V

Unlock a user's account (clear the recorded failures):

faillock --user <username> --reset
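Run as root with no --user argument, faillock prints every user under /var/run/faillock as a "user:" header followed by the When/Type/Source/Valid table shown above. The script below is an added example, not code from the original page or from the faillock tool; it summarises that output and lists the users whose count of still-valid (V) rows has reached the deny threshold. The function name faillock_locked_users and the SAMPLE_FAILLOCK text are constructed for the demonstration (addresses are from the 192.0.2.0/24 documentation range). It is a summary only and does not apply fail_interval the way pam_faillock itself does.

```shell
#!/bin/sh
# Added example, not code from the original page: summarise the output of
# `faillock` run as root with no --user argument, which prints every user
# in /var/run/faillock as a "user:" header followed by a
# When/Type/Source/Valid table, and list the users whose count of
# still-valid (V) failures has reached the deny threshold. Rows marked I
# (invalid) are ones faillock no longer counts, so they are skipped here too.

faillock_locked_users() {
    # $1: deny threshold. Reads faillock output on stdin and prints
    # "user count" for each user with count >= threshold, sorted by user.
    awk -v deny="$1" '
        /^[^ \t]+:$/ { user = substr($1, 1, length($1) - 1); count[user] += 0; next }
        $1 == "When" || NF == 0 { next }       # column header or blank line
        user != "" && $NF == "V" { count[user]++ }
        END {
            for (u in count)
                if (count[u] >= deny) printf "%s %d\n", u, count[u]
        }
    ' | sort
}

# Constructed sample output (not captured from a real system).
SAMPLE_FAILLOCK='test:
When                Type  Source                                           Valid
2017-06-20 14:29:05 RHOST 192.0.2.10                                       V
2017-06-20 14:29:14 RHOST 192.0.2.10                                       V
2017-06-20 14:29:17 RHOST 192.0.2.10                                       V
alice:
When                Type  Source                                           Valid
2017-06-20 14:31:00 RHOST 192.0.2.11                                       V
2017-06-20 14:40:00 RHOST 192.0.2.11                                       I'

# Demo: with deny=3 only "test" has reached the threshold.
printf '%s\n' "$SAMPLE_FAILLOCK" | faillock_locked_users 3
```

On a live host replace the printf with `faillock | faillock_locked_users 3`, using the same deny value as the pam_faillock.so lines, to get a quick list of accounts that will be refused at preauth.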


