Mar
RHEL 5 Failed Login Locks
Posted by packetmad as Daemons, Linux, OS, ssh
In /etc/pam.d/system-auth:
auth required pam_env.so
auth required pam_tally.so onerr=fail deny=3 <-- Need tally to record failures
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_tally.so reset <-- Tally line needed here too; reset clears the count on a successful login
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
Then you need to run a couple of commands to activate everything.
Set lock out at 3 failed login attempts:
faillog -m 3
Exclude root from this lockout mechanism:
faillog -u root -m 0
To enforce failed login lockout after adding a user:
faillog -u {username} -m 3
If a user should fail to login 3 times, you must reset their tally before they will be able to login again:
faillog -u {username} -r
Set a new user’s failed login limit:
faillog -u {username} -m {number}
In sshd_config you can set MaxAuthTries to your lockout number minus 1 if desired.
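An added audit script, not from the original post, that checks both halves of this setup: the first function verifies that a system-auth file contains the auth and account pam_tally.so lines and reports the deny value; the second parses faillog output and lists users whose failure count has reached their maximum, skipping accounts whose maximum is 0 (as root is after faillog -u root -m 0). The sample system-auth and faillog text below are constructed, and the faillog column layout (Login, Failures, Maximum, Latest, On) is assumed to match the RHEL 5 shadow-utils output.

```shell
#!/bin/sh
# Added example, not part of the original post. Audit helpers for the
# pam_tally/faillog lockout described above. Both functions read stdin, so
# they run offline on the constructed samples below or on a real box with
#   check_pam_tally < /etc/pam.d/system-auth
#   faillog -a | locked_users
set -e

# Verify that system-auth has both pam_tally lines the post requires:
#   auth    required pam_tally.so ... deny=N
#   account required pam_tally.so ...
# Prints N and returns 0 when both are present, returns 1 otherwise.
check_pam_tally() {
    awk '
        $1=="auth"    && $3=="pam_tally.so" {
            for (i = 4; i <= NF; i++)
                if ($i ~ /^deny=/) { sub(/^deny=/, "", $i); deny = $i }
        }
        $1=="account" && $3=="pam_tally.so" { acct = 1 }
        END { if (deny == "" || !acct) exit 1; print deny }'
}

# Parse faillog output and print "user failures/maximum" for every account
# whose failures have reached its maximum. A maximum of 0 means "no limit"
# (the root exemption from the post), so those accounts are never listed.
locked_users() {
    awk 'NR == 1 || NF < 3 { next }                  # header and blank lines
         $3+0 > 0 && $2+0 >= $3+0 { printf "%s %d/%d\n", $1, $2, $3 }'
}

# Constructed sample of a system-auth file (only the lines that matter here).
SAMPLE_SYSTEM_AUTH='auth required pam_env.so
auth required pam_tally.so onerr=fail deny=3
auth sufficient pam_unix.so nullok try_first_pass
account required pam_tally.so reset
account required pam_unix.so'

# Constructed sample of "faillog -a" output (layout assumed, see lead-in).
SAMPLE_FAILLOG='Login       Failures Maximum Latest                   On

root            0        0   12/31/69 19:00:00 -0500
usera           3        3   03/12/09 10:15:02 -0500  ssh
userb           1        3   03/12/09 10:16:40 -0500  ssh
svcacct         7        0   03/12/09 09:00:00 -0500  ssh'

# Usage on the samples: report the configured deny value (and the matching
# MaxAuthTries suggestion from the post), then the accounts currently locked.
if deny_val=$(printf '%s\n' "$SAMPLE_SYSTEM_AUTH" | check_pam_tally); then
    echo "pam_tally configured, deny=$deny_val (sshd MaxAuthTries could be $((deny_val - 1)))"
else
    echo "pam_tally lockout is NOT fully configured in system-auth" >&2
fi
printf '%s\n' "$SAMPLE_FAILLOG" | locked_users
```

Run it on a real system by piping /etc/pam.d/system-auth into check_pam_tally and `faillog -a` into locked_users; a listed user is one whose tally must be cleared with faillog -u {username} -r before they can log in again.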
2 comments so far
RHEL 5.3 pam_tally.so not resetting failed logins
I still can’t get my configuration working with openssh and pam_tally. I have it locking ok, but it will not reset on successful login. The latest version does not have the “reset” option as above, and instead should do it by default, and only has a “no_reset” option.
Worse, when a user logs in successfully, it increments the failed attempts each time! So even with successful logins the user will eventually be locked out!
[SOLVED] pam_tally.so not resetting failed logins
On a RHEL5.3 box I have my /etc/pam.d/system-auth file just like yours above, however even when a user, say usera, logs in successfully via ssh, faillog shows an incremented login failure count.
However if I login with another user, say userb (which will now have a failed login attempt even though login was successful just like usera above), and then su to usera, faillog will clear out any and all failed login attempts for usera.
It appears su will reset the account after a successful login attempt while using ssh does not. Any suggestions for getting ssh to interact with pam_tally successfully?
[SOLVED]
Not using openssh. Using Reflections for Secure IT SSH. Either it doesn't work properly with pam_tally.so or I have not configured it correctly. However the system-auth file provided works with openssh.