March 2024
M T W T F S S
 123
45678910
11121314151617
18192021222324
25262728293031

Categories

March 2024
M T W T F S S
 123
45678910
11121314151617
18192021222324
25262728293031

How to block ssh users after 3 failed login attempts using pam_tally2.so

ock user login after failed login attempts in Red Hat 6.x and CentOS 6.x

Earlier in RedHat based distro we used to setup pam_tally.so for locking the user login after some failed login attempts.

Now in Red Hat 6.x and CentOS 6.x we will use pam_tally2.so .

# cd /etc/pam.d
# cp -p password-auth-ac password-auth-ac.bak
# vi system-auth

note:password-auth is softlink of original file password-auth-ac . ls -la password-auth

Now add these two lines in password-auth-ac or password-auth

auth required pam_tally2.so deny=3 unlock_time=36000 audit

account required pam_tally2.so

Below is the sample of my system’s password-auth file.

[root@localhost ~]# cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_tally2.so deny=3 unlock_time=36000 audit
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account required pam_tally2.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
[root@localhost ~]#

By default the failed logs are saved in /var/log/tallylog

To see user’s no. of failed attempts,command is –

pam_tally2 -u username

To reset failed login log(like faillog -u username -r), use below command

pam_tally2 -u username –reset

To know what are the options you can use with pam_tally2.so .Read the file from below given path.

cat /usr/share/doc/pam-1.1.1/txts/README.pam_tally2

Leave a Reply

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>