How to Secure SSH with pam_faillock: Lockout Failed Login Attempts

by admin 0 Comments

Linux
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn

The pam_tally2 module, once used to lock user accounts after a certain number of failed SSH login attempts, has been deprecated and replaced by pam_faillock in RHEL-based distributions and other modern Linux distributions, due to more flexibility and security options.

Previously, the pam_tally2 module was responsible for counting failed login attempts and locking accounts. However, as part of security improvements, pam_faillock has become the standard for managing failed login attempts in newer Linux versions by providing better integration and more configuration options.

Transition from pam_tally2 to pam_faillock

While pam_tally2 consisted of two parts – pam_tally2.so and the pam_tally2 command – it has been phased out in favor of pam_faillock, which is designed to handle login attempts in a more secure and flexible way.

pam_faillock offers similar functionality but with improvements such as:

  • Enhanced logging and reporting of failed attempts.
  • Better handling of account lockout policies.
  • Support for configurable limits on failed login attempts and automatic account unlocking after a timeout.

This article demonstrates how to configure SSH account lockouts using the pam_faillock module after a certain number of failed login attempts.

How to Lock and Unlock User Accounts with pam_faillock

Open the both PAM configuration files /etc/pam.d/password-auth and /etc/pam.d/sshd, depending on your system and the service you’re configuring.

sudo vi /etc/pam.d/password-auth
sudo vi /etc/pam.d/sshd

Add the following lines to the beginning of the auth section to configure failed login attempt policies:

auth        required      pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=1200
auth        [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=1200

Add the following line to the account section to enable account management for login failures:

account     required      pam_faillock.so

Explanation of Parameters:

  • deny=3: Deny access after 3 failed attempts.
  • even_deny_root: Apply the policy to the root user as well.
  • unlock_time=1200: Automatically unlock the account after 20 minutes (1200 seconds). Remove this option if you want the account to remain locked until manually reset.
  • audit: Logs failed login attempts to the system audit log.

Now open the /etc/security/faillock.conf file and specify how many failed attempts will trigger a lockout and the duration of the lockout period.

# Number of allowed failures before lockout
deny = 5

# Lockout duration in minutes
unlock_time = 15

# Path to the faillock database
# Optional: You can specify where to store faillock information
# faillock_path = /var/lib/faillock

Next, open the /etc/ssh/sshd_config file and enable the following setting to use PAM for SSH authentication.

UsePAM yes

To apply the changes, restart the SSH service:

sudo systemctl restart sshd

How to Test SSH Account Lockout Functionality

After saving the above configuration, you can test the login lockout mechanism by making 3 failed login attempts to the SSH server.

ssh [email protected]

[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Account locked due to 3 failed logins

How to Check User SSH Login Failures

To check the failed login attempts for a specific user, use the following command:

sudo faillock --user username

Example output:

Login           Failures  Latest failure     From
user                3     10/17/2024 14:15   192.168.0.5

How to Reset or Unlock a User Account

To reset the failed attempts and unlock the user account, use the following command:

sudo faillock --user username --reset

This command clears the failed attempt count and unlocks the user.

Verifying User Account is Unlocked

You can confirm that the account is unlocked by running the faillock command again:

sudo faillock --user username

If there are no failed login attempts, the output will be empty, indicating that the user account is unlocked.

Conclusion

In conclusion, the pam_faillock module provides an improved and more secure way to manage failed login attempts, replacing the now-deprecated pam_tally2. Make sure to update your PAM configuration files to use pam_faillock to stay current with best practices and security standards.

For more information, you can use the man pam_faillock from the command line.

man pam_faillock
This article was originally published by Tecmint.com. Read the original article here.
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn

Products You May Like

Articles You May Like

6 Tips for Breathtaking Church and Cathedral Photography
Realme GT 7 Pro Launch Confirmed for October; May Get a Large 6,500mAh Battery
Elon Musk’s X Gets Approval to Resume Service in Brazil After Bending to Top Court’s Demands
After iOS, WhatsApp Now Rolling Out Messenger-Like Chat-Specific Theme Support on Android
iOS 18.1 Developer Beta 7 Update for iPhone Rolls Out Ahead of Stable Release Later This Month

Leave a Reply

Your email address will not be published. Required fields are marked *