Rocky_Linux_8
Sponsored Link

Faillock : Count consecutive auth failures
2021/08/26
 
Count consecutive authentication failures and Lock users who are over the threshold.
[1] Configure PAM Faillock module.
# confirm current authentication settings

[root@dlp ~]#
authselect current

Profile ID: sssd
Enabled features:
- with-fingerprint
- with-silent-lastlog

# enable Faillock

[root@dlp ~]#
authselect enable-feature with-faillock

Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.
[root@dlp ~]#
authselect current

Profile ID: sssd
Enabled features:
- with-fingerprint
- with-silent-lastlog
- with-faillock

# pam_faillock is added in system-auth and password-auth

[root@dlp ~]#
grep -n faillock /etc/pam.d/system-auth

 6:auth        required                                     pam_faillock.so preauth silent
13:auth        required                                     pam_faillock.so authfail
16:account     required                                     pam_faillock.so

[root@dlp ~]#
grep -n faillock /etc/pam.d/password-auth

 6:auth        required                                     pam_faillock.so preauth silent
12:auth        required                                     pam_faillock.so authfail
15:account     required                                     pam_faillock.so

[root@dlp ~]#
vi /etc/security/faillock.conf
# configure Faillock settings

# comment out following lines you'd like to enable and also change parameters if need
# line 10 : log the user name into the system log if the user is not found

# audit
# line 14 : do not print informative messages

# silent
# line 18 : do not log informative messages via syslog

# no_log_info
# line 27 : only track failed user authentications attempts for local users

# ignore centralized users like AD, Idm, LDAP and others

# local_users_only
# line 32 : deny access if the number of consecutive authentication failures

# deny = 3
# line 38 : length of the interval during which the consecutive auth failures must happen for the user account

# fail_interval = 900
# line 45 : access will be reenabled after N seconds after the lock out

# never reenabled automatically if set [unlock_time = 0]

# unlock_time = 600
# line 49 : root account can become locked as well as regular accounts

# even_deny_root
# line 55 : access of root will be reenabled after N seconds after the lock out if enabled [even_deny_root]

# root_unlock_time = 900
# line 62 : members of the group will be handled the same as [even_deny_root] + [root_unlock_time = N]

# admin_group = <admin_group_name>
[2] Display user accounts' failed login counts or unlock a locked account manually like follows.
# display failed login counts for a user

[root@dlp ~]#
faillock --user rocky

rocky:
When                Type  Source                                           Valid
2021-08-17 10:59:50 TTY   ttyS0                                                V
2021-08-17 10:59:54 TTY   ttyS0                                                V
2021-08-17 10:59:59 TTY   ttyS0                                                V

# unlock a locked account manually

[root@dlp ~]#
faillock --user rocky --reset
Matched Content