Faillock : Count consecutive auth failures
2025/01/03
Count consecutive authentication failures and lock users who exceed the threshold.
[1] Configure the PAM faillock module.

# confirm current authentication settings
[root@dlp ~]# authselect current
Profile ID: local
Enabled features:
- with-fingerprint
- with-pwhistory

# enable Faillock
[root@dlp ~]# authselect enable-feature with-faillock
[root@dlp ~]# authselect current
Profile ID: local
Enabled features:
- with-fingerprint
- with-pwhistory
- with-faillock

# pam_faillock is added to system-auth and password-auth
[root@dlp ~]# grep -n faillock /etc/pam.d/system-auth
8:auth        required      pam_faillock.so preauth silent
11:auth        required      pam_faillock.so authfail
14:account     required      pam_faillock.so
[root@dlp ~]# grep -n faillock /etc/pam.d/password-auth
8:auth        required      pam_faillock.so preauth silent
10:auth        required      pam_faillock.so authfail
13:account     required      pam_faillock.so

[root@dlp ~]# vi /etc/security/faillock.conf
# configure Faillock settings
# uncomment the lines you'd like to enable and change the parameters if needed
# line 10 : log the user name into the system log if the user is not found
# audit
# line 14 : do not print informative messages
# silent
# line 18 : do not log informative messages via syslog
# no_log_info
# line 27 : only track failed authentication attempts for local users,
#           ignore centralized users like AD, IdM, LDAP and others
# local_users_only
# line 32 : deny access once the number of consecutive authentication failures
#           reaches this value
# deny = 3
# line 38 : length of the interval (seconds) during which the consecutive
#           failures must happen for the user account to be locked
# fail_interval = 900
# line 45 : access is re-enabled N seconds after the lock out;
#           never re-enabled automatically if set to [unlock_time = 0]
# unlock_time = 600
# line 49 : the root account can be locked as well as regular accounts
# even_deny_root
# line 55 : root access is re-enabled N seconds after the lock out,
#           if [even_deny_root] is enabled
# root_unlock_time = 900
# line 62 : members of the group are handled the same as
#           [even_deny_root] + [root_unlock_time = N]
# admin_group = <admin_group_name>

The values shown in the commented lines (deny = 3, fail_interval = 900, unlock_time = 600) are also the built-in defaults pam_faillock applies while the lines stay commented out, so enabling the feature already locks an account after three failures within 15 minutes, for 10 minutes. A locked account (root included, if even_deny_root is on) comes back only after unlock_time has elapsed or after a manual reset as in [2]; with unlock_time = 0 the manual reset is the only way back, so keep another way in before setting it.
[2] Display a user's failed login records, or unlock a locked account manually, as follows.

# display failed login records for a user
[root@dlp ~]# faillock --user cent
cent:
When                Type  Source                                           Valid
2025-01-03 09:47:27 TTY   /dev/ttyS0                                       V
2025-01-03 09:47:32 TTY   /dev/ttyS0                                       V
2025-01-03 09:47:37 TTY   /dev/ttyS0                                       V

# unlock a locked account manually
[root@dlp ~]# faillock --user cent --reset

Running faillock with no --user lists the records of every user. The Valid column shows whether a record still counts towards deny (V) or has already been invalidated (I); only V records are used for the lock decision.
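How pam_faillock turns records like the ones above into a lock decision, as an added example that is not part of the original page and is not the module's own code: a Python model of the rule documented in pam_faillock(8). Only valid records within fail_interval of the newest failure count; the account is locked once that count reaches deny; access returns when unlock_time (root_unlock_time for root, and only when even_deny_root is set) has elapsed since the newest failure; unlock_time = 0 never re-enables automatically. The faillock.conf text and the tally text are constructed to mirror the output above, and state_at and the other function names are this example's own, not faillock options.

```python
"""Model of pam_faillock's lock decision (added example, not the module's code).

Assumes the counting rule from pam_faillock(8): only VALID records within
fail_interval of the most recent failure count; locked once they reach deny;
unlock_time (root_unlock_time for root with even_deny_root) re-enables access
after it has elapsed since the newest failure; unlock_time = 0 never does.
"""
from datetime import datetime, timedelta

# Defaults pam_faillock applies while the option stays commented out in faillock.conf
DEFAULTS = {"deny": 3, "fail_interval": 900, "unlock_time": 600,
            "even_deny_root": False, "root_unlock_time": 900}

# Constructed sample: the settings the page uncomments, in faillock.conf syntax
SAMPLE_CONF = """\
# constructed sample of /etc/security/faillock.conf
deny = 3
fail_interval = 900
unlock_time = 600
"""

# Constructed sample modelled on the `faillock --user cent` output above
SAMPLE_RECORDS = """\
cent:
When                Type  Source                                           Valid
2025-01-03 09:47:27 TTY   /dev/ttyS0                                       V
2025-01-03 09:47:32 TTY   /dev/ttyS0                                       V
2025-01-03 09:47:37 TTY   /dev/ttyS0                                       V
"""


def parse_faillock_conf(text):
    """Parse faillock.conf: `key = value` lines, bare flags, `#` comments."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in ("deny", "fail_interval", "unlock_time", "root_unlock_time"):
                conf[key] = int(value)
        elif line == "even_deny_root":
            conf["even_deny_root"] = True
    return conf


def parse_faillock_records(text):
    """Parse `faillock --user NAME` output into (timestamp, is_valid) tuples.

    Record lines look like `YYYY-MM-DD HH:MM:SS TYPE SOURCE V|I`; the user
    header and the column header have a different field count and are skipped.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[4] in ("V", "I"):
            when = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
            records.append((when, parts[4] == "V"))
    return records


def lock_state(records, conf, now, is_root=False):
    """Return (counted_failures, locked) for the account at time `now`."""
    valid_times = [when for when, valid in records if valid]
    if not valid_times:
        return 0, False
    latest = max(valid_times)
    window = timedelta(seconds=conf["fail_interval"])
    # Only failures within fail_interval of the most recent one count towards deny
    failures = sum(1 for when in valid_times if when + window >= latest)
    if failures < conf["deny"]:
        return failures, False
    if is_root and not conf["even_deny_root"]:
        return failures, False          # root is exempt unless even_deny_root is set
    unlock = conf["root_unlock_time"] if is_root else conf["unlock_time"]
    if unlock and latest + timedelta(seconds=unlock) < now:
        return failures, False          # lock has expired
    return failures, True               # unlock == 0: stays locked until `faillock --reset`


def state_at(records_text, conf_text, now_str, is_root=False):
    """Evaluate tally text against conf text at the given `YYYY-MM-DD HH:MM:SS`."""
    now = datetime.strptime(now_str, "%Y-%m-%d %H:%M:%S")
    return lock_state(parse_faillock_records(records_text),
                      parse_faillock_conf(conf_text), now, is_root)


if __name__ == "__main__":
    for now in ("2025-01-03 09:48:00", "2025-01-03 09:57:37", "2025-01-03 09:58:00"):
        print(now, state_at(SAMPLE_RECORDS, SAMPLE_CONF, now))
```

With the page's three failures five seconds apart, cent is locked at 09:48:00 and stays locked until 09:47:37 plus unlock_time has passed; the same records with the first failure moved back to 09:00:00 count as only two failures, because that one falls outside fail_interval of the newest, and no lock results.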