
Faillock : Limit consecutive failed logins (Debian 12 bookworm, 2024/06/20)

 

Count consecutive authentication failures and lock out users who exceed the threshold.

[1] Configure PAM Faillock module.
root@dlp:~#
vi /etc/pam.d/common-auth
# line 17 : add lines as follows (the preauth line must come before pam_unix.so, authfail and authsucc after it)

# here are the per-package modules (the "Primary" block)
auth    required                        pam_faillock.so preauth
auth    [success=1 default=ignore]      pam_unix.so nullok
auth    [default=die]                   pam_faillock.so authfail
auth    sufficient                      pam_faillock.so authsucc
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional                        pam_cap.so
# end of pam-auth-update config

root@dlp:~#
vi /etc/pam.d/common-account
# line 17 : add a line as follows (before pam_unix.so)

# here are the per-package modules (the "Primary" block)
account required                        pam_faillock.so
account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so
# here's the fallback if no module succeeds
account requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)

root@dlp:~#
vi /etc/security/faillock.conf
# configure Faillock settings
# uncomment the lines you'd like to enable and change their parameters if needed
# line 10 : log the user name into the system log if the user is not found

# audit
# line 14 : do not print informative messages

# silent
# line 18 : do not log informative messages via syslog

# no_log_info
# line 27 : only track failed authentication attempts for local users
# (ignore centralized users from AD, IdM, LDAP and other directories)

# local_users_only
# line 32 : deny access once this many consecutive authentication failures occur within the interval

# deny = 3
# line 38 : length of the interval (in seconds) during which the consecutive auth failures must happen for the user account to be locked out

# fail_interval = 900
# line 45 : access will be re-enabled N seconds after the lock out
# with [unlock_time = 0] access is never re-enabled automatically; a manual reset (see [2]) is required

# unlock_time = 600
# line 49 : root account can become locked as well as regular accounts

# even_deny_root
# line 55 : if [even_deny_root] is enabled, root's access will be re-enabled N seconds after the lock out

# root_unlock_time = 900
# line 62 : members of this group are handled like root, i.e. as with [even_deny_root] + [root_unlock_time = N]

# admin_group = <admin_group_name>
[2] Display user accounts' failed login counts, or unlock a locked account manually, as follows.
# run without arguments to display the failure records of all users

root@dlp:~#
faillock

debian:
When                Type  Source                                           Valid
2024-06-19 02:06:45 RHOST 127.0.0.1                                            V
2024-06-19 02:06:50 RHOST 127.0.0.1                                            V
2024-06-19 02:06:55 RHOST 127.0.0.1                                            V
root:
When                Type  Source                                           Valid
debian:
When                Type  Source                                           Valid
2024-06-19 02:06:26 RHOST                                                      V
2024-06-19 02:06:31 RHOST                                                      V

# display by specifying user

root@dlp:~#
faillock --user debian

debian:
When                Type  Source                                           Valid
2024-06-19 02:06:45 RHOST 127.0.0.1                                            V
2024-06-19 02:06:50 RHOST 127.0.0.1                                            V
2024-06-19 02:06:55 RHOST 127.0.0.1                                            V

# reset the failure count for a user (this unlocks the account)

root@dlp:~#
faillock --user debian --reset