Faillock : Count consecutive auth failures
2021/08/26
Count consecutive authentication failures and Lock users who are over the threshold.
[1] Configure the PAM Faillock module.
# confirm current authentication settings
[root@dlp ~]# authselect current
Profile ID: sssd
Enabled features:
- with-fingerprint
- with-silent-lastlog

# enable Faillock
[root@dlp ~]# authselect enable-feature with-faillock
Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

[root@dlp ~]# authselect current
Profile ID: sssd
Enabled features:
- with-fingerprint
- with-silent-lastlog
- with-faillock

# pam_faillock is added in system-auth and password-auth
[root@dlp ~]# grep -n faillock /etc/pam.d/system-auth
6:auth required pam_faillock.so preauth silent
13:auth required pam_faillock.so authfail
16:account required pam_faillock.so
[root@dlp ~]# grep -n faillock /etc/pam.d/password-auth
6:auth required pam_faillock.so preauth silent
12:auth required pam_faillock.so authfail
15:account required pam_faillock.so
[root@dlp ~]# vi /etc/security/faillock.conf
# configure Faillock settings
# uncomment the lines you'd like to enable and change their parameters if needed

# line 10 : log the user name into the system log if the user is not found
# audit

# line 14 : do not print informative messages
# silent

# line 18 : do not log informative messages via syslog
# no_log_info

# line 27 : only track failed authentication attempts for local users
# ignore centralized users such as AD, IdM, LDAP and others
# local_users_only

# line 32 : deny access when the number of consecutive authentication failures reaches this value
# deny = 3

# line 38 : length of the interval during which the consecutive auth failures must happen for the user account
# fail_interval = 900

# line 45 : access is re-enabled N seconds after the lockout
# never re-enabled automatically if set to [unlock_time = 0]
# unlock_time = 600

# line 49 : the root account can become locked as well as regular accounts
# even_deny_root

# line 55 : root access is re-enabled N seconds after the lockout when [even_deny_root] is enabled
# root_unlock_time = 900

# line 62 : members of this group are handled the same as root under [even_deny_root] + [root_unlock_time = N]
# admin_group = <admin_group_name>
[2] Display a user account's failed login counts, or unlock a locked account manually, as follows.
# display failed login counts for a user
[root@dlp ~]# faillock --user rocky
rocky:
When                Type  Source                                           Valid
2021-08-17 10:59:50 TTY   ttyS0                                                V
2021-08-17 10:59:54 TTY   ttyS0                                                V
2021-08-17 10:59:59 TTY   ttyS0                                                V

# unlock a locked account manually
[root@dlp ~]# faillock --user rocky --reset
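The two steps above are normally checked by eye: read faillock.conf to see which settings are uncommented, then read the `faillock --user` listing and compare the number of valid entries against deny. The following script is an added example, not part of the original page, that does both offline so the check can be scripted for a compliance review or for triage of a reported lockout. It parses faillock.conf text the way pam_faillock reads it (commented lines ignored, bare flags such as even_deny_root, `key = value` settings, pam_faillock's documented defaults of deny=3, fail_interval=900 and unlock_time=600 when a key is absent), counts only the `V` (valid) records in the listing because entries marked `I` have aged out of fail_interval, and reports whether the account has reached the deny threshold. The configuration text and the listing embedded below are constructed samples shaped like the page's own output, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the original page: evaluate a faillock.conf
# policy and a `faillock --user` listing offline, the way a compliance check
# or a lockout triage script would. All inputs below are constructed text.

# Print the value of an uncommented "key = value" setting in faillock.conf
# text ($1); the last occurrence wins, and $3 is the pam_faillock default
# used when the key is still commented out or absent.
conf_value() {
    printf '%s\n' "$1" | awk -v key="$2" -v def="$3" '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/[[:space:]]/, "", k); gsub(/[[:space:]]/, "", v)
            if (k == key) val = v
        }
        END { print (val == "" ? def : val) }'
}

# Succeed (exit 0) when a bare flag such as even_deny_root is uncommented.
conf_flag() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        { line = $0; gsub(/[[:space:]]/, "", line); if (line == key) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Count the records in `faillock --user` output ($1) whose Valid column is V;
# records marked I are outside fail_interval and do not count toward deny.
count_valid_failures() {
    printf '%s\n' "$1" | awk 'NF >= 4 && $NF == "V" { n++ } END { print n + 0 }'
}

# Combine both: "locked" once valid failures reach deny, else "failures/deny".
lock_state() {
    deny=$(conf_value "$1" deny 3)
    failures=$(count_valid_failures "$2")
    if [ "$failures" -ge "$deny" ]; then echo locked; else echo "$failures/$deny"; fi
}

# One-line summary of the effective lockout policy, flagging what a reviewer
# looks at first: unlock_time=0 means accounts stay locked until --reset.
policy_report() {
    deny=$(conf_value "$1" deny 3)
    interval=$(conf_value "$1" fail_interval 900)
    unlock=$(conf_value "$1" unlock_time 600)
    printf 'deny=%s fail_interval=%s unlock_time=%s' "$deny" "$interval" "$unlock"
    [ "$unlock" -eq 0 ] && printf ' (manual unlock only)'
    conf_flag "$1" even_deny_root && printf ' root-lockable'
    printf '\n'
}

# Constructed sample: deny raised to 5, automatic unlock disabled, root lockable.
SAMPLE_CONF='# constructed sample of /etc/security/faillock.conf
# deny = 3
deny = 5
unlock_time = 0
even_deny_root
# admin_group = wheel'

# Constructed sample in the shape of `faillock --user rocky`; the first entry
# has already aged out of fail_interval (Valid = I).
SAMPLE_LISTING='rocky:
When                Type  Source                                           Valid
2021-08-17 10:59:50 TTY   ttyS0                                                I
2021-08-17 10:59:54 TTY   ttyS0                                                V
2021-08-17 10:59:59 TTY   ttyS0                                                V'

policy_report "$SAMPLE_CONF"
echo "rocky: $(lock_state "$SAMPLE_CONF" "$SAMPLE_LISTING")"
```

On a real host the same functions take `$(cat /etc/security/faillock.conf)` and `$(faillock --user "$user")` as their arguments; the sample run prints `deny=5 fail_interval=900 unlock_time=0 (manual unlock only) root-lockable` and `rocky: 2/5`, showing that the aged-out `I` record is not counted against the user.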