Faillock : Limit consecutive failed logins (2024/06/20)
Count consecutive authentication failures and lock users who exceed the threshold.
[1] Configure the PAM faillock module.
root@dlp:~#
vi /etc/pam.d/common-auth
# line 17 : add lines like follows
# note: common-auth is generated by pam-auth-update(8); a later run of that tool
# may overwrite manual edits, so re-check these lines after package updates

# here are the per-package modules (the "Primary" block)
auth required pam_faillock.so preauth
auth [success=1 default=ignore] pam_unix.so nullok
auth [default=die] pam_faillock.so authfail
auth sufficient pam_faillock.so authsucc
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config
root@dlp:~#
vi /etc/pam.d/common-account
# line 17 : add a line like follows
# here are the per-package modules (the "Primary" block)
account required pam_faillock.so
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
root@dlp:~#
vi /etc/security/faillock.conf
# configure Faillock settings
# uncomment the lines you'd like to enable and change the parameters if needed
# (the commented values below are the module's built-in defaults, so deny = 3,
#  fail_interval = 900 and unlock_time = 600 are in effect even if nothing is uncommented)

# line 10 : log the user name into the system log if the user is not found
# audit

# line 14 : do not print informative messages
# silent

# line 18 : do not log informative messages via syslog
# no_log_info

# line 27 : only track failed authentication attempts for local users;
# ignore centralized users like AD, IdM, LDAP and others
# local_users_only

# line 32 : deny access if the number of consecutive authentication failures exceeds N
# deny = 3

# line 38 : length of the interval (seconds) during which the consecutive auth failures must happen for the user account
# fail_interval = 900

# line 45 : access will be re-enabled N seconds after the lock out;
# never re-enabled automatically if set to [unlock_time = 0], in which case only an
# administrator can unlock the account (faillock --user <name> --reset, see [2])
# unlock_time = 600

# line 49 : root account can become locked as well as regular accounts
# (be aware that repeated failures against root then lock out the root account too;
#  keep a root_unlock_time or another admin path available)
# even_deny_root

# line 55 : access of root will be re-enabled N seconds after the lock out if [even_deny_root] is enabled
# root_unlock_time = 900

# line 62 : members of the group will be handled the same as [even_deny_root] + [root_unlock_time = N]
# admin_group = <admin_group_name>
[2] Display users' failed-login counts, or unlock a locked account manually, as follows.
# display a list of failure counts without arguments
root@dlp:~# faillock
ubuntu:
When                Type  Source                                           Valid
2024-06-19 02:06:45 RHOST 127.0.0.1                                            V
2024-06-19 02:06:50 RHOST 127.0.0.1                                            V
2024-06-19 02:06:55 RHOST 127.0.0.1                                            V
root:
When                Type  Source                                           Valid
ubuntu:
When                Type  Source                                           Valid
2024-06-19 02:06:26 RHOST                                                      V
2024-06-19 02:06:31 RHOST                                                      V

# display by specifying user
root@dlp:~# faillock --user ubuntu
ubuntu:
When                Type  Source                                           Valid
2024-06-19 02:06:45 RHOST 127.0.0.1                                            V
2024-06-19 02:06:50 RHOST 127.0.0.1                                            V
2024-06-19 02:06:55 RHOST 127.0.0.1                                            V

# reset the failed attempts count for a user (this is the only way to unlock when [unlock_time = 0])
root@dlp:~# faillock --user ubuntu --reset