You can configure the above functionality in the /etc/pam.d/system-auth and /etc/pam.d/password-auth files, by adding the entries below to the auth section.
auth required pam_faillock.so preauth silent audit deny=3 unlock_time=300
auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=300
- audit – logs the user name to the system log even when the user is not found.
- deny – used to define the number of attempts (3 in this case), after which the user account should be locked.
- unlock_time – sets the time (300 seconds = 5 minutes) for which the account should remain locked.
The auth section in both files should have the content below arranged in this order:
auth required pam_env.so
auth required pam_faillock.so preauth silent audit deny=3 unlock_time=300
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=300
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
Then add the pam_faillock.so entry (the last line below) to the account section, so that it reads:
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
account required pam_faillock.so
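As an added check (example code, not from the original post), the following POSIX shell script verifies that a PAM stack file carries the pam_faillock entries in the order given above, using two constructed sample files rather than the live /etc/pam.d files:

```shell
#!/bin/sh
# Added example, not part of the original post: checks that a PAM stack file
# carries the pam_faillock entries in the order the post prescribes, i.e. the
# auth preauth line before pam_unix.so, the auth authfail line after it, and a
# pam_faillock.so line in the account section.
check_faillock_order() {
    f="$1"
    # line number of the first entry of each kind (empty if absent)
    pre=$(grep -n '^auth[[:space:]].*pam_faillock\.so.*preauth' "$f" | head -n1 | cut -d: -f1)
    unix=$(grep -n '^auth[[:space:]].*pam_unix\.so' "$f" | head -n1 | cut -d: -f1)
    fail=$(grep -n '^auth[[:space:]].*pam_faillock\.so.*authfail' "$f" | head -n1 | cut -d: -f1)
    acct=$(grep -n '^account[[:space:]].*pam_faillock\.so' "$f" | head -n1 | cut -d: -f1)
    [ -n "$pre" ]  || { echo "$f: missing auth pam_faillock.so preauth entry"; return 1; }
    [ -n "$fail" ] || { echo "$f: missing auth pam_faillock.so authfail entry"; return 1; }
    [ -n "$acct" ] || { echo "$f: missing account pam_faillock.so entry"; return 1; }
    [ -n "$unix" ] || { echo "$f: no pam_unix.so auth entry to order against"; return 1; }
    [ "$pre" -lt "$unix" ]  || { echo "$f: preauth entry must come before pam_unix.so"; return 1; }
    [ "$fail" -gt "$unix" ] || { echo "$f: authfail entry must come after pam_unix.so"; return 1; }
    echo "$f: pam_faillock ordering OK"
}

# Constructed sample 1: auth and account sections as the post lays them out.
GOOD=$(mktemp)
cat >"$GOOD" <<'EOF'
auth required pam_env.so
auth required pam_faillock.so preauth silent audit deny=3 unlock_time=300
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=300
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
account required pam_unix.so
account required pam_faillock.so
EOF
# Constructed sample 2: authfail entry wrongly placed before pam_unix.so.
BAD=$(mktemp)
cat >"$BAD" <<'EOF'
auth required pam_env.so
auth required pam_faillock.so preauth silent audit deny=3 unlock_time=300
auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=300
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_deny.so
account required pam_unix.so
account required pam_faillock.so
EOF
trap 'rm -f "$GOOD" "$BAD"' EXIT
check_faillock_order "$GOOD"
check_faillock_order "$BAD" || :   # reports the ordering error, exit status 1
```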
How to View Failed Authentication Attempts
You can view failed authentication records with the faillock utility, which displays and modifies the authentication failure log. To see the records for a single user, run:
[root@dfn-qsd-pri ~]# faillock --user user1
To view all unsuccessful login attempts, run faillock without any argument like so:
[root@dfn-qsd-pri ~]# faillock
To clear a user’s authentication failure logs, run this command.
[root@dfn-qsd-pri ~]# faillock --user user1 --reset