I came across an interesting command – faillog
With faillog you can lock a user’s account after x number of failed login attempts.
HOWEVER – it is not so straightforward – see man pam_tally
In order to enable this option you need to edit a few of the PAM configuration files located in /etc/pam.d
What makes this confusing is that, as with sudo, THE ORDER OF RULES IS CRITICAL.
So we cannot just add a few lines at the bottom of the file; we need to add them in the right order.
In particular, using any editor, open /etc/pam.d/common-auth and add the line AT THE TOP OF THE FILE:
auth required pam_tally.so per_user magic_root onerr=fail
Use the silent option if you do not want pam_tally to give error messages.
auth required pam_tally.so per_user magic_root onerr=fail silent
You may set the number of failed login attempts and the lockout time either by adding additional options to the above line or by using faillog
sudo faillog -m 3
To unlock an account use
faillog -u login_name -r
Or set a time with the faillog command; the -l option sets the lock time in seconds.
faillog -m 3 -l 3600
Using faillog with ssh
Now, to use this with ssh, we also need to edit both /etc/pam.d/sshd and /etc/ssh/sshd_config
First, using any editor, open /etc/pam.d/sshd
Look for the line “@include common-auth”; we need to add the following line before it:
auth required pam_tally.so per_user onerr=fail
By adding this line before @include common-auth we override the “magic_root” setting in common-auth.
Once a user is logged in, we need the magic_root option so that failed sudo attempts do not lock us out of root access. But because sshd runs as root, we need to override this option in /etc/pam.d/sshd – clear as mud?
If it does not make sense, read the man pages, open a shell and log in as root (so you do not lose root access), and test these options: see what happens when, as your admin user, you try sudo -i and ssh localhost.
Next, using any editor, open /etc/ssh/sshd_config
Change “ChallengeResponseAuthentication no” to “ChallengeResponseAuthentication yes” (in Ubuntu, UsePAM yes was the default).
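Because the rule order is what makes or breaks this setup, here is an added example (not from the original post) that audits the three edits above: the pam_tally line must be the first active rule in common-auth, must precede @include common-auth in /etc/pam.d/sshd, and sshd_config must enable ChallengeResponseAuthentication. The config snippets it runs against are constructed samples; the function names and the sample directory are my own.

```shell
#!/bin/sh
# Added example, not part of the original post. The sample configs below are
# constructed here so the script runs offline; on a real host point
# audit_lockout at /etc/pam.d and /etc/ssh/sshd_config instead.

# First active (non-comment, non-blank) line of $1 must be the pam_tally auth rule.
tally_first_in() {
    first=$(grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | head -n 1)
    case "$first" in
        auth*pam_tally.so*) return 0 ;;
        *) return 1 ;;
    esac
}

# In $1, an "auth ... pam_tally.so" line must appear before "@include common-auth".
tally_before_include() {
    t=$(grep -n '^[[:space:]]*auth.*pam_tally\.so' "$1" | head -n 1 | cut -d: -f1)
    i=$(grep -n '^[[:space:]]*@include[[:space:]]*common-auth' "$1" | head -n 1 | cut -d: -f1)
    [ -n "$t" ] && [ -n "$i" ] && [ "$t" -lt "$i" ]
}

# sshd_config must set ChallengeResponseAuthentication yes (last uncommented setting wins).
challenge_response_enabled() {
    v=$(grep -i '^[[:space:]]*ChallengeResponseAuthentication' "$1" | tail -n 1 | awk '{print tolower($2)}')
    [ "$v" = "yes" ]
}

# Run all three checks: $1 = pam.d directory, $2 = path to sshd_config.
audit_lockout() {
    tally_first_in "$1/common-auth" && tally_before_include "$1/sshd" && challenge_response_enabled "$2"
}

# Constructed samples: a correct layout, and a broken one where the sshd rule
# sits after the include and ChallengeResponseAuthentication is still "no".
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/good" "$SAMPLE_DIR/bad"
printf '%s\n' '# common-auth' 'auth required pam_tally.so per_user magic_root onerr=fail' \
    'auth [success=1 default=ignore] pam_unix.so nullok_secure' > "$SAMPLE_DIR/good/common-auth"
printf '%s\n' 'auth required pam_tally.so per_user onerr=fail' '@include common-auth' \
    'account required pam_nologin.so' > "$SAMPLE_DIR/good/sshd"
printf '%s\n' 'UsePAM yes' 'ChallengeResponseAuthentication yes' > "$SAMPLE_DIR/good/sshd_config"
cp "$SAMPLE_DIR/good/common-auth" "$SAMPLE_DIR/bad/common-auth"
printf '%s\n' '@include common-auth' 'auth required pam_tally.so per_user onerr=fail' > "$SAMPLE_DIR/bad/sshd"
printf '%s\n' '#ChallengeResponseAuthentication yes' 'ChallengeResponseAuthentication no' > "$SAMPLE_DIR/bad/sshd_config"

if audit_lockout "$SAMPLE_DIR/good" "$SAMPLE_DIR/good/sshd_config"; then echo "good sample: rules in order"; fi
if ! audit_lockout "$SAMPLE_DIR/bad" "$SAMPLE_DIR/bad/sshd_config"; then echo "bad sample: misordered or ChallengeResponseAuthentication off"; fi
```

The check only looks at ordering and the sshd_config setting; it does not verify that pam_tally is actually counting, so still test a few bad passwords and read faillog -a as the post suggests.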
If the pam_tally module locks your account, you will still be able to log in with ssh keys.
So it may be a good idea to make sure you have a working set of ssh keys before you enable this option 😉