
Tutorials from tor.eu

None of us is as smart as all of us. Eric Schmidt, 2009


Tag archive: Log

Ubuntu how to faillog

Published on 4 June 2013 by admin

Source: http://blog.bodhizazen.net/linux/ubuntu-how-to-faillog/

I came across an interesting command – faillog

With faillog you can lock a user’s account after x number of failed login attempts.

HOWEVER – it is not so straightforward – see man pam_tally

In order to enable this option you need to edit a few of the pam configuration files located in /etc/pam.d

What makes this confusing is that, as with sudo, THE ORDER OF RULES IS CRITICAL.

So we cannot just add a few lines at the bottom of the file; we need to add them in the right order.

In particular, using any editor, open /etc/pam.d/common-auth and add the line AT THE TOP OF THE FILE:

auth required pam_tally.so per_user magic_root onerr=fail

Use the silent option if you do not want pam_tally to give error messages.

auth required pam_tally.so per_user magic_root onerr=fail silent

You may set the number of failed login attempts and the lockout time either by adding additional options to the above line or by using faillog:

sudo faillog -m 3

To unlock an account use

faillog -u login_name -r

Or set a time with the faillog command; the -l option sets the lock time.

faillog -m 3 -l 3600

Using faillog with ssh

Now to use this with ssh we need to also edit both /etc/pam.d/sshd and /etc/ssh/sshd_config

First, using any editor, open /etc/pam.d/sshd

Look for the line “@include common-auth”. We need to add the pam_tally line directly before it:

auth required pam_tally.so per_user onerr=fail
@include common-auth

By adding this line before “@include common-auth” we override the “magic_root” setting in common-auth.

Once a user is logged in, we need the magic_root option so that failed sudo attempts do not lock us out of root access. But because sshd runs as root, we need to override this option in /etc/pam.d/sshd – clear as mud?

If it does not make sense, read the man pages, open a shell and log in as root (so you do not lose root access), and test these options: see what happens when, as your admin user, you try sudo -i and ssh localhost.

Next, using any editor, open /etc/ssh/sshd_config

Change “ChallengeResponseAuthentication no” to yes (in Ubuntu, “UsePAM yes” was the default).

ChallengeResponseAuthentication yes
UsePAM yes

If the pam_tally module locks your account, you will still be able to log in with ssh keys.

So it may be a good idea to make sure you have a working set of ssh keys before you enable this option 😉
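
The ordering rules for /etc/pam.d/common-auth and /etc/pam.d/sshd described above can be checked mechanically before you log out of your root shell. The following Python check is an added example, not part of the original post: it reports when pam_tally.so is not the first auth rule in common-auth, when it sits after “@include common-auth” in the sshd file, or when magic_root is set in the sshd stack. The function names and the sample file contents are constructed for illustration.

```python
import re
# Constructed sample files that follow the layout described above (not real system files).
COMMON_AUTH = """\
# /etc/pam.d/common-auth (constructed sample)
auth required pam_tally.so per_user magic_root onerr=fail
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
"""
SSHD = """\
# /etc/pam.d/sshd (constructed sample)
auth required pam_tally.so per_user onerr=fail
@include common-auth
account required pam_nologin.so
"""

def auth_entries(text):
    """Return auth rules and @include lines in file order as (module, options)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("@include"):
            entries.append(("@include", line.split()[1:]))
            continue
        m = re.match(r"-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m:  # keep only the module file name, so absolute paths also match
            entries.append((m.group(2).rsplit("/", 1)[-1], m.group(3).split()))
    return entries

def check(text, sshd=False):
    """List ordering/option problems for common-auth, or for /etc/pam.d/sshd if sshd=True."""
    stack = auth_entries(text)
    tally = [i for i, (mod, _) in enumerate(stack) if mod == "pam_tally.so"]
    if not tally:
        return ["no pam_tally.so auth rule found"]
    first, opts, problems = tally[0], stack[tally[0]][1], []
    if "onerr=fail" not in opts:
        problems.append("onerr=fail is missing")
    if sshd:
        inc = [i for i, e in enumerate(stack) if e == ("@include", ["common-auth"])]
        if not inc or first > inc[0]:
            problems.append("pam_tally.so must come before @include common-auth")
        if "magic_root" in opts:
            problems.append("magic_root must not be set in the sshd stack")
    else:
        if first != 0:
            problems.append("pam_tally.so must be the first auth rule")
        if "magic_root" not in opts:
            problems.append("magic_root is missing")
    return problems
```

To check a live system, pass the contents of the two files to check() instead of the constructed samples; an empty list means the layout matches the one described in this post.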

Posted in Linux | Tagged Linux, Log, login atempts
