pam_tally2 command – lock & unlock ssh failed logins in linux
Overview:
The pam_tally2 command is used to lock and unlock accounts after failed SSH logins on Linux-like operating systems. A common security requirement is that a user's account must be locked after a given number of failed login attempts; this can be achieved with the PAM module pam_tally2. The module can display a user's failed login attempts, set counts on a per-user basis, and unlock (reset) all user counts.
pam_tally2 comes in two parts: pam_tally2.so and pam_tally2. The former is the PAM module and the latter is a stand-alone program. The pam_tally2 program is used to interrogate and manipulate the counter file.
In this article we will discuss how to lock and unlock a user's account after it reaches a fixed number of failed SSH attempts on RHEL 6.X / CentOS 6.X.
By default the pam_tally2 module is already installed on Linux. To set the lock and unlock rules, edit the two files '/etc/pam.d/system-auth' and '/etc/pam.d/password-auth' and add the line below at the start of the auth section in both files:
auth required pam_tally2.so file=/var/log/tallylog deny=3 even_deny_root unlock_time=1200
Then add the line below in the account section of both files:
account required pam_tally2.so
Sample File of /etc/pam.d/system-auth
Sample File of /etc/pam.d/password-auth
where:
- file=/var/log/tallylog – Default log file which keeps the login failure counts.
- deny=3 – Deny access after 3 failed attempts and lock the user out.
- even_deny_root – The policy also applies to the root user.
- unlock_time=1200 – The account stays locked for 20 minutes (1200 seconds); after that it is unlocked automatically.
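To confirm that both PAM files really carry the policy described above, here is an added shell check (not part of the original article, and not a pam_tally2 tool). It assumes the pam_tally2 auth line must come before pam_unix.so so that failures are counted before the password check, and it runs against constructed sample files standing in for /etc/pam.d/system-auth and password-auth.

```shell
#!/bin/sh
# Audit a PAM stack file for the pam_tally2 lockout policy. Passes when:
#   1. an "auth ... pam_tally2.so" line exists and precedes "auth ... pam_unix.so",
#      so every failed password is counted (assumption: ordering requirement)
#   2. that line sets deny= and unlock_time=
#   3. an "account required pam_tally2.so" line exists, so the lock is enforced
check_pam_tally2() {
    file="$1"; rc=0
    auth_re='^[[:space:]]*auth[[:space:]]+[^[:space:]]+[[:space:]]+'
    tally_ln=$(grep -nE "${auth_re}pam_tally2\.so" "$file" | head -n 1 | cut -d: -f1)
    unix_ln=$(grep -nE "${auth_re}pam_unix\.so" "$file" | head -n 1 | cut -d: -f1)
    if [ -z "$tally_ln" ]; then
        echo "$file: no auth line loads pam_tally2.so"; return 1
    fi
    if [ -n "$unix_ln" ] && [ "$tally_ln" -gt "$unix_ln" ]; then
        echo "$file: pam_tally2.so must precede pam_unix.so in the auth stack"; rc=1
    fi
    tally_line=$(sed -n "${tally_ln}p" "$file")
    case "$tally_line" in
        *deny=*) ;;
        *) echo "$file: auth line has no deny= threshold"; rc=1 ;;
    esac
    case "$tally_line" in
        *unlock_time=*) ;;
        *) echo "$file: no unlock_time= (lock persists until a manual --reset)"; rc=1 ;;
    esac
    grep -Eq '^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_tally2\.so' "$file" \
        || { echo "$file: missing 'account required pam_tally2.so'"; rc=1; }
    return $rc
}

# Constructed sample files (not real system files) for a good and a bad stack.
PAM_GOOD=$(mktemp); PAM_BAD=$(mktemp)
trap 'rm -f "$PAM_GOOD" "$PAM_BAD"' EXIT
cat > "$PAM_GOOD" <<'EOF'
auth        required      pam_env.so
auth        required      pam_tally2.so file=/var/log/tallylog deny=3 even_deny_root unlock_time=1200
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_tally2.so
account     required      pam_unix.so
EOF
# Bad: tally module after pam_unix.so, no unlock_time, no account line.
cat > "$PAM_BAD" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_tally2.so deny=3
account     required      pam_unix.so
EOF
check_pam_tally2 "$PAM_GOOD" && echo "$PAM_GOOD: OK"
check_pam_tally2 "$PAM_BAD" || echo "$PAM_BAD: FAILED"
```

Run it against the real files with `check_pam_tally2 /etc/pam.d/system-auth` and `check_pam_tally2 /etc/pam.d/password-auth`; a non-zero return means the lockout policy is incomplete in that file.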
Now try to log in to the Linux box with an incorrect password a few times.
Then check the user's failed login attempts with the pam_tally2 command:
[root@localhost ~]# pam_tally2 -u nextstep4it
Login           Failures Latest failure     From
nextstep4it         3    06/14/14 02:01:25  192.168.1.8
Now reset (unlock) the user's account with the pam_tally2 command; the previous counter is printed before it is cleared:
[root@localhost ~]# pam_tally2 --user nextstep4it --reset
Login           Failures Latest failure     From
nextstep4it         4    06/14/14 02:20:42  192.168.1.8
Now verify whether the login attempt counter has been reset:
[root@localhost ~]# pam_tally2 --user nextstep4it
Login           Failures Latest failure     From
nextstep4it         0
If unlock_time is not mentioned, what happens?
Dear Writer,
Thank you very much. I pained Google many times, but luckily your site has the solution.
Really looking forward to going deep down in free time
Best Regards,
Nuwan Arambage
Thank you for your great post. Would you please explain why we need to enter the line "account required pam_tally2.so"?