Limiting Access after Failed Logins

Objectives

  • Implement account locking after a specified number of failed logins.

Locking Accounts with Multiple Failed Logins

Many security policies have requirements for locking user accounts after multiple failed login attempts. You can use the PAM pam_faillock module to implement this requirement. The pam_faillock module can lock accounts after a specific number of failed login attempts, and it can automatically unlock these accounts after a predefined period. You can use the faillock command, from the pam package, to view a report of failed login attempts or to reset a user's failed attempts.

Note

The pam_faillock module was added in Red Hat Enterprise Linux 6.1, alongside the existing pam_tally2 module. The pam_faillock module provides extra functions. For example, the pam_faillock module also controls failed login attempts on local screen savers. The authselect tool can configure the pam_faillock module, but not the pam_tally2 module.

Consider the risk of denial-of-service attacks when enabling the pam_faillock module. A malicious user can lock an account by intentionally entering incorrect passwords. The legitimate user is then denied access to their account during the lock period.

PAM also provides the pam_access module to restrict users and groups. You can enable the pam_access module by including the with-pamaccess feature when selecting an authselect profile. To configure the pam_access module, edit the /etc/security/access.conf configuration file. For more information about the pam_access module, see the pam_access(8) and access.conf(5) man pages.

Enabling the pam_faillock Module

To enable the pam_faillock module, use the authselect tool to select your security profile and add the with-faillock option. The following example enables the pam_faillock module with the minimal security profile:

[root@host ~]# authselect select minimal with-faillock --force
Backup stored at /var/lib/authselect/backups/2023-10-09-17-32-43.Jr656T
Profile "minimal" was selected.
The following nsswitch maps are overwritten by the profile:
- aliases
- automount
- ethers
- group
- hosts
- initgroups
- netgroup
- networks
- passwd
- protocols
- publickey
- rpc
- services
- shadow

Configuring the pam_faillock Module

You can configure the pam_faillock module by editing the /etc/security/faillock.conf configuration file. The file contains descriptions of each option, along with the default value.

dir

This string configures the directory that holds the per-user files with the failure records.

audit

This Boolean enables logging of user names if the user is not found.

silent

This Boolean disables the printing of informative messages.

no_log_info

This Boolean disables the logging of informative messages to syslog.

local_users_only

This Boolean configures the pam_faillock module to ignore users that are not in the /etc/passwd file. This option is useful if your environment already locks users in LDAP or other identity management servers.

deny

This integer configures the number of allowed consecutive authentication failures within the interval before a user is locked.

fail_interval

This integer configures the length of the interval, in seconds, within which consecutive authentication failures are counted toward the deny limit.

unlock_time

This integer configures the number of seconds that a user is locked for.

even_deny_root

This Boolean enables locking for the root user.

root_unlock_time

This integer configures the number of seconds that the root user is locked for. If this option is not specified, then the value defaults to match the unlock_time option.

admin_group

This string configures a group that follows the configuration for the root user.

Warning

If you configure the pam_faillock module to apply to the root user by using the even_deny_root option, then an attacker might be able to purposefully lock your root user in a denial-of-service attack.

Ensure that you at least have an alternative way to unlock the root user if you enable the even_deny_root option.

Managing Locked Accounts

You can list failed login attempts with the faillock command.

[root@host ~]# faillock
user1:
When                Type  Source               Valid
2023-07-14 11:46:35 RHOST 10.1.2.12                V
2023-07-14 11:46:31 RHOST 10.1.2.12                V
2023-07-14 11:46:44 RHOST 10.1.2.12                V
user2:
When                Type  Source               Valid
2023-07-14 11:48:01 TTY   tty2                     V
2023-07-14 11:48:31 TTY   tty2                     V
2023-07-14 11:48:37 TTY   tty2                     V
root:
When                Type  Source               Valid

The --user option restricts the output to a specific account.

[root@host ~]# faillock --user user1
user1:
When                Type  Source               Valid
2023-07-14 11:46:31 RHOST 10.1.2.12                V
2023-07-14 11:46:44 RHOST 10.1.2.12                V
2023-07-14 11:46:35 RHOST 10.1.2.12                V

The Type column indicates the source of the connection: RHOST for remote connections, such as SSH, or TTY for console connections. The Source column gives the origin of the connection: hostname, IP address, or TTY. The Valid column indicates whether the record is still valid (V) or not (I).

The --reset option removes the failure records for a user. As a side effect, this option also unlocks the account if it was locked.

[root@host ~]# faillock --user user1 --reset
[root@host ~]# faillock --user user1
user1:
When                Type  Source               Valid
[root@host ~]#
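As an added example (not part of the course text), the following Python script parses a faillock report in the layout shown above and applies the deny, fail_interval, unlock_time, even_deny_root and root_unlock_time options from the configuration section to determine which accounts are currently locked and until when. The POLICY values and the report lines are constructed for this example, and the counting rule is modelled on the option descriptions in this section rather than on the module's source.

```python
from datetime import datetime, timedelta

# Policy mirroring options from /etc/security/faillock.conf (constructed example values).
POLICY = {"deny": 3, "fail_interval": 900, "unlock_time": 600,
          "even_deny_root": True, "root_unlock_time": 60}

# Constructed report in the layout the faillock command prints (not output from the page).
FAILLOCK_REPORT = """\
user1:
When                Type  Source               Valid
2023-07-14 11:46:35 RHOST 10.1.2.12                V
2023-07-14 11:46:31 RHOST 10.1.2.12                V
2023-07-14 11:46:44 RHOST 10.1.2.12                V
user2:
When                Type  Source               Valid
2023-07-14 10:48:01 TTY   tty2                     I
2023-07-14 11:48:31 TTY   tty2                     V
2023-07-14 11:48:37 TTY   tty2                     V
root:
When                Type  Source               Valid
2023-07-14 11:48:40 TTY   tty2                     V
2023-07-14 11:48:50 TTY   tty2                     V
2023-07-14 11:49:00 TTY   tty2                     V
"""

# Constructed evaluation time: the moment at which lock state is assessed.
NOW = datetime(2023, 7, 14, 11, 50, 0)

def parse_report(text):
    """Map each user in a faillock report to the failure timestamps in its When column."""
    records, user = {}, None
    for line in text.splitlines():
        if line.endswith(":"):                 # "user1:" introduces that user's block
            user, records[line[:-1]] = line[:-1], []
        elif user and line[:4].isdigit():      # record rows start with the date
            records[user].append(datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S"))
    return records

def lock_state(user, failures, policy, now):
    """Return (locked, unlock_at): failures younger than fail_interval count toward deny,
    and a locked user stays locked until unlock_time (root_unlock_time for root) elapses."""
    if user == "root" and not policy.get("even_deny_root"):
        return False, None                     # root is exempt unless even_deny_root is set
    window = timedelta(seconds=policy["fail_interval"])
    recent = [t for t in failures if now - t < window]
    if len(recent) < policy["deny"]:
        return False, None                     # too few failures inside the interval
    hold = policy["unlock_time"]
    if user == "root":                         # root_unlock_time falls back to unlock_time
        hold = policy.get("root_unlock_time", hold)
    unlock_at = max(recent) + timedelta(seconds=hold)
    return now < unlock_at, unlock_at
```

With the constructed data, user1 is locked until 11:56:44, user2 is not locked because only two failures fall inside fail_interval, and root's short root_unlock_time has already expired at NOW.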

References

The faillock.conf(5), pam_faillock(8), faillock(8), pam_access(8), and access.conf(5) man pages

For more information, refer to the What Is pam_faillock and How to Use It in Red Hat Enterprise Linux 8 & 9? article at https://access.redhat.com/solutions/62949

Revision: rh415-9.2-a821299