Faillock : Count consecutive auth failures
https://www.server-world.info/en/note?os=CentOS_Stream_8&p=pam&f=2
Count consecutive authentication failures and lock out users who exceed the threshold. [1] Configure the PAM faillock module through authselect.
confirm current authentication settings
[root@dlp ~]# authselect current
Profile ID: sssd
Enabled features:
- with-fingerprint
- with-silent-lastlog
enable Faillock
[root@dlp ~]# authselect enable-feature with-faillock
Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.
[root@dlp ~]# authselect current
Profile ID: sssd
Enabled features:
- with-fingerprint
- with-silent-lastlog
- with-faillock
pam_faillock is now present in both system-auth and password-auth (the numbers below are the line numbers grep reports in each file)
[root@dlp ~]# grep -n faillock /etc/pam.d/system-auth
6:auth required pam_faillock.so preauth silent
13:auth required pam_faillock.so authfail
16:account required pam_faillock.so
[root@dlp ~]# grep -n faillock /etc/pam.d/password-auth
6:auth required pam_faillock.so preauth silent
12:auth required pam_faillock.so authfail
15:account required pam_faillock.so
configure Faillock settings
[root@dlp ~]# vi /etc/security/faillock.conf
uncomment the lines you want to enable and change their parameters if needed (the line numbers below refer to the default faillock.conf)
line 10 : log the user name into the system log if the user is not found
audit
line 14 : do not print informative messages
silent
line 18 : do not log informative messages via syslog
no_log_info
line 27 : only track failed authentication attempts for local users,
ignoring centralised users such as AD, IdM, LDAP and others
local_users_only
line 32 : deny access when the number of consecutive authentication failures within fail_interval reaches this value
deny = 3
line 38 : length of the interval (seconds) within which the consecutive failures must happen for the user account
fail_interval = 900
line 45 : access is re-enabled N seconds after the lockout;
it is never re-enabled automatically if set to 0 [unlock_time = 0], so an administrator has to reset the account by hand
unlock_time = 600
line 48 : the root account can be locked as well as regular accounts (it is never locked unless this is set)
even_deny_root
line 54 : access for root is re-enabled N seconds after the lockout when [even_deny_root] is enabled
root_unlock_time = 900
line 61 : members of this group are handled the same way as root, i.e. [even_deny_root] + [root_unlock_time = N]
admin_group =
[2] Display a user account's failed login records, or unlock a locked account manually, as follows.
display failed login counts for a user
[root@dlp ~]# faillock --user cent
cent:
When                Type  Source                                           Valid
2021-03-07 10:59:50 TTY   ttyS0                                                V
2021-03-07 10:59:54 TTY   ttyS0                                                V
2021-03-07 10:59:59 TTY   ttyS0                                                V
unlock a locked account manually
[root@dlp ~]# faillock --user cent --reset
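As an added example that is not part of the page above, the following POSIX shell script ties steps [1] and [2] together: it reads the active deny / fail_interval / unlock_time values from a faillock.conf fragment, parses a captured `faillock --user` listing in the format shown above, and reports whether the user is over the threshold. The conf fragment and both listings are constructed samples; the counting rule (only records marked V count, and only those within fail_interval seconds of the most recent one) follows the check pam_faillock makes, while the audit_conf findings are this example's own judgement, not something the page states.

```shell
#!/bin/sh
# Added example, not code from server-world.info: evaluate a faillock listing
# against faillock.conf, and flag settings a reviewer would question.

# Constructed faillock.conf fragment. "deny" is left commented out on purpose,
# so the pam_faillock default (3) applies; unlock_time = 0 is the weak setting.
CONF='# deny = 3   (commented out: default applies)
fail_interval = 900
unlock_time = 0
'

# Constructed listing in the layout faillock prints: three failures in 9 seconds.
LISTING_BURST='cent:
When                Type  Source                                           Valid
2021-03-07 10:59:50 TTY   ttyS0                                                V
2021-03-07 10:59:54 TTY   ttyS0                                                V
2021-03-07 10:59:59 TTY   ttyS0                                                V
'

# Same number of failures spread over the morning: only the last two are
# inside a 900 s window of the most recent one, so the user is NOT locked.
LISTING_SLOW='cent:
When                Type  Source                                           Valid
2021-03-07 08:00:00 TTY   ttyS0                                                V
2021-03-07 10:50:00 TTY   ttyS0                                                V
2021-03-07 10:59:59 TTY   ttyS0                                                V
'

# conf_value KEY CONF DEFAULT: numeric value of "KEY = N" in CONF (commented
# lines are ignored), or DEFAULT when the key is not set.
conf_value() {
    v=$(printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p" | tail -n 1)
    printf '%s\n' "${v:-$3}"
}

# counted_failures LISTING FAIL_INTERVAL: records marked V whose timestamp lies
# within FAIL_INTERVAL seconds of the most recent V record.
counted_failures() {
    printf '%s\n' "$1" | awk -v iv="$2" '
    # days_from_civil (H. Hinnant) so timestamps compare correctly across days
    function to_secs(d, t,   D, T, y, m, era, yoe, doy, doe) {
        split(d, D, "-"); split(t, T, ":")
        y = D[1] + 0; m = D[2] + 0
        if (m <= 2) y--
        era = int((y >= 0 ? y : y - 399) / 400)
        yoe = y - era * 400
        doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + D[3] - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        return (era * 146097 + doe - 719468) * 86400 + T[1] * 3600 + T[2] * 60 + T[3]
    }
    # skip the "user:" line and the column header; last field is the Valid flag
    NR > 2 && $NF == "V" { s[++n] = to_secs($1, $2); if (s[n] > latest) latest = s[n] }
    END { for (i = 1; i <= n; i++) if (s[i] >= latest - iv) c++; print c + 0 }'
}

# lock_status LISTING CONF: "locked" once the counted failures reach deny.
lock_status() {
    deny=$(conf_value deny "$2" 3)            # pam_faillock default: 3
    iv=$(conf_value fail_interval "$2" 900)   # pam_faillock default: 900 s
    n=$(counted_failures "$1" "$iv")
    if [ "$n" -ge "$deny" ]; then echo locked; else echo ok; fi
}

# audit_conf CONF: one line per questionable setting; silent when clean.
audit_conf() {
    if [ "$(conf_value unlock_time "$1" 600)" -eq 0 ]; then
        echo "unlock_time = 0: accounts stay locked until an admin runs faillock --user NAME --reset; anyone who knows a user name can lock it out with bad passwords"
    fi
    if ! printf '%s\n' "$1" | grep -q '^[[:space:]]*even_deny_root[[:space:]]*$'; then
        echo "even_deny_root unset: root is never locked by pam_faillock (consider admin_group for root-equivalent users)"
    fi
}

lock_status "$LISTING_BURST" "$CONF"   # locked
lock_status "$LISTING_SLOW" "$CONF"    # ok
audit_conf "$CONF"
```

Point the script at a real box by replacing the constructed strings with `CONF=$(cat /etc/security/faillock.conf)` and `LISTING=$(faillock --user NAME)`; the parser only needs the column layout shown in step [2].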