The pam_faillock module performs a function similar to pam_tally and pam_tally2, but with more options and flexibility. pam_faillock supports temporary locking of user accounts after multiple failed authentication attempts. This newer module improves on the existing pam_tally2 module in that it also allows temporary locking when the authentication attempts are made through a screensaver.
We will use pam_faillock to lock a user account after a defined number of failed login attempts, and then use the faillock command to unlock the user by resetting the failed login counter.
Introduction to pam_faillock module
pam_faillock is part of Linux-PAM (Pluggable Authentication Modules for Linux), a suite of shared libraries that controls authentication of users for applications such as login, ssh, su, and others. The module maintains a list of failed authentication attempts per user during a specified interval and locks the account if there were more than deny consecutive failed authentications.
pam_faillock comes in two parts: pam_faillock.so and faillock. The former is the PAM module and the latter a stand-alone program. Linux locates the PAM configuration files in the /etc/pam.d directory; configuration files for services such as login, ssh, and others are located here.
For example, here is a sample output from /etc/pam.d/crond
The records in a PAM configuration file have a specific syntax. That syntax is as follows:
TYPE CONTROL-FLAG PAM-MODULE [MODULE-OPTIONS]
The first column contains the TYPE, sometimes called a context or module interface, which designates a particular PAM service type. The four PAM service types are:
- account: Implements account validation services, such as enforcing time of day restrictions as well as determining if the account has expired
- auth: Provides account authentication management services, such as asking for a password and verifying that the password is correct
- password: Manages account passwords, such as enforcing minimum password lengths and limiting incorrect password entry attempts
- session: Provides authenticated account session management for session start and session end, such as logging when the session began and ended as well as mounting the account’s home directory, if needed
The second column is the CONTROL-FLAG. The control flags and their effects are:
- include: Adds status codes and response ratings from the designated PAM configuration files into the final status.
- optional: Conditionally adds the module’s status code to the final status. If this is the only record for the PAM service type, it is included. If not, the status code is ignored.
- requisite: If the module returns a fail status code, a final fail status is immediately returned to the application without running the rest of the modules within the configuration file.
- required: If the module returns a fail status code, a final fail status will be returned to the application, but only after the rest of the modules within the configuration file run.
- substack: Forces the included configuration files of a particular type to act together, returning a single status code to the main module stack.
- sufficient: If the module returns a success status code and no preceding stack modules have returned a fail status code, a final success status is immediately returned to the application without running the rest of the modules within the configuration file. If the module returns a fail status code, it is ignored.
The third column, i.e. the PAM-MODULE portion of the /etc/pam.d/ configuration file record, is simply the file name of the module that will do the work. For example, pam_access.so, shown in the /etc/pam.d/crond configuration file above, is mainly used for access management.
A designated PAM-MODULE is called in the order it is listed within the PAM configuration file. This is called the module stack. Each PAM-MODULE returns a status code, which is handled via the record’s CONTROL-FLAG setting.
Check for pam_faillock availability
Before you start using this module in /etc/pam.d and risk locking yourself out, make sure the module is actually shipped with PAM on your system. Check the contents of the pam rpm:
~]# rpm -ql pam | grep faillock
/etc/security/faillock.conf
/usr/lib64/security/pam_faillock.so
/usr/sbin/faillock
/usr/share/doc/pam/txts/README.pam_faillock
/usr/share/man/man5/faillock.conf.5.gz
/usr/share/man/man8/faillock.8.gz
/usr/share/man/man8/pam_faillock.8.gz
/var/run/faillock
So the PAM rpm contains the pam_faillock.so module and the faillock binary command.
Pre-requisite - PAM configuration file
We must change the following two configuration files to lock any type of user account after X failed login attempts:
/etc/pam.d/system-auth
/etc/pam.d/password-auth
pam_faillock syntax
The syntax to be used with the pam_faillock.so module:
auth ... pam_faillock.so {preauth|authfail|authsucc} [dir=/path/to/tally-directory] [even_deny_root] [deny=n] [fail_interval=n] [unlock_time=n] [root_unlock_time=n] [admin_group=name] [audit] [silent] [no_log_info]
account ... pam_faillock.so [dir=/path/to/tally-directory] [no_log_info]
From the man page of pam_faillock:
{preauth|authfail|authsucc}
This argument must be set according to the position of this module instance in the PAM stack. The preauth argument must be used when the module is called before the modules which ask for the user credentials such as the password. The module just examines whether the user should be blocked from accessing the service in case there was an anomalous number of failed consecutive authentication attempts recently. This call is optional if authsucc is used. The authfail argument must be used when the module is called after the modules which determine the authentication outcome, failed. Unless the user is already blocked due to previous authentication failures, the module will record the failure into the appropriate user tally file. The authsucc argument must be used when the module is called after the modules which determine the authentication outcome, succeeded. Unless the user is already blocked due to previous authentication failures, the module will then clear the record of the failures in the respective user tally file. Otherwise it will return an authentication error. If this call is not done, pam_faillock will not distinguish between consecutive and non-consecutive failed authentication attempts. The preauth call must be used in such a case. Due to complications in the way the PAM stack can be configured it is also possible to call pam_faillock as an account module. In such a configuration the module must also be called in the preauth stage.
fail_interval=n
The length of the interval during which the consecutive authentication failures must happen for the user account lock out is n seconds. The default is 900 (15 minutes).
unlock_time=n
The access will be re-enabled n seconds after the lock out. The default is 600 (10 minutes). If n is set to never or 0 the access will not be re-enabled at all until the administrator explicitly re-enables it with the faillock command. Note though that the default directory that pam_faillock uses is usually cleared on system boot, so the access will also be re-enabled after a system reboot. If that is undesirable a different tally directory must be set with the dir option. Also note that it is usually undesirable to permanently lock out users, as they can easily become a target of a denial of service attack unless the usernames are random and kept secret from potential attackers.
even_deny_root
The root account can become locked as well as regular accounts.
root_unlock_time=n
This option implies the even_deny_root option. Allow access to the root account n seconds after the account is locked. If the option is not specified the value is the same as that of the unlock_time option.
audit
Will log the user name into the system log if the user is not found.
silent
Don't print informative messages. This option is implicit in the authfail and authsucc functions.
Method-1: Lock user account after failed login attempts by manually updating pam.d configuration files
This method is not recommended. The configuration change must be made inside /etc/pam.d/system-auth and /etc/pam.d/password-auth. The following configuration lines are required to lock a user after 3 failed login attempts:
auth required pam_faillock.so preauth silent deny=3 unlock_time=600
auth required pam_faillock.so authfail deny=3 unlock_time=600
account required pam_faillock.so
Following is a sample content of /etc/pam.d/system-auth (output trimmed):
Following is a sample content of /etc/pam.d/password-auth (output trimmed):
The sequence of the lines in these files (/etc/pam.d/system-auth and /etc/pam.d/password-auth) is important: any change in the sequence may result in locking all user accounts, including root when you are using the even_deny_root option.
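Because the ordering matters, it is worth checking it mechanically rather than by eye. The script below is an added example, not part of the original article: it verifies that a PAM file has the Method-1 layout (preauth before pam_unix.so, authfail after it, plus an account line), using two constructed sample files.

```shell
#!/bin/sh
# Added example, not from the original article: verify that the pam_faillock
# lines sit in the Method-1 order (preauth before pam_unix.so, authfail after
# it, plus an account line). The two PAM files below are constructed samples.

# check_faillock_order FILE -> exit 0 if the order is right, 1 otherwise
check_faillock_order() {
    pre=$(grep -nE '^auth[[:space:]].*pam_faillock\.so[[:space:]]+preauth' "$1" | cut -d: -f1 | head -n1)
    unix=$(grep -nE '^auth[[:space:]].*pam_unix\.so' "$1" | cut -d: -f1 | head -n1)
    fail=$(grep -nE '^auth[[:space:]].*pam_faillock\.so[[:space:]]+authfail' "$1" | cut -d: -f1 | head -n1)
    acct=$(grep -cE '^account[[:space:]].*pam_faillock\.so' "$1" || true)
    if [ -z "$pre" ] || [ -z "$unix" ] || [ -z "$fail" ]; then
        echo "$1: missing pam_faillock preauth/authfail or pam_unix line"; return 1
    fi
    if [ "$pre" -ge "$unix" ] || [ "$fail" -le "$unix" ]; then
        echo "$1: wrong order (preauth=$pre pam_unix=$unix authfail=$fail)"; return 1
    fi
    if [ "$acct" -lt 1 ]; then
        echo "$1: no 'account ... pam_faillock.so' line"; return 1
    fi
    echo "$1: pam_faillock order OK"
}

GOOD_PAM=$(mktemp); BAD_PAM=$(mktemp)
trap 'rm -f "$GOOD_PAM" "$BAD_PAM"' EXIT
# constructed sample in the correct order
cat > "$GOOD_PAM" <<'EOF'
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent deny=3 unlock_time=600
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_faillock.so authfail deny=3 unlock_time=600
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
EOF
# constructed sample with authfail moved in front of pam_unix.so
cat > "$BAD_PAM" <<'EOF'
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent deny=3 unlock_time=600
auth        required      pam_faillock.so authfail deny=3 unlock_time=600
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_faillock.so
EOF

check_faillock_order "$GOOD_PAM"
check_faillock_order "$BAD_PAM" || echo "(misordered sample rejected as expected)"
```

Run it against /etc/pam.d/system-auth and /etc/pam.d/password-auth after any manual edit; a non-zero exit means the file should not be trusted until the order is corrected.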
Method-2: Lock user account after failed login attempts using authconfig command line
If your Linux server supports pam_faillock, you can use authconfig to enable or disable this feature. In RHEL/CentOS 6 and 7, authconfig-6.2.8-19 and above supports pam_faillock.
To enable faillock and lock user account after 3 failed passwords (executed on CentOS 7):
~]# authconfig --enablefaillock --faillockargs="deny=3 unlock_time=600" --update
Verify that faillock is enabled properly:
~]# grep -i faillock /etc/sysconfig/authconfig
FAILLOCKARGS="deny=3 unlock_time=600"
USEFAILLOCK=yes
You can also see that the configuration has been automatically added into /etc/pam.d/system-auth and /etc/pam.d/password-auth:
~]# grep -Ei faillock /etc/pam.d/{system-auth,password-auth}
/etc/pam.d/system-auth:auth required pam_faillock.so preauth silent deny=3 unlock_time=600
/etc/pam.d/system-auth:auth required pam_faillock.so authfail deny=3 unlock_time=600
/etc/pam.d/system-auth:account required pam_faillock.so
/etc/pam.d/password-auth:auth required pam_faillock.so preauth silent deny=3 unlock_time=600
/etc/pam.d/password-auth:account required pam_faillock.so
/etc/pam.d/password-auth:auth required pam_faillock.so authfail deny=3 unlock_time=600
So you don't have to worry about the line numbers; authconfig takes care of the order in which these lines are inserted.
To disable faillock you can simply execute:
~]# authconfig --disablefaillock --update
Method-3: Lock user account after failed login attempts using authselect
authselect is the replacement for authconfig in RHEL/CentOS 8. You can enable the faillock module by simply executing:
~]# authselect enable-feature with-faillock
Next you can configure faillock using /etc/security/faillock.conf:
~]# grep -vE '^#|^$' /etc/security/faillock.conf
silent
deny = 3
unlock_time = 600
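To see what a faillock.conf actually enforces once the man-page defaults and options above (deny, fail_interval, unlock_time, dir, even_deny_root, root_unlock_time) are applied, here is an added example, not part of the original article or the faillock tool: it parses the key = value format shown above, fills in the documented defaults, and flags the case the man page warns about, a permanent lock (unlock_time = 0 or never) stored in the default tally directory that is cleared at boot. Both configuration files are constructed samples.

```shell
# Added example, not from the original article: summarise a faillock.conf
# policy using the man-page defaults (deny=3, fail_interval=900,
# unlock_time=600, dir=/var/run/faillock). The files below are constructed.

# faillock_conf_get FILE KEY DEFAULT -> last "KEY = value" in FILE, else DEFAULT
faillock_conf_get() {
    v=$(sed -nE "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*([^[:space:]#]+).*/\1/p" "$1" | tail -n1)
    echo "${v:-$3}"
}

# faillock_conf_has FILE KEYWORD -> 0 if a bare keyword (e.g. silent) is set
faillock_conf_has() {
    grep -qE "^[[:space:]]*$2[[:space:]]*(#.*)?$" "$1"
}

# faillock_policy FILE -> one-line summary; exit 2 when the lock is permanent
# but the tally directory is the default one that is cleared at reboot
faillock_policy() {
    deny=$(faillock_conf_get "$1" deny 3)
    interval=$(faillock_conf_get "$1" fail_interval 900)
    unlock=$(faillock_conf_get "$1" unlock_time 600)
    dir=$(faillock_conf_get "$1" dir /var/run/faillock)
    root=no   # root_unlock_time implies even_deny_root (man page)
    if faillock_conf_has "$1" even_deny_root || [ -n "$(faillock_conf_get "$1" root_unlock_time '')" ]; then root=yes; fi
    echo "deny=$deny within ${interval}s, unlock after ${unlock}s, root locked: $root, tally dir: $dir"
    case "$unlock" in
        0|never) [ "$dir" = /var/run/faillock ] && return 2 ;;
    esac
    return 0
}

CONF_A=$(mktemp); CONF_B=$(mktemp); trap 'rm -f "$CONF_A" "$CONF_B"' EXIT
cat > "$CONF_A" <<'EOF'
# constructed: the minimal policy shown above
silent
deny = 3
unlock_time = 600
EOF
cat > "$CONF_B" <<'EOF'
# constructed: permanent lock kept in the default tally dir
deny = 5
unlock_time = never
even_deny_root
root_unlock_time = 300
EOF
faillock_policy "$CONF_A"
faillock_policy "$CONF_B" || echo "warning: permanent lock but /var/run/faillock is cleared at boot; set dir= to a persistent path"
```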
To disable this feature, simply execute:
~]# authselect disable-feature with-faillock
Verify pam_faillock configuration
Now that we have configured account lock out after 3 failed password attempts, let's verify it for user1:
Apr 12 23:50:41 server-2 sshd[120425]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2 user=user1
Apr 12 23:50:43 server-2 sshd[120425]: Failed password for user1 from 10.0.2.2 port 51995 ssh2  <-- First attempt with incorrect password
Apr 12 23:50:47 server-2 sshd[120425]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2 user=user1
Apr 12 23:50:49 server-2 sshd[120425]: Failed password for user1 from 10.0.2.2 port 51995 ssh2  <-- Second attempt with incorrect password
Apr 12 23:50:54 server-2 sshd[120425]: pam_faillock(sshd:auth): Consecutive login failures for user user1 account temporarily locked
Apr 12 23:50:56 server-2 sshd[120425]: Failed password for user1 from 10.0.2.2 port 51995 ssh2  <-- Third attempt with incorrect password (Account locked by pam_faillock)
To list the failed login counters use:
To unlock the user immediately, you just need to reset the failed login counters:
~]# faillock --reset --user user1
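The lockout message that pam_faillock writes to the system log is the signal a defender wants to alert on. The script below is an added example, not part of the original article: it extracts pam_faillock lockout events, per-user failed-password counts and the source hosts from an sshd log excerpt. The log lines are the ones from the verification above plus one constructed line for a different user and host; on a real host you would feed it /var/log/secure or journalctl output instead.

```shell
# Added example, not from the original article: pull pam_faillock lockouts and
# failed-password statistics out of an sshd log. The excerpt below repeats the
# lines shown above plus one constructed line (user admin from 10.0.2.9).

LOG=$(mktemp); trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Apr 12 23:50:41 server-2 sshd[120425]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2 user=user1
Apr 12 23:50:43 server-2 sshd[120425]: Failed password for user1 from 10.0.2.2 port 51995 ssh2
Apr 12 23:50:47 server-2 sshd[120425]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2 user=user1
Apr 12 23:50:49 server-2 sshd[120425]: Failed password for user1 from 10.0.2.2 port 51995 ssh2
Apr 12 23:50:54 server-2 sshd[120425]: pam_faillock(sshd:auth): Consecutive login failures for user user1 account temporarily locked
Apr 12 23:50:56 server-2 sshd[120425]: Failed password for user1 from 10.0.2.2 port 51995 ssh2
Apr 12 23:51:10 server-2 sshd[120430]: Failed password for invalid user admin from 10.0.2.9 port 51996 ssh2
EOF

# failed_password_count FILE USER -> number of "Failed password for USER" lines
failed_password_count() {
    grep -cE "sshd\[[0-9]+\]: Failed password for (invalid user )?$2 from " "$1" || true
}

# locked_users FILE -> space-separated users that pam_faillock reported as locked
locked_users() {
    awk '/pam_faillock\(.*\): Consecutive login failures for user / {
            for (i = 1; i <= NF; i++) if ($i == "user") { u = $(i+1); break }
            if (!(u in seen)) { seen[u] = 1; out = out (out ? " " : "") u }
         }
         END { print out }' "$1"
}

# offending_hosts FILE -> "rhost count" for every source of failed passwords
offending_hosts() {
    awk '/Failed password for/ { for (i = 1; i <= NF; i++) if ($i == "from") c[$(i+1)]++ }
         END { for (h in c) print h, c[h] }' "$1" | sort
}

echo "user1 failed passwords: $(failed_password_count "$LOG" user1)"
echo "accounts locked by pam_faillock: $(locked_users "$LOG")"
offending_hosts "$LOG"
```

The locked_users list tells you whom to check with faillock before deciding whether a reset is appropriate, and offending_hosts shows whether the failures came from one source, which is the pattern of a password-guessing attempt rather than a forgotten password.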
Summary
The pam_faillock module maintains a list of failed authentication attempts per user during a specified interval and locks the account if there were more than deny consecutive failed authentications. The setup of pam_faillock in the PAM stack differs from the pam_tally2 setup. Normally, failed attempts to authenticate root will not cause the root account to become blocked, to prevent denial of service. It is not recommended to modify the pam.d configuration files manually; /etc/security/faillock.conf should be used instead.
Further Readings
What is pam_faillock and how to use it in Red Hat Enterprise Linux?
pam_tally2 and faillock
How to lock or unlock a root and normal user account using pam_tally2 and pam_faillock after certain number of failed login attempts in Linux