Lock account after 3 failed attempts.

Hi All -

Please help me configure account lockout after 3 failed login attempts in RHEL 6.5. Below is the current configuration of my system. However, the account is not getting locked out even after several failed logins.

[root@system1 log]# cat /etc/pam.d/password-auth
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_tally2.so deny=3 onerr=fail unlock_time=1200
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_tally2.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type= reject_username minlen=8 ucredit=-1 dcredit=-1 ocredit=-1 lcredit=-1
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
[root@stlsvrhl001 log]#


Use of the pam_tally2 module was the generally prescribed method for RHEL 5.4+. For RHEL 6, however, the current recommendations are to use pam_faillock.

The DISA STIGs include recommendations on how to configure pam_faillock appropriately.

Fix Text:
Utilizing "pam_faillock.so", the "fail_interval" directive configures the system to lock out accounts after a number of incorrect logon attempts.

Add the following "fail_interval" directives to "pam_faillock.so" immediately below the "pam_unix.so" statement in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth":

auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900

auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900

Note that the DISA security guides for EL6 are currently broken with regard to deployment of pam_faillock. They lack the "preauth" stanza that actually prevents retries after session termination. You need to add a line like:

auth required pam_faillock.so preauth silent audit deny=3 unlock_time=604800

Just before the pam_unix.so line.

The DISA STIGs for RHEL 6 are a poor resource. Consider the RHEL 6 Security Guide.

This will even work for Winbind Active Directory Accounts and local root login. Then put your name and STIG ID if it helps you remember for future changes.

Modified By Jordi Rubalcaba STIG ID: RHEL-06-000357

auth required pam_faillock.so preauth silent deny=3 even_deny_root unlock_time=604800 fail_interval=900
auth [default=die] pam_faillock.so authfail deny=3 even_deny_root unlock_time=604800 fail_interval=900

Modified By Jordi Rubalcaba STIG ID: RHEL-06-000357

account required pam_faillock.so
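A small checker for the layout the replies above describe, added here as an example and not code from the thread or from Red Hat: it confirms that a PAM stack file has the preauth stanza before pam_unix.so, the authfail stanza with [default=die] after it, and the account line. The function name check_faillock_stack, the SAMPLE_DIR scratch directory and the two sample stacks (the recommended pam_faillock layout and the original poster's pam_tally2 layout) are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: check that a PAM stack file carries the
# pam_faillock stanzas in the order the replies above describe.
# Exit 0 means the layout is right; 1 means a problem was printed.
check_faillock_stack() {
    f=$1
    # 1-based line numbers of the stanzas that matter (empty when absent)
    unix=$(awk '$1=="auth" && $3=="pam_unix.so" {print NR; exit}' "$f")
    pre=$(awk '$1=="auth" && $3=="pam_faillock.so" && /preauth/ {print NR; exit}' "$f")
    fail=$(awk '$1=="auth" && $3=="pam_faillock.so" && /authfail/ {print $2 ":" NR; exit}' "$f")
    acct=$(awk '$1=="account" && $3=="pam_faillock.so" {print NR; exit}' "$f")
    rc=0
    [ -n "$unix" ] || { echo "$f: no 'auth ... pam_unix.so' line"; return 1; }
    if [ -z "$pre" ]; then
        echo "$f: missing preauth stanza (no lock check before the password prompt)"; rc=1
    elif [ "$pre" -gt "$unix" ]; then
        echo "$f: preauth stanza must come before pam_unix.so"; rc=1
    fi
    if [ -z "$fail" ]; then
        echo "$f: missing authfail stanza (failures are never counted)"; rc=1
    else
        ctl=${fail%%:*}; ln=${fail##*:}
        [ "$ln" -gt "$unix" ] || { echo "$f: authfail stanza must follow pam_unix.so"; rc=1; }
        [ "$ctl" = "[default=die]" ] || { echo "$f: authfail should use [default=die], found $ctl"; rc=1; }
    fi
    [ -n "$acct" ] || { echo "$f: missing 'account required pam_faillock.so'"; rc=1; }
    return $rc
}

# Constructed sample stacks: the thread's recommended layout and the original
# poster's pam_tally2 layout, written to a scratch directory.
SAMPLE_DIR=$(mktemp -d)
cat >"$SAMPLE_DIR/faillock" <<'EOF'
auth required pam_faillock.so preauth silent audit deny=3 unlock_time=604800
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
auth required pam_deny.so
account required pam_faillock.so
EOF
cat >"$SAMPLE_DIR/tally2" <<'EOF'
auth required pam_tally2.so deny=3 onerr=fail unlock_time=1200
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_deny.so
account required pam_tally2.so
EOF
check_faillock_stack "$SAMPLE_DIR/faillock" && echo "faillock sample: OK"
check_faillock_stack "$SAMPLE_DIR/tally2" || echo "tally2 sample: pam_faillock not configured"
```

Run it against /etc/pam.d/system-auth and /etc/pam.d/password-auth after editing; both files need the same stanzas for the lockout to apply to every login path.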