Many security audits and checklists like the ones supplied by CIS or DISA STIG require locking user accounts after a number of unsuccessful login attempts. In Linux, this is usually achieved by using faillock / pam_faillock.so.
Using PAM
PAM (Pluggable Authentication Modules) is the framework modern Linux uses to customize the authentication and login process. This is why faillock hooks in there and was written as a PAM module (pam_faillock.so).
password-auth and/or system-auth
Depending on which login sources you want to lock, make your password-auth and/or system-auth file (both live in /etc/pam.d) look like this. Note that the order of the lines is important; see the comments!
# Load the PAM environment
auth        required      pam_env.so
# Faillock checks whether the user already has too many failed attempts. With "silent" it
# prints no message; it simply fails, and as a "required" module that failure makes the whole
# authentication fail even if the password entered afterwards is correct.
auth        required      pam_faillock.so preauth silent audit
# The regular Unix passwd/shadow login
auth        sufficient    pam_unix.so try_first_pass
# Reached only when pam_unix did not succeed: faillock records the failed attempt, and
# [default=die] ends the stack right here with a failure.
auth        [default=die] pam_faillock.so authfail audit
# Bottom of the stack: deny whatever got this far
auth        required      pam_deny.so
# Unix account check
account     required      pam_unix.so
# Faillock's account phase: clears the fail count once the login has succeeded
account     required      pam_faillock.so
<...>
/etc/security/faillock.conf
This is where you configure how many attempts are allowed, how long users stay locked, and many other parameters. OL8 and RHEL8 ship a default file with many example comments.
deny = 5
unlock_time = 900
Activate by Service Restart
To “activate” the changes, every service/daemon that authenticates through PAM needs a restart after the “auth” section has been changed, for example sshd:
# systemctl restart sshd
Checks and Operation
faillock Tool
Check how often the user tried to log in unsuccessfully:
# faillock --user usn
usn:
When                Type  Source                                           Valid
2024-06-12 12:33:14 RHOST 10.1.2.3                                             V
2024-06-12 12:33:22 RHOST 10.1.2.3                                             V
2024-06-12 12:33:37 RHOST 10.1.2.3                                             V
2024-06-12 12:33:54 RHOST 10.1.2.3                                             V
2024-06-12 12:34:04 RHOST 10.1.2.3                                             V
Reset failed login attempts:
# faillock --user usn --reset
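The faillock output alone does not say whether the account is locked right now; that depends on deny, fail_interval and unlock_time from faillock.conf and on the current time. The following added example (not code from the page or from faillock itself) reads both and works out the lock state. The faillock.conf text and the `faillock --user` output are constructed samples, and the counting rule approximates pam_faillock's tally check: only valid (V) records inside fail_interval count, and the lock lasts unlock_time after the latest failure.

```python
"""Evaluate `faillock --user` output against /etc/security/faillock.conf.
Added example; config and faillock output are constructed samples."""
from datetime import datetime, timedelta

# pam_faillock's documented defaults, used when faillock.conf does not set a value.
DEFAULTS = {"deny": 3, "fail_interval": 900, "unlock_time": 600}

# Constructed /etc/security/faillock.conf with the two settings from the page.
FAILLOCK_CONF = """\
# lock after 5 failures within fail_interval, unlock after 900 s
deny = 5
unlock_time = 900
"""

# Constructed `faillock --user usn` output (same records as on the page).
FAILLOCK_OUTPUT = """\
usn:
When                Type  Source                                           Valid
2024-06-12 12:33:14 RHOST 10.1.2.3                                             V
2024-06-12 12:33:22 RHOST 10.1.2.3                                             V
2024-06-12 12:33:37 RHOST 10.1.2.3                                             V
2024-06-12 12:33:54 RHOST 10.1.2.3                                             V
2024-06-12 12:34:04 RHOST 10.1.2.3                                             V
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_conf(text):
    """Read deny / fail_interval / unlock_time from faillock.conf text."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in conf:
            conf[key] = int(value)
    return conf


def parse_faillock(text):
    """Return (user, records); each record is (timestamp, type, source, valid)."""
    lines = text.strip().splitlines()
    user = lines[0].rstrip(":")
    records = []
    for line in lines[2:]:                          # skip the user and header lines
        parts = line.split()
        if len(parts) < 5:
            continue
        when = datetime.strptime(f"{parts[0]} {parts[1]}", TIME_FMT)
        records.append((when, parts[2], parts[3], parts[4] == "V"))
    return user, records


def lock_status(conf_text, faillock_text, now):
    """Decide whether the account is locked at `now` (a datetime).

    Only valid records inside fail_interval before `now` count; once deny is
    reached the lock lasts unlock_time after the latest failure (0 = forever)."""
    conf = parse_conf(conf_text)
    user, records = parse_faillock(faillock_text)
    valid = [r for r in records if r[3]]
    window_start = now - timedelta(seconds=conf["fail_interval"])
    recent = [r for r in valid if r[0] >= window_start]
    latest = max((r[0] for r in valid), default=None)
    locked, unlock_at = False, None
    if len(recent) >= conf["deny"] and latest is not None:
        if conf["unlock_time"] == 0:
            locked = True                           # permanent lock: needs --reset
        else:
            unlock_at = latest + timedelta(seconds=conf["unlock_time"])
            locked = now < unlock_at
    return {"user": user, "failures": len(recent), "locked": locked, "unlock_at": unlock_at}


def status_at(now_text, conf_text=FAILLOCK_CONF, faillock_text=FAILLOCK_OUTPUT):
    """Convenience wrapper: `now` as 'YYYY-MM-DD HH:MM:SS', unlock_at returned as text."""
    status = lock_status(conf_text, faillock_text, datetime.strptime(now_text, TIME_FMT))
    if status["unlock_at"] is not None:
        status["unlock_at"] = status["unlock_at"].strftime(TIME_FMT)
    return status


if __name__ == "__main__":
    for now_text in ("2024-06-12 12:40:00", "2024-06-12 12:55:00"):
        print(now_text, status_at(now_text))
```

With the five failures from the page, the account is locked at 12:40 and frees itself at 12:49:04; by 12:55 the failures have also fallen out of the 900-second fail_interval, so the count is back to zero without a `--reset`.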
Log File /var/log/secure
As Linux is Linux, we can watch it doing things in a log file. In this case the “secure” log shows successful and unsuccessful login attempts, logons, logoffs and so on. Faillock also logs there when it decides to lock an account.
# tail -1000f /var/log/secure
<...>
Jun 12 12:33:57 myhost sshd[319654]: Failed password for usn from 10.1.2.3 port 64059 ssh2
Jun 12 12:34:04 myhost sshd[319654]: pam_faillock(sshd:auth): Consecutive login failures for user usn account temporarily locked
<...>
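Tailing the log is fine for watching one host; for a routine check it helps to summarize it. The following added example (not code from the page) counts failed password attempts per user and source and lists the lockouts pam_faillock announced, using the two message formats shown above. The log lines are constructed samples in the same format as the page's two lines.

```python
"""Summarize faillock-related events in /var/log/secure.
Added example; the log lines below are constructed samples."""
import re
from collections import Counter

# Constructed sample of /var/log/secure: the two message shapes from the page,
# one attempt against a non-existent user, and one successful key login.
SECURE_LOG = """\
Jun 12 12:33:14 myhost sshd[319654]: Failed password for usn from 10.1.2.3 port 64059 ssh2
Jun 12 12:33:22 myhost sshd[319654]: Failed password for usn from 10.1.2.3 port 64059 ssh2
Jun 12 12:33:37 myhost sshd[319654]: Failed password for usn from 10.1.2.3 port 64059 ssh2
Jun 12 12:33:54 myhost sshd[319654]: Failed password for usn from 10.1.2.3 port 64059 ssh2
Jun 12 12:34:01 myhost sshd[319660]: Failed password for invalid user admin from 10.9.9.9 port 51022 ssh2
Jun 12 12:34:04 myhost sshd[319654]: pam_faillock(sshd:auth): Consecutive login failures for user usn account temporarily locked
Jun 12 12:34:04 myhost sshd[319654]: Failed password for usn from 10.1.2.3 port 64059 ssh2
Jun 12 12:35:10 myhost sshd[319671]: Accepted publickey for ops from 10.1.2.50 port 40012 ssh2
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host process[pid]: "
SYSLOG_PREFIX = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[\w.-]+)\[\d+\]: "
FAILED_RE = re.compile(
    SYSLOG_PREFIX + r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
LOCK_RE = re.compile(
    SYSLOG_PREFIX + r"pam_faillock\((?P<svc>[^:]+):auth\): "
    r"Consecutive login failures for user (?P<user>\S+) account temporarily locked"
)


def summarize(log_text):
    """Return (failures, lockouts): a Counter keyed by (user, source) and a list of lock events."""
    failures = Counter()
    lockouts = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures[(m["user"], m["src"])] += 1
            continue
        m = LOCK_RE.match(line)
        if m:
            lockouts.append({"time": m["ts"], "host": m["host"],
                             "service": m["svc"], "user": m["user"]})
    return failures, lockouts


def report(log_text, deny):
    """Report lines: (user, source) pairs with their failure count, flagged when they
    reached the deny threshold from faillock.conf, followed by the lockouts seen."""
    failures, lockouts = summarize(log_text)
    lines = []
    for (user, src), n in failures.most_common():
        flag = "  <-- reached deny threshold" if n >= deny else ""
        lines.append(f"{user:<12} {src:<16} {n:>3} failed{flag}")
    for ev in lockouts:
        lines.append(f"{ev['time']} {ev['service']}: user {ev['user']} locked on {ev['host']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SECURE_LOG, deny=5)))
```

For a live system, feed it the real file (`report(open("/var/log/secure").read(), deny=5)`) with the deny value taken from faillock.conf; a (user, source) pair that reaches the threshold without a matching lockout line is worth a look, because it means the failures did not go through a PAM stack that has faillock wired in.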