Configuring the pam_tally2 PAM
To make this magic work, we'll rely on our good friend, the PAM. The pam_tally2 module comes already installed on both CentOS and Ubuntu, but it isn't configured. For both of our virtual machines, we'll be editing the /etc/pam.d/login file. Figuring out how to configure it is easy because there's an example at the bottom of the pam_tally2 man page:
EXAMPLES
    Add the following line to /etc/pam.d/login to lock the account after
    4 failed logins. Root account will be locked as well. The accounts will be
    automatically unlocked after 20 minutes. The module does not have to be
    called in the account phase because the login calls pam_setcred(3)
    correctly.

    auth     required  pam_securetty.so
    auth     required  pam_tally2.so deny=4 even_deny_root unlock_time=1200
    auth     required  pam_env.so
    auth     required  pam_unix.so
    auth     required  pam_nologin.so
    account  required  pam_unix.so
    password required  pam_unix.so
    session  required  pam_limits.so
    session  required  pam_unix.so
    session  required  pam_lastlog.so nowtmp
    session  optional  pam_mail.so standard
In the second line of the example, we see that pam_tally2 is set with the following:
- deny=4: This means that the user account under attack will get locked out after only four failed login attempts.
- even_deny_root: This means that even the root user account will get locked if it's under attack.
- unlock_time=1200: The account will get automatically unlocked after 1,200 seconds, or 20 minutes.
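Before touching a live system it helps to be able to check, from a copy of the stack file, that the pam_tally2 line is present with the settings you intend. The following script is an added example, not code from the book: it parses a /etc/pam.d/login-style file (the sample text is the man page stack above, constructed inline), pulls out deny, even_deny_root and unlock_time, and confirms that pam_tally2.so sits in the auth phase ahead of pam_unix.so, so the counter is bumped before the password is checked. The function names are my own.

```python
"""Audit a PAM stack file for a pam_tally2 lockout line.

Added example (not from the book): reads a /etc/pam.d/login-style
stack and reports how pam_tally2 is configured, so a hardening check
can confirm deny / even_deny_root / unlock_time before any login is
attempted.
"""
import re

# Constructed sample: the stack from the pam_tally2 man page example.
SAMPLE_LOGIN = """\
auth     required  pam_securetty.so
auth     required  pam_tally2.so deny=4 even_deny_root unlock_time=1200
auth     required  pam_env.so
auth     required  pam_unix.so
auth     required  pam_nologin.so
account  required  pam_unix.so
password required  pam_unix.so
session  required  pam_limits.so
session  required  pam_unix.so
session  required  pam_lastlog.so nowtmp
session  optional  pam_mail.so standard
"""


def parse_pam_stack(text):
    """Return a list of (type, control, module, args) tuples.

    Comments and blank lines are skipped; backslash continuation lines
    are joined first. Bracketed control values such as
    [success=1 default=ignore] are kept as one token.
    """
    joined = re.sub(r"\\\n\s*", " ", text)
    entries = []
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if not m:
            continue
        ptype, control, module, args = m.groups()
        entries.append((ptype, control, module, args.split()))
    return entries


def audit_tally2(text):
    """Summarise pam_tally2 settings in the auth phase.

    Returns None when no pam_tally2 auth line exists. Otherwise returns
    a dict with the parsed deny/unlock_time values (None if absent),
    whether root is covered, and whether the tally line precedes
    pam_unix.so in the auth stack.
    """
    auth = [e for e in parse_pam_stack(text) if e[0] == "auth"]
    tally_idx = next((i for i, e in enumerate(auth) if e[2] == "pam_tally2.so"), None)
    if tally_idx is None:
        return None
    opts = {}
    for arg in auth[tally_idx][3]:
        key, _, value = arg.partition("=")
        opts[key] = value if value else True
    unix_idx = next((i for i, e in enumerate(auth) if e[2] == "pam_unix.so"), None)
    return {
        "deny": int(opts["deny"]) if "deny" in opts else None,
        "unlock_time": int(opts["unlock_time"]) if "unlock_time" in opts else None,
        "even_deny_root": opts.get("even_deny_root") is True,
        "before_pam_unix": unix_idx is None or tally_idx < unix_idx,
    }


if __name__ == "__main__":
    # Point this at a real file with open("/etc/pam.d/login").read() on a live host.
    print(audit_tally2(SAMPLE_LOGIN))
```

Run it against your own file and treat a None result, a missing unlock_time, or before_pam_unix being False as findings to fix before relying on the lockout.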
Now, if you look at the actual login file on either of your virtual machines, you'll see that it doesn't look exactly like the example login file in the man page. That's okay; we'll still make it work.
Once you've configured the login file and have had a failed login, you'll see a new file created in the /var/log directory. You'll view information from that file with the pam_tally2 utility. You can also use pam_tally2 to manually unlock a locked account if you don't want to wait for the timeout period:
donnie@ubuntu-steemnode:~$ sudo pam_tally2
Login Failures Latest failure From
charlie 5 10/07/17 16:38:19
donnie@ubuntu-steemnode:~$ sudo pam_tally2 --user=charlie --reset
Login Failures Latest failure From
charlie 5 10/07/17 16:38:19
donnie@ubuntu-steemnode:~$ sudo pam_tally2
donnie@ubuntu-steemnode:~$
Note that, after I did the reset on Charlie's account, I received no output from doing another query.
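When you are checking a host rather than a single account, it is useful to turn the pam_tally2 table into a list of who is actually locked right now and when each lock expires. The script below is an added example, not code from the book: it parses output in the format shown above (the sample table is constructed, with a second row added to show the From column and a user below the threshold) and applies the deny and unlock_time values from the stack to decide which accounts are still refused at a given moment. Function names are my own.

```python
"""Parse pam_tally2 output and work out which accounts are still locked.

Added example (not from the book): given the table pam_tally2 prints
and the deny / unlock_time values from the PAM stack, report which
accounts are currently locked out and when each lock expires.
"""
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the book's output. charlie's failures
# came from the local console, so the From column is empty for him.
SAMPLE_OUTPUT = """\
Login           Failures Latest failure     From
charlie             5    10/07/17 16:38:19
alice               2    10/07/17 16:40:02  192.0.2.10
"""

ROW_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<failures>\d+)\s+"
    r"(?P<when>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s*(?P<src>\S*)\s*$"
)


def parse_tally(text):
    """Return one dict per user row; the header line does not match."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rows.append({
            "user": m["user"],
            "failures": int(m["failures"]),
            "latest": datetime.strptime(m["when"], "%m/%d/%y %H:%M:%S"),
            "source": m["src"] or None,
        })
    return rows


def locked_accounts(rows, deny, unlock_time, now):
    """Return {user: unlock_datetime} for accounts locked at `now`.

    Mirrors the module's rule: access is refused once failures reach
    `deny`, and the refusal lasts `unlock_time` seconds after the latest
    failure. A stack with no unlock_time (lock until manual reset) is
    not modelled here.
    """
    locked = {}
    for r in rows:
        if r["failures"] < deny:
            continue
        expires = r["latest"] + timedelta(seconds=unlock_time)
        if now < expires:
            locked[r["user"]] = expires
    return locked


if __name__ == "__main__":
    # On a live host: rows = parse_tally(subprocess.run(["pam_tally2"], ...).stdout)
    rows = parse_tally(SAMPLE_OUTPUT)
    now = datetime(2017, 10, 7, 16, 50, 0)  # constructed "current time"
    for user, until in locked_accounts(rows, deny=4, unlock_time=1200, now=now).items():
        print(f"{user} locked until {until:%H:%M:%S}")
```

With the book's settings (deny=4, unlock_time=1200), charlie at 5 failures is reported as locked until 16:58:19, and a query a few minutes after that shows him unlocked again without anyone running --reset.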