[Linux] Setting the Account Lockout Threshold with PAM faillock

📌 Table of Contents
  1. Introduction
  2. Environment (Supported Versions)
  3. Backup Prerequisites
  4. Method 1: Using authselect
  5. Faillock Configuration
  6. Testing the Lockout
  7. Method 2: Manual PAM Edits
  8. Priority: faillock.conf vs PAM Files
  9. Conclusion & Tips

Introduction

When addressing Linux system security vulnerabilities, one essential safeguard is implementing account lockout after a certain number of failed login attempts. The pam_faillock.so module is designed for this purpose—allowing administrators to lock a user account once login failures exceed a defined deny threshold.

This module functions similarly to the older pam_tally2 but provides enhanced flexibility. Locking accounts effectively protects against brute-force attacks and unauthorized access attempts.


Environment (Supported Versions)

This guide shows how to configure account lockout in Linux using pam_faillock.so, particularly on RHEL 8 and newer. Whereas RHEL 7 and earlier relied on manual edits of system-auth and password-auth, modern systems encourage using authselect for safer and more maintainable configuration.


Supported environments

  • RHEL 8, RHEL 9
  • Required minimum package versions (for RHEL 8.2 and older, updates may be necessary):
    • authselect-1.2.1-2.el8 or newer
    • pam-1.3.1-8.el8 or newer

Backup Prerequisites

Always back up configuration files before modifying PAM settings. A minor typo can lead to login failures or worse.

[root@rhel8 ~]# cp /etc/pam.d/system-auth /etc/pam.d/system-auth_20231127
[root@rhel8 ~]# cp /etc/pam.d/password-auth /etc/pam.d/password-auth_20231127

Method 1: Using authselect

Step 1: Check your current profile

[root@rhel8 ~]# authselect current
Profile ID: sssd
Enabled features:
- with-fingerprint
- with-silent-lastlog

[root@rhel8 ~]# grep faillock /etc/pam.d/password-auth

Step 2: Enable with-faillock

[root@rhel8 ~]# authselect enable-feature with-faillock
Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

If you encounter an integrity error, force the update

[root@rhel8 ~]# authselect select sssd with-faillock --force

Step 3: Verify the configuration

[root@rhel8 ~]# authselect current
Profile ID: sssd
Enabled features:
- with-fingerprint
- with-silent-lastlog
- with-faillock

[root@rhel8 ~]# grep faillock /etc/pam.d/password-auth

You'll notice the following lines added to the PAM files

auth        required pam_faillock.so preauth silent
auth        required pam_faillock.so authfail
account     required pam_faillock.so
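Before and after running the authselect steps, it is worth checking mechanically that all three lines are really present in both PAM service files. The following bash script is an added example and not part of the original post or of authselect: it backs up a PAM file with the same date-suffix convention used in the Backup Prerequisites section and then audits the file for the preauth, authfail and account lines. The sample password-auth contents are constructed for the demonstration, and the helper names are my own.

```shell
#!/bin/bash
# Added example, not from the original post: back up a PAM service file the way
# the post does (FILE_YYYYMMDD) and audit it for the three pam_faillock.so lines
# that enabling the with-faillock feature is expected to add.
# The sample file contents below are constructed for the demonstration.

# Copy FILE to FILE_<today> and print the backup path.
pam_backup() {
    file=$1
    backup="${file}_$(date +%Y%m%d)"
    cp -p -- "$file" "$backup" && printf '%s\n' "$backup"
}

# Print, one per line, the names of the required faillock lines missing from FILE:
# preauth (auth), authfail (auth), account. Prints nothing when all are present.
# Commented-out lines do not count because each pattern is anchored at column 1.
missing_faillock_lines() {
    file=$1
    grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_faillock\.so[[:space:]]+preauth' "$file" \
        || echo preauth
    grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_faillock\.so[[:space:]]+authfail' "$file" \
        || echo authfail
    grep -Eq '^account[[:space:]]+required[[:space:]]+pam_faillock\.so' "$file" \
        || echo account
}

# Succeed (exit 0) only when FILE carries the complete faillock stack.
faillock_stack_complete() {
    [ -z "$(missing_faillock_lines "$1")" ]
}

# Constructed samples: a trimmed password-auth before and after enabling with-faillock.
workdir=$(mktemp -d)
cat > "$workdir/password-auth.before" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok
auth        required      pam_deny.so
account     required      pam_unix.so
EOF
cat > "$workdir/password-auth.after" <<'EOF'
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent
auth        sufficient    pam_unix.so nullok
auth        required      pam_faillock.so authfail
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
EOF

for f in "$workdir/password-auth.before" "$workdir/password-auth.after"; do
    if faillock_stack_complete "$f"; then
        echo "$f: faillock stack complete"
    else
        echo "$f: missing -> $(missing_faillock_lines "$f" | tr '\n' ' ')"
    fi
done
# On a real host, run pam_backup on /etc/pam.d/password-auth and
# /etc/pam.d/system-auth first, then point the same checks at both files.
```

The check deliberately requires the preauth line in the auth stack, the authfail line in the auth stack and the account line, since a stack that has only one or two of them will count failures without ever enforcing the lockout, or enforce it without recording anything.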

Faillock Configuration

Settings for faillock are stored in /etc/security/faillock.conf. Example configuration

[root@rhel8 ~]# cat /etc/security/faillock.conf | grep -v ^#
deny = 3
unlock_time = 600
silent

  • deny=<N>: Locks the account after N failed attempts
  • unlock_time=<N>: Unlocks the account N seconds after it was locked
  • silent: Suppresses the informational messages pam_faillock would otherwise print to the user


Testing the Lockout

To verify that the account lockout policy is working, you can simulate failed login attempts.

[hjun@rhel8 ~]$ su - testuser
Password:
su: Authentication failure
[hjun@rhel8 ~]$ su - testuser
Password:
su: Authentication failure
[hjun@rhel8 ~]$ ssh testuser@localhost

In this example, the user "testuser" fails twice via su and once via SSH, three failed authentications in total. Since the lockout threshold is set to deny = 3, any further login attempt will be blocked even when the correct password is used.

You can confirm that the account has been locked with the following command

[root@rhel8 ~]# faillock --user testuser
testuser:
When                Type  Source                                           Valid
2023-11-28 07:58:13 TTY   pts/1                                                V
2023-11-28 07:58:20 TTY   pts/1                                                V
2023-11-28 07:58:34 RHOST ::1                                                  V

At this point, even if you provide the correct password, the user will be denied access.

To restore access, reset the failure count

[root@rhel8 ~]# faillock --user testuser --reset

After resetting, the user will be able to log in again normally.
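When you script this verification, for instance in a post-change check or a monitoring job, you need to interpret the faillock output rather than eyeball it. The script below is an added example and not part of the original post: it counts the records in "faillock --user NAME" output that faillock still treats as valid (Valid column "V"; a record it no longer counts is shown as "I") and compares the count with the deny threshold. Both sample outputs are constructed, the first one reproducing the three failures from the walkthrough above, and the helper names are my own.

```shell
#!/bin/bash
# Added example, not from the original post: read the output of
# "faillock --user NAME" and decide whether the account has hit the deny threshold.
# Only records faillock still counts are tallied: the Valid column shows "V" for a
# valid failure and "I" for one it no longer counts. Sample outputs are constructed.

# Count valid failure records in faillock output stored in FILE.
# Record lines look like:  2023-11-28 07:58:13 TTY   pts/1   V
count_valid_failures() {
    awk '
        /:$/ || /^When/ { next }          # "user:" line and column header
        NF >= 5 && $NF == "V" { n++ }     # date time type source valid
        END { print n + 0 }
    ' "$1"
}

# Succeed (exit 0) when COUNT has reached DENY, i.e. the account is locked out.
is_locked_out() {
    [ "$1" -ge "$2" ]
}

workdir=$(mktemp -d)
# Constructed sample 1: the three failures from the post's walkthrough.
cat > "$workdir/testuser.locked" <<'EOF'
testuser:
When                Type  Source                                           Valid
2023-11-28 07:58:13 TTY   pts/1                                                V
2023-11-28 07:58:20 TTY   pts/1                                                V
2023-11-28 07:58:34 RHOST ::1                                                  V
EOF
# Constructed sample 2: one record is marked invalid (I), so only two still count.
cat > "$workdir/testuser.open" <<'EOF'
testuser:
When                Type  Source                                           Valid
2023-11-28 07:58:13 TTY   pts/1                                                I
2023-11-28 08:40:02 TTY   pts/1                                                V
2023-11-28 08:40:10 RHOST ::1                                                  V
EOF

deny=3   # matches "deny = 3" in the post's faillock.conf
for f in "$workdir/testuser.locked" "$workdir/testuser.open"; do
    n=$(count_valid_failures "$f")
    if is_locked_out "$n" "$deny"; then
        echo "$f: $n valid failures, locked (clear with: faillock --user testuser --reset)"
    else
        echo "$f: $n valid failures, $((deny - n)) more would lock the account"
    fi
done
```

On a live system, replace the constructed files with `faillock --user testuser > /tmp/testuser.out` and feed that file to count_valid_failures; the deny value should come from the effective configuration (see the precedence section below), not from a hard-coded constant.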

Method 2: Manual PAM Edits

If you choose not to use authselect, add the following manually into system-auth and password-auth

[root@rhel8 ~]# cat /etc/pam.d/system-auth
# Generated by authselect on Tue Nov 28 08:24:36 2023
# Do not modify this file manually.

auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        required                                     pam_faillock.so preauth silent audit deny=10 unlock_time=30      ## add line
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
auth        sufficient                                   pam_unix.so nullok
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        sufficient                                   pam_sss.so forward_pass
auth        required                                     pam_faillock.so authfail audit deny=10 unlock_time=30           ## add line
auth        required                                     pam_deny.so

account     required                                     pam_faillock.so                                                 ## add line
account     required                                     pam_unix.so
account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_usertype.so issystem
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required                                     pam_permit.so

password    requisite                                    pam_pwquality.so local_users_only
password    sufficient                                   pam_unix.so sha512 shadow nullok use_authtok
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
-session    optional                                     pam_systemd.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so
session     optional                                     pam_sss.so
[root@rhel8 ~]# cat /etc/pam.d/password-auth
# Generated by authselect on Tue Nov 28 08:24:36 2023
# Do not modify this file manually.

auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        required                                     pam_faillock.so preauth silent audit deny=10 unlock_time=30   ## add line
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
auth        sufficient                                   pam_unix.so nullok
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        sufficient                                   pam_sss.so forward_pass
auth        required                                     pam_faillock.so authfail audit deny=10 unlock_time=30         ## add line
auth        required                                     pam_deny.so

account     required                                     pam_faillock.so                                               ## add line
account     required                                     pam_unix.so
account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_usertype.so issystem
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required                                     pam_permit.so

password    requisite                                    pam_pwquality.so local_users_only
password    sufficient                                   pam_unix.so sha512 shadow nullok use_authtok
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
-session    optional                                     pam_systemd.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so
session     optional                                     pam_sss.so

Priority: faillock.conf vs PAM Files

In Linux, account lockout settings can be configured either in the /etc/security/faillock.conf file or directly within PAM configuration files like /etc/pam.d/system-auth or password-auth. However, these configurations do not have the same level of precedence.

When both are present and contain different values, the settings in the PAM configuration files will take priority over those defined in faillock.conf.

Example scenario

/etc/security/faillock.conf:

deny = 3
unlock_time = 600

/etc/pam.d/password-auth (or system-auth):

pam_faillock.so ... deny=10 unlock_time=30

In this configuration, even though faillock.conf sets the lockout threshold to 3, the actual behavior follows the PAM file's deny=10. For instance, if a user enters the wrong password six times and succeeds on the seventh attempt, the login will still succeed, demonstrating that the PAM file overrides the faillock.conf setting.
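To make this rule concrete, here is an added example (my own bash helpers, not part of the original post or of pam_faillock) that reads a faillock.conf and a PAM service file and reports the effective deny and unlock_time, applying the precedence described above. It serves both the Faillock Configuration section and this one: the sample files are constructed inline with the values from those sections (deny = 3 / unlock_time = 600 in faillock.conf, deny=10 unlock_time=30 on the module lines). It also flags a mistake that the manual edits in Method 2 avoid, namely preauth and authfail lines that disagree on a value.

```shell
#!/bin/bash
# Added example, not from the original post: resolve the effective pam_faillock
# settings the way the post describes, where key=value options on the
# pam_faillock.so lines in a PAM file override "key = value" entries in
# /etc/security/faillock.conf. It also flags preauth and authfail lines that
# carry different values for the same option.
# All sample files below are constructed; the helper names are my own.

# Value of KEY from a faillock.conf-style file (first "KEY = value" line), else empty.
conf_value() {
    key=$1; file=$2
    sed -n -E "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*([^[:space:]#]+).*/\1/p" "$file" | head -n 1
}

# All "KEY=value" values found on uncommented pam_faillock.so lines, one per line.
pam_option_values() {
    key=$1; file=$2
    grep -E '^[^#]*pam_faillock\.so' "$file" \
        | grep -oE "(^|[[:space:]])${key}=[^[:space:]]+" \
        | sed -E "s/.*${key}=//"
}

# Effective value of KEY: the PAM-file option wins, faillock.conf is the fallback.
effective_value() {
    key=$1; pamfile=$2; conf=$3
    v=$(pam_option_values "$key" "$pamfile" | head -n 1)
    if [ -n "$v" ]; then
        printf '%s\n' "$v"
    else
        conf_value "$key" "$conf"
    fi
}

# Succeed when every pam_faillock.so line that sets KEY agrees on its value.
pam_option_consistent() {
    distinct=$(pam_option_values "$1" "$2" | sort -u | wc -l | tr -d ' ')
    [ "$distinct" -le 1 ]
}

workdir=$(mktemp -d)
cat > "$workdir/faillock.conf" <<'EOF'
# constructed, same values as the post
deny = 3
unlock_time = 600
silent
EOF
# authselect-style stack: no options on the module lines, so faillock.conf applies
cat > "$workdir/system-auth.authselect" <<'EOF'
auth        required      pam_faillock.so preauth silent
auth        required      pam_faillock.so authfail
account     required      pam_faillock.so
EOF
# manually edited stack from the post: options on the module lines take priority
cat > "$workdir/system-auth.manual" <<'EOF'
auth        required      pam_faillock.so preauth silent audit deny=10 unlock_time=30
auth        required      pam_faillock.so authfail audit deny=10 unlock_time=30
account     required      pam_faillock.so
EOF
# mistaken edit: preauth and authfail disagree on deny
cat > "$workdir/system-auth.mismatch" <<'EOF'
auth        required      pam_faillock.so preauth silent audit deny=5 unlock_time=30
auth        required      pam_faillock.so authfail audit deny=10 unlock_time=30
account     required      pam_faillock.so
EOF

for f in "$workdir"/system-auth.*; do
    for key in deny unlock_time; do
        echo "$(basename "$f"): effective $key = $(effective_value "$key" "$f" "$workdir/faillock.conf")"
        pam_option_consistent "$key" "$f" \
            || echo "$(basename "$f"): WARNING, pam_faillock.so lines disagree on $key"
    done
done
```

Point the same helpers at /etc/pam.d/system-auth, /etc/pam.d/password-auth and /etc/security/faillock.conf to see which values a host really enforces; a disagreement warning means the two auth lines will not behave as one policy and should be made identical.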

Summary

To ensure the lockout policy works as intended, always check and configure the PAM files directly. The faillock.conf file alone is not sufficient if conflicting rules exist in the PAM stack.


Conclusion & Tips

This guide has walked through both the recommended method (via authselect) and the manual method for enforcing account lockout with pam_faillock on modern RHEL environments.

Best practices to remember:

  • Always back up before modifying PAM configurations.
  • Prefer authselect where it is supported, but do not neglect systems that were configured through manual edits.
  • Tune faillock to balance security with availability, so that legitimate users are not locked out by accident.
