Strengthening Security: Implementing Account Lockout After Failed Password Attempts in Linux

saklaniaman
2 min read · Jul 17, 2023


In the world of cybersecurity, safeguarding user accounts from unauthorized access is paramount. One effective method to enhance account security is by implementing an account lockout policy after a specified number of failed password attempts. In this Medium blog post, we will explore how to configure account lockout in Linux, enabling you to fortify your system against brute-force attacks. By enforcing this policy, you ensure that after a certain number of unsuccessful login attempts, the account becomes temporarily locked, preventing malicious actors from gaining unauthorized access.

Prerequisites:

Before proceeding, ensure you have:

  1. A Linux-based operating system.
  2. Administrative access to the system.

Step 1: Installing the pam_tally2 Utility:

First, log in as the root user in the terminal or use the sudo command to execute commands with root privileges. Install the pam_tally2 utility if it’s not already installed:

# For Red Hat-based systems:
yum install pam

# For Debian-based systems:
sudo apt-get install libpam-modules

Step 2: Modifying PAM Configuration for Account Lockout:

To enable the account lockout functionality, we need to modify the system’s PAM configuration file. Open the /etc/pam.d/system-auth file in a text editor:

sudo vi /etc/pam.d/system-auth

Locate the line that contains the auth rule for the pam_unix.so module. The deny= option belongs to the pam_tally2.so module, not to pam_unix.so (pam_unix logs it as an unrecognized option and ignores it), so add a pam_tally2.so rule carrying deny=3 directly above that line instead of appending the parameter to it:

auth required pam_tally2.so deny=3
auth required pam_unix.so sha512 shadow nodelay

This configuration specifies that the account will be denied access after three failed login attempts.

Save and exit the file.

Step 3: Configuring Account Lockout Duration:

Now, we need to modify the account section of the PAM configuration file to include the account lockout feature. Open the /etc/pam.d/password-auth file:

sudo vi /etc/pam.d/password-auth

Locate the line that contains the account rule for the pam_unix.so module and add an account rule for pam_tally2.so above it; this rule resets the failure counter after a successful login. The lockout duration itself is set with unlock_time=300 on the pam_tally2.so auth rule, since pam_unix.so does not understand the deny or unlock_time options:

auth    required pam_tally2.so deny=3 unlock_time=300
account required pam_tally2.so
account required pam_unix.so sha512 shadow

This configuration specifies that the account will be locked for 300 seconds (5 minutes) after three failed login attempts.

Save and exit the file.
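The two edits above are easy to get subtly wrong, and PAM gives little feedback when they are: pam_unix.so silently ignores deny= and unlock_time=, a pam_tally2.so auth rule listed after a sufficient pam_unix.so is bypassed by a correct password, and without an account rule the counter is never reset. The following checker is an added example, not code from the post or from Linux-PAM. It parses the /etc/pam.d line format used by system-auth and password-auth (also common-auth and common-account on Debian-based systems), reports those mistakes, and extracts the effective deny/unlock_time policy. It treats pam_faillock.so, the module that replaces pam_tally2 in newer Linux-PAM releases, as equivalent for this purpose. The two embedded configurations are constructed: one mirrors the lines exactly as the post originally gave them, the other the corrected stack from Steps 2 and 3.

```python
"""Audit a PAM stack for a working account-lockout configuration.

Added example, not part of the original post or of Linux-PAM. It models only
what the check needs: deny= and unlock_time= are options of pam_tally2.so
(or pam_faillock.so), the lockout auth rule must run before pam_unix.so, and
the account rule is what resets the failure counter after a good login.
"""
from __future__ import annotations
from dataclasses import dataclass, field

LOCKOUT_MODULES = {"pam_tally2.so", "pam_faillock.so"}

# Constructed sample: the lines as the post originally gave them.
AS_POSTED = """
auth     required pam_unix.so sha512 shadow nodelay deny=3
account  required pam_unix.so sha512 shadow deny=3 unlock_time=300
"""

# Constructed sample: the corrected stack from Steps 2 and 3.
CORRECTED = """
auth     required pam_tally2.so deny=3 unlock_time=300
auth     required pam_unix.so sha512 shadow nodelay
account  required pam_tally2.so
account  required pam_unix.so sha512 shadow
"""


@dataclass
class PamRule:
    kind: str                     # auth | account | password | session
    control: str                  # required | sufficient | [success=1 ...]
    module: str                   # e.g. pam_unix.so
    options: dict = field(default_factory=dict)  # key -> value ('' if bare)


def parse_pam(text: str) -> list[PamRule]:
    """Parse /etc/pam.d syntax: comments, optional leading '-' on the type,
    bracketed control values such as [success=1 default=ignore], and
    key=value or bare-flag options. @include lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        parts = line.split()
        kind = parts[0].lstrip("-").lower()
        if parts[1].startswith("["):
            end = next(i for i, p in enumerate(parts) if p.endswith("]"))
            control, rest = " ".join(parts[1:end + 1]), parts[end + 1:]
        else:
            control, rest = parts[1], parts[2:]
        options = {}
        for opt in rest[1:]:
            key, _, value = opt.partition("=")
            options[key] = value
        rules.append(PamRule(kind, control, rest[0], options))
    return rules


def audit_lockout(text: str) -> list[str]:
    """Return human-readable findings; an empty list means the stack is sound."""
    rules = parse_pam(text)
    findings = []
    for r in rules:
        if r.module == "pam_unix.so":
            for key in ("deny", "unlock_time"):
                if key in r.options:
                    findings.append(f"{r.kind}: '{key}=' on pam_unix.so is not a "
                                    "pam_unix option and is ignored")
    auth = [r for r in rules if r.kind == "auth"]
    tally = [r for r in auth if r.module in LOCKOUT_MODULES]
    if not tally:
        findings.append("auth: no pam_tally2.so/pam_faillock.so rule, lockout is not enforced")
    else:
        t = tally[0]
        if "deny" not in t.options:
            findings.append("auth: lockout rule has no deny=, module default applies")
        if "unlock_time" not in t.options:
            findings.append("auth: no unlock_time=, accounts stay locked until reset by hand")
        # A 'sufficient' pam_unix.so that succeeds ends the stack before the
        # lockout rule is reached, so a correct password defeats the lock.
        for i, r in enumerate(auth):
            if r.module == "pam_unix.so" and r.control == "sufficient" and i < auth.index(t):
                findings.append("auth: lockout rule follows a sufficient pam_unix.so and is bypassed")
    if not any(r.kind == "account" and r.module in LOCKOUT_MODULES for r in rules):
        findings.append("account: no pam_tally2.so/pam_faillock.so rule, counter is never reset")
    return findings


def lockout_policy(text: str) -> tuple[int | None, int | None]:
    """Effective (deny, unlock_time) taken from the first lockout auth rule."""
    for r in parse_pam(text):
        if r.kind == "auth" and r.module in LOCKOUT_MODULES:
            deny, unlock = r.options.get("deny"), r.options.get("unlock_time")
            return (int(deny) if deny else None, int(unlock) if unlock else None)
    return (None, None)


if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(f"[{name}] policy (deny, unlock_time) = {lockout_policy(cfg)}")
        for finding in audit_lockout(cfg) or ["no findings"]:
            print("  -", finding)
```

Run it against a real file with `audit_lockout(open("/etc/pam.d/system-auth").read())`. On Red Hat-based systems both system-auth and password-auth should carry the same pam_tally2.so rules, since sshd and the console use different files; a locked account can be inspected and cleared with `pam_tally2 --user=<name>` and `pam_tally2 --user=<name> --reset`.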

By implementing an account lockout policy with the pam_tally2 module in Linux, you enhance the security of your user accounts significantly. This proactive approach acts as a powerful deterrent against brute-force attacks, safeguarding your system from unauthorized access. Embrace these security measures to fortify your Linux environment and protect your valuable data. Stay one step ahead in the realm of cybersecurity, ensuring your accounts remain safe and resilient in the face of potential threats. Happy securing and happy Linux administration!
