In Red Hat Enterprise Linux 6, faillog no longer exists. This is because Red Hat Enterprise Linux 6 makes pam_tally2 the default, which no longer uses faillog as pam_tally did.
By default, the pam_tally2 module is already installed on most Linux distributions, and it is controlled by the PAM package itself.
Note: I am using Red Hat Enterprise Linux Server release 5.6 (Tikanga).
[root@linux2 ~]# faillog -u splunk
[root@linux2 ~]# pam_tally2 -u splunk
Make a copy of system-auth-ac and add the following two lines (the pam_tally2.so entries, highlighted in yellow in the original) under /etc/pam.d/system-auth-ac
Note: for the faillog command, use the pam_tally lines (red in the original); for pam_tally2, use the pam_tally2 lines (yellow in the original).
Location: /etc/pam.d/system-auth-ac
[root@linux2 pam.d]# cat system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
auth required pam_tally2.so no_magic_root
auth required pam_tally.so no_magic_root
account required pam_tally.so deny=3 no_magic_root lock_time=180
account required pam_tally2.so deny=3 no_magic_root lock_time=180
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
[root@linux2 pam.d]#
Where,
deny=3 : Deny access if the tally for this user exceeds 3.
lock_time=180 : Always deny for 180 seconds after a failed attempt.
There is also an unlock_time=n option. It allows access n seconds after a failed attempt. If this option is used, the user is locked out for the specified amount of time after exceeding the maximum allowed attempts. Otherwise the account stays locked until the lock is removed by manual intervention of the system administrator.
magic_root : If the module is invoked by a user with uid=0, the counter is not incremented. The sysadmin should use this for user-launched services, like su; otherwise this argument should be omitted.
no_magic_root : Avoid root account locking if the module is invoked by a user with uid=0.
Display all failed login attempts for user splunk
[root@linux2 ~]# pam_tally2 -u splunk
Login           Failures Latest failure     From
splunk              6    05/28/16 13:39:14  192.168.2.14
[root@linux2 ~]#
[root@linux2 ~]# faillog -u splunk
Login       Failures Maximum Latest                   On
splunk          6        0   05/28/16 13:39:14 -0400  192.168.2.1
[root@linux2 ~]#
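To turn the pam_tally2 listing above into a quick lockout report, this added example (not part of the original post) filters pam_tally2 output for accounts whose tally exceeds the deny= value. The function names and every sample row except the splunk one are constructed for illustration.

```shell
#!/bin/bash
# Added example: report accounts whose pam_tally2 count exceeds deny=.
# On a live system (as root): pam_tally2 | over_threshold 3

# Constructed sample in pam_tally2's column layout; only the splunk row
# comes from the page, the other rows are made up for illustration.
sample_tally() {
    cat <<'EOF'
Login           Failures Latest failure     From
splunk              6    05/28/16 13:39:14  192.168.2.14
alice               2    05/28/16 13:41:02  192.168.2.20
bob                 4    05/28/16 13:45:37  tty1
carol               0
EOF
}

# over_threshold DENY: read pam_tally2 output on stdin and print
# "user failures date time source" for every tally greater than DENY.
over_threshold() {
    local deny="${1:-3}"
    case "$deny" in
        ''|*[!0-9]*) echo "deny must be a non-negative integer" >&2; return 2 ;;
    esac
    awk -v deny="$deny" '
        # Data rows have a numeric second field; the header row does not.
        NF >= 2 && $2 ~ /^[0-9]+$/ && ($2 + 0) > (deny + 0) {
            when = (NF >= 4) ? $3 " " $4 : "- -"
            src  = (NF >= 5) ? $5 : "-"
            printf "%s %d %s %s\n", $1, $2, when, src
        }'
}

sample_tally | over_threshold 3
```

The comparison is strictly greater than, matching the "exceeds" wording of deny=, so with deny=3 the alice row (2 failures) is not reported.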
Reset failed count
[root@linux2 ~]# pam_tally2 --user=splunk --reset
[root@linux2 ~]# faillog -u splunk -r