password policy - liamlamth/blog GitHub Wiki

retry faillock

  • purpose: temporarily lock an account after a number of failed login attempts. While locked, the user can still attempt to log in but is always denied
  • reference: https://chhanz.github.io/linux/2021/07/16/authselect-use-faillock/
  • enable
    [root@myserver ~]# authselect enable-feature with-faillock
    [root@myserver ~]# authselect current
        Profile ID: sssd
        Enabled features:
        - with-faillock
    [root@myserver ~]# vi /etc/security/faillock.conf
        dir = /var/run/faillock
        audit
        deny = 3
    [root@myserver ~]# authselect apply-changes
        Changes were successfully applied.
    
  • checking
    [root@myserver ~]# vi /var/log/secure
        Mar  7 11:32:31 shlx164 sshd[1892105]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.253.204  user=testuser1
        Mar  7 11:32:33 shlx164 sshd[1892105]: Failed password for testuser1 from 192.168.253.204 port 56222 ssh2
        Mar  7 11:32:39 shlx164 sshd[1892105]: Failed password for testuser1 from 192.168.253.204 port 56222 ssh2
        Mar  7 11:32:41 shlx164 sshd[1892105]: pam_faillock(sshd:auth): Consecutive login failures for user testuser1 account temporarily locked
    [root@myserver ~]# faillock
        root:                                                                           
        When                Type  Source                                           Valid
        testuser1:                                                                      
        When                Type  Source                                           Valid
        2022-03-07 11:32:31 RHOST 192.168.253.204                                      V
        2022-03-07 11:32:36 RHOST 192.168.253.204                                      V
        2022-03-07 11:32:41 RHOST 192.168.253.204                                      V
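
To get the same picture from the log without reading it line by line, this added example (not from the original page) counts sshd `Failed password` lines and pam_faillock lock messages per user. The names `faillock_summary` and `sample_log` are made up for this example, and the sample lines are constructed using documentation addresses.

```shell
#!/bin/sh
# Summarise sshd failures and pam_faillock lock messages per user.
# Reads log lines from the files given as arguments, or from stdin.
# Output per user: "<user> failures=<n> lock_msgs=<n> sources=<addr,addr|->"
faillock_summary() {
    awk '
    # Failed password for [invalid user] NAME from ADDR port N ssh2
    /sshd\[[0-9]+\]: Failed password for / {
        # use the last "from" token so the address is always the field after it
        for (i = 2; i < NF; i++) if ($i == "from") { user = $(i-1); src = $(i+1) }
        fails[user]++
        if (!seen[user, src]++) srcs[user] = srcs[user] (srcs[user] ? "," : "") src
        users[user] = 1
    }
    # pam_faillock(...): Consecutive login failures for user NAME account temporarily locked
    /pam_faillock\(.*\): Consecutive login failures for user / {
        for (i = 1; i < NF; i++) if ($i == "user") user = $(i+1)
        locks[user]++
        users[user] = 1
    }
    END {
        for (u in users)
            printf "%s failures=%d lock_msgs=%d sources=%s\n", u, fails[u], locks[u], (srcs[u] ? srcs[u] : "-")
    }' "$@" | sort
}

# Constructed sample in the format of /var/log/secure (not real log data).
sample_log() {
    cat <<'EOF'
Mar  7 11:32:33 host sshd[100]: Failed password for testuser1 from 192.0.2.10 port 56222 ssh2
Mar  7 11:32:39 host sshd[100]: Failed password for testuser1 from 192.0.2.10 port 56222 ssh2
Mar  7 11:32:41 host sshd[100]: pam_faillock(sshd:auth): Consecutive login failures for user testuser1 account temporarily locked
Mar  7 11:40:02 host sshd[101]: Failed password for invalid user admin from 192.0.2.77 port 40112 ssh2
Mar  7 11:41:10 host sshd[102]: Accepted password for alice from 192.0.2.20 port 40200 ssh2
EOF
}

# Demo run on the constructed sample; on a real host: faillock_summary /var/log/secure
sample_log | faillock_summary
```

`lock_msgs` counts log messages, not distinct lockouts; compare it with the `faillock` output for the current state of each account.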
    