Securing SSH Access with Faillock


Faillock is a security module within the PAM (Pluggable Authentication Modules) framework used on Linux systems. The pam_faillock.so module tracks failed login attempts per user over a defined time interval and automatically locks the user's account once the number of failures exceeds the configured threshold.

This mechanism helps protect Linux systems against brute-force password guessing: accounts that accumulate repeated login failures are temporarily locked, which limits how many guesses an attacker can make and reduces the risk of unauthorized access.

This article describes how to configure pam_faillock to harden SSH logins by locking accounts after repeated failed password attempts, on a broad range of Linux distributions: Ubuntu (18.04 to 24.04), Debian (10–12), and RHEL-based systems including CentOS, AlmaLinux (8–9), and Rocky Linux (8–9).

Note: These configurations are made at the operating system level. We strongly recommend creating a system snapshot and backing up all relevant configuration files before making any changes.

How to configure faillock on Ubuntu and Debian-based operating systems?

Step 1: Back up the /etc/pam.d/common-auth and /etc/pam.d/common-account configuration files.

				
					root@server:~# cp /etc/pam.d/common-auth /etc/pam.d/common-auth.backup
root@server:~# cp /etc/pam.d/common-account /etc/pam.d/common-account.backup

				
			

Step 2: Most Linux distributions come with the faillock utility pre-installed. To make sure it’s available, run this command:

				
					root@server:~# which faillock
             /usr/sbin/faillock

				
			

Step 3: Open the faillock configuration file, uncomment the following directives, and customize the settings to match your security requirements.

				
					root@server:~# vim /etc/security/faillock.conf

  deny = 5                     # Lock account after 5 failed attempts
  unlock_time = 900            # Unlock after 15 minutes
  fail_interval = 900          # Count failures in a 15-minute window

				
			

Step 4: Edit the PAM configuration files to integrate faillock by adding the lines shown below. Keep them in exactly this order relative to the existing pam_unix.so line: the preauth check runs before the password is verified, and the authfail and authsucc lines must follow pam_unix.so directly so that its success=1 jump lands on authsucc. Placing them elsewhere can lock users out unexpectedly.

				
					root@server:~# vim /etc/pam.d/common-auth

   auth required pam_faillock.so preauth            #add this line
   auth    [success=1 default=ignore]      pam_unix.so nullok
   auth [default=die] pam_faillock.so authfail      #add this line
   auth sufficient pam_faillock.so authsucc         #add this line

				
			
				
					root@server:~# vim /etc/pam.d/common-account

              account required pam_faillock.so      #add this line

				
			

Step 5: Enable PAM in the SSH daemon configuration by setting the following directive in sshd_config, then restart the SSH service to apply the changes.

				
					root@server:~# nano /etc/ssh/sshd_config
               UsePAM yes
				
			

Once this is in place, the system locks any non-root account after 5 consecutive incorrect password attempts within the configured 15-minute fail_interval, and automatically unlocks it after 15 minutes (900 seconds).
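Before relying on the lockout, it is worth verifying the edits without deliberately failing logins. The following audit script is an addition to this article (not the article's or PAM's own code): it checks that a common-auth file carries the pam_faillock lines in the required order around pam_unix.so and reads the three lockout directives from a faillock.conf, ignoring commented-out lines. File paths are parameters, so it can be pointed at the real /etc/pam.d/common-auth and /etc/security/faillock.conf; the sample files it builds under a temporary directory are constructed for demonstration.

```shell
#!/bin/sh
# Added audit helper (not from the article). Checks the pam_faillock line
# order in a Debian/Ubuntu common-auth and reads faillock.conf directives.

# Line number of the first non-comment line matching an ERE, or empty if none.
pam_line() {  # $1 = file, $2 = regex
    awk -v re="$2" '$0 !~ /^[[:space:]]*#/ && $0 ~ re { print NR; exit }' "$1"
}

# Exit status 0 only if all four lines exist and appear in the required order:
# preauth, then pam_unix.so, then authfail, then authsucc.
check_pam_order() {
    pre=$(pam_line "$1" 'pam_faillock[.]so[[:space:]]+preauth')
    unix_l=$(pam_line "$1" 'pam_unix[.]so')
    fail=$(pam_line "$1" 'pam_faillock[.]so[[:space:]]+authfail')
    succ=$(pam_line "$1" 'pam_faillock[.]so[[:space:]]+authsucc')
    [ -n "$pre" ] && [ -n "$unix_l" ] && [ -n "$fail" ] && [ -n "$succ" ] || return 1
    [ "$pre" -lt "$unix_l" ] && [ "$unix_l" -lt "$fail" ] && [ "$fail" -lt "$succ" ]
}

# Value of an uncommented "key = number" directive in faillock.conf.
faillock_value() {  # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$1" | head -n 1
}

# Constructed samples: a correct common-auth, one with preauth placed after
# pam_unix.so, and a faillock.conf with the article's settings plus a
# commented-out deny that must be ignored.
tmp=$(mktemp -d)
cat > "$tmp/common-auth" <<'EOF'
auth required pam_faillock.so preauth
auth    [success=1 default=ignore]      pam_unix.so nullok
auth [default=die] pam_faillock.so authfail
auth sufficient pam_faillock.so authsucc
EOF
cat > "$tmp/common-auth.bad" <<'EOF'
auth    [success=1 default=ignore]      pam_unix.so nullok
auth required pam_faillock.so preauth
auth [default=die] pam_faillock.so authfail
auth sufficient pam_faillock.so authsucc
EOF
cat > "$tmp/faillock.conf" <<'EOF'
# deny = 3
deny = 5
unlock_time = 900
fail_interval = 900
EOF
check_pam_order "$tmp/common-auth" && echo "common-auth: faillock order OK"
check_pam_order "$tmp/common-auth.bad" || echo "common-auth.bad: wrong order"
echo "deny=$(faillock_value "$tmp/faillock.conf" deny) unlock_time=$(faillock_value "$tmp/faillock.conf" unlock_time)"
```

On a real host, run it as root against /etc/pam.d/common-auth and /etc/security/faillock.conf; a non-zero exit from check_pam_order means the ordering in Step 4 was not applied as shown.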

How to configure faillock on RHEL-based distributions: CentOS, Rocky Linux (8–9), and AlmaLinux (8–9)?

Step 1: Back up the /etc/pam.d/system-auth and /etc/pam.d/password-auth configuration files.

				
					root@server:~# cp /etc/pam.d/system-auth /etc/pam.d/system-auth.backup
root@server:~# cp /etc/pam.d/password-auth /etc/pam.d/password-auth.backup


				
			

Step 2: Most Linux distributions come with the faillock utility pre-installed. To make sure it’s available, run this command:

				
					root@server:~# which faillock
                /usr/sbin/faillock
				
			

Step 3: Open the faillock configuration file, uncomment the following directives, and customize the settings to match your security requirements.

				
					root@server:~# vim /etc/security/faillock.conf

deny = 5                     # Lock account after 5 failed attempts
unlock_time = 900            # Unlock after 15 minutes
fail_interval = 900          # Count failures in a 15-minute window


				
			

Step 4: Run the commands below to enable faillock in the PAM configuration through authselect, which rewrites system-auth and password-auth for you, and then confirm the active profile.

				
					root@server:~# authselect select minimal with-faillock --force
root@server:~# authselect current
				
			

Step 5: Enable PAM in the SSH daemon configuration by setting the following directive in sshd_config, then restart the SSH service to apply the changes.

				
					root@server:~# nano /etc/ssh/sshd_config
               UsePAM yes
				
			

Once this is in place, the system locks any non-root account after 5 consecutive incorrect password attempts within the configured 15-minute fail_interval, and automatically unlocks it after 15 minutes (900 seconds).

How to list all user accounts currently locked out by faillock?

Run one of the following commands to see which accounts have been locked because of failed login attempts, either for a single user or for every user with a tally record.

				
					root@server:~# faillock --user yourusername      #view specific user
or
root@server:~# faillock                          #view all users
				
			
How to unlock a user account manually before the automatic timeout?

To manually unlock a user account that faillock locked before the automatic timeout, run the following command:

				
					root@server:~# faillock --user yourusername --reset

				
			
