Securing SSH Access with Faillock


Faillock is a security module within the PAM (Pluggable Authentication Modules) framework used in Linux systems. The pam_faillock.so module tracks failed login attempts from individual users over a defined time interval. If the number of failed attempts exceeds a configured threshold, the module automatically locks the user’s account for a specified duration.

This mechanism helps to protect Linux systems against brute-force attacks by temporarily blocking access for the user accounts under repeated login failures, thereby reducing the risk of unauthorized access.

This article focuses on configuring pam_faillock to enhance SSH security by locking accounts after repeated failed login attempts, across a broad range of Linux distributions such as Ubuntu (18.04 to 24.04), Debian (10–12), and RHEL-based systems including CentOS, AlmaLinux (8–9), and Rocky Linux (8–9).

Note: These configurations are made at the operating system level. It is strongly recommended to create a system snapshot and back up all relevant configuration files before making any changes.

How to configure faillock on Ubuntu and Debian-based operating systems?

Step 1: Back up the /etc/pam.d/common-auth and /etc/pam.d/common-account configuration files.

    root@server:~# cp /etc/pam.d/common-auth /etc/pam.d/common-auth.backup
    root@server:~# cp /etc/pam.d/common-account /etc/pam.d/common-account.backup

Step 2: The faillock utility is typically pre-installed on most Linux distributions. To confirm it is available, run the following command; it should print the path of the binary:

    root@server:~# which faillock
    /usr/sbin/faillock

Step 3: Open the faillock configuration file, uncomment the following directives, and customize the settings to match your security requirements.

    root@server:~# vim /etc/security/faillock.conf

    # Lock the account after 5 failed attempts
    deny = 5
    # Unlock automatically after 15 minutes (900 seconds)
    unlock_time = 900
    # Only count failures that fall within a 15-minute window
    fail_interval = 900

Step 4: Edit the PAM configuration files to integrate faillock by adding the following lines. Ensure they are placed in the correct order to avoid accidental user lockouts: the preauth line goes before pam_unix.so, and the authfail and authsucc lines after it.

    root@server:~# vim /etc/pam.d/common-auth

    auth required                    pam_faillock.so preauth     # add this line
    auth [success=1 default=ignore]  pam_unix.so nullok
    auth [default=die]               pam_faillock.so authfail    # add this line
    auth sufficient                  pam_faillock.so authsucc    # add this line

    root@server:~# vim /etc/pam.d/common-account

    account required pam_faillock.so    # add this line

Step 5: Ensure that PAM is enabled in the SSH configuration by setting the following directive in the sshd_config file, then restart the SSH service to apply the changes.

    root@server:~# nano /etc/ssh/sshd_config

    UsePAM yes

Once configured, any non-root user will be locked out following 5 consecutive incorrect password attempts, and their accounts will be automatically unlocked after 15 minutes (900 seconds).

How to configure faillock on RHEL-Based Distributions: CentOS, Rocky Linux (8-9), and AlmaLinux (8-9)?

Step 1: Back up the /etc/pam.d/system-auth and /etc/pam.d/password-auth configuration files.

    root@server:~# cp /etc/pam.d/system-auth /etc/pam.d/system-auth.backup
    root@server:~# cp /etc/pam.d/password-auth /etc/pam.d/password-auth.backup

Step 2: The faillock utility is typically pre-installed on most Linux distributions. To confirm it is available, run the following command; it should print the path of the binary:

    root@server:~# which faillock
    /usr/sbin/faillock

Step 3: Open the faillock configuration file, uncomment the following directives, and customize the settings to match your security requirements.

    root@server:~# vim /etc/security/faillock.conf

    # Lock the account after 5 failed attempts
    deny = 5
    # Unlock automatically after 15 minutes (900 seconds)
    unlock_time = 900
    # Only count failures that fall within a 15-minute window
    fail_interval = 900

Step 4: Run the commands below to enable faillock in the PAM configuration automatically. authselect regenerates system-auth and password-auth from the chosen profile, and --force makes it proceed even if those files carry manual edits, which is why the backup from Step 1 matters. The second command prints the profile now in effect so you can confirm the with-faillock feature is listed.

    root@server:~# authselect select minimal with-faillock --force
    root@server:~# authselect current

Step 5: Ensure that PAM is enabled in the SSH configuration by setting the following directive in the sshd_config file, then restart the SSH service to apply the changes.

    root@server:~# nano /etc/ssh/sshd_config

    UsePAM yes

Once configured, any non-root user will be locked out following 5 consecutive incorrect password attempts, and their accounts will be automatically unlocked after 15 minutes (900 seconds).
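
The following script is an added example, not part of the original article or of the pam_faillock project. It checks the three things the procedures above change (the faillock.conf thresholds, the module order in a Debian-style common-auth, and UsePAM in sshd_config) and does so against any file path you pass in, so it can be run on the backup copies from Step 1 before the live files are edited. The demo at the bottom works on constructed stand-in files in a temporary directory; the function names and the stand-in contents are my own.

```shell
#!/bin/sh
# Added example (not from the article): offline checks for the faillock/PAM/sshd
# settings described above. All functions take a file path as their first argument.

# set_faillock_option FILE KEY VALUE: set (or uncomment and set) "KEY = VALUE"
# in a faillock.conf-style file; append the line if the key is absent.
set_faillock_option() {
    file="$1"; key="$2"; value="$3"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]*=" "$file"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_faillock_option FILE KEY: print the effective value (last uncommented
# occurrence wins); prints an empty line when the key is only present commented out.
get_faillock_option() {
    awk -F= -v k="$2" '
        $0 !~ /^[[:space:]]*#/ && $1 ~ "^[[:space:]]*" k "[[:space:]]*$" {
            v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); val = v
        }
        END { print val }' "$1"
}

# check_pam_auth_order FILE: succeed only if the auth lines appear in the order
# the article requires: faillock preauth, pam_unix, faillock authfail, faillock authsucc.
check_pam_auth_order() {
    order=$(awk '
        /^[[:space:]]*#/ { next }
        $1 != "auth"     { next }
        /pam_faillock\.so/ && /preauth/  { printf "preauth " }
        /pam_unix\.so/                   { printf "unix " }
        /pam_faillock\.so/ && /authfail/ { printf "authfail " }
        /pam_faillock\.so/ && /authsucc/ { printf "authsucc " }
    ' "$1")
    [ "$order" = "preauth unix authfail authsucc " ]
}

# check_usepam FILE: succeed if sshd will hand authentication to PAM. sshd uses
# the first match for a keyword, so only the first uncommented UsePAM line counts.
check_usepam() {
    awk '
        /^[[:space:]]*#/ { next }
        !seen && tolower($1) == "usepam" { v = tolower($2); seen = 1 }
        END { exit (v == "yes") ? 0 : 1 }
    ' "$1"
}

demo() {
    d=$(mktemp -d)
    # Constructed stand-ins for /etc/security/faillock.conf, /etc/pam.d/common-auth
    # and /etc/ssh/sshd_config (distribution defaults ship the options commented out).
    printf '# deny = 3\n# unlock_time = 600\n' > "$d/faillock.conf"
    printf 'auth required pam_faillock.so preauth\nauth [success=1 default=ignore] pam_unix.so nullok\nauth [default=die] pam_faillock.so authfail\nauth sufficient pam_faillock.so authsucc\n' > "$d/common-auth"
    printf '#UsePAM no\nUsePAM yes\n' > "$d/sshd_config"

    set_faillock_option "$d/faillock.conf" deny 5
    set_faillock_option "$d/faillock.conf" unlock_time 900
    set_faillock_option "$d/faillock.conf" fail_interval 900
    printf 'deny=%s unlock_time=%s fail_interval=%s\n' \
        "$(get_faillock_option "$d/faillock.conf" deny)" \
        "$(get_faillock_option "$d/faillock.conf" unlock_time)" \
        "$(get_faillock_option "$d/faillock.conf" fail_interval)"
    check_pam_auth_order "$d/common-auth" && echo "common-auth order: OK" || echo "common-auth order: WRONG"
    check_usepam "$d/sshd_config" && echo "UsePAM: yes" || echo "UsePAM: not enabled"
    rm -rf "$d"
}
demo
```

On a live host, point the functions at the real paths (for example check_usepam /etc/ssh/sshd_config) and run `sshd -t` before restarting the service, keeping an existing SSH session open until a fresh login has succeeded, so that a typo in sshd_config or a wrong module order does not lock you out of the box you are hardening.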

How to list all user accounts currently locked out by faillock?

Execute the following command to check which user accounts have been locked due to failed login attempts.

    root@server:~# faillock --user yourusername      # view a specific user
    root@server:~# faillock                          # view all users

How to unlock a user account manually before the automatic timeout?

To manually unlock a user account that has been locked by faillock before the automatic timeout, use the following command:

    root@server:~# faillock --user yourusername --reset
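
The script below is an added example serving the two sections above (listing locked accounts and unlocking them); it is not part of the original article or of pam_faillock. It parses the report layout that the faillock command prints (a "user:" line, a header, then one record per failure) and lists the users whose counted failures have reached the deny threshold, then prints the matching manual-unlock commands without running them. It assumes that a "V" in the last column marks a failure still inside fail_interval and "I" one that has expired; SAMPLE_REPORT is constructed data, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the article): turn `faillock` output into a list of
# locked users and the corresponding reset commands.

# Constructed sample in the layout `faillock` prints (no live data).
SAMPLE_REPORT='alice:
When                Type  Source                                           Valid
2024-03-01 09:12:01 RHOST 192.0.2.10                                       V
2024-03-01 09:12:05 RHOST 192.0.2.10                                       V
bob:
When                Type  Source                                           Valid
2024-03-01 09:20:11 RHOST 198.51.100.7                                     V
2024-03-01 09:20:14 RHOST 198.51.100.7                                     V
2024-03-01 09:20:18 RHOST 198.51.100.7                                     V
2024-03-01 09:20:21 RHOST 198.51.100.7                                     V
2024-03-01 09:20:25 RHOST 198.51.100.7                                     V
carol:
When                Type  Source                                           Valid
2024-02-28 22:01:00 TTY   tty1                                             I'

# locked_users REPORT DENY: print one user per line whose valid ("V") failures
# number DENY or more. Expired ("I") records are not counted, matching the
# article's fail_interval window.
locked_users() {
    printf '%s\n' "$1" | awk -v deny="$2" '
        function flush() { if (user != "" && n >= deny) print user }
        /^[^[:space:]]+:$/ { flush(); user = substr($1, 1, length($1) - 1); n = 0; next }
        $1 == "When" { next }
        user != "" && $NF == "V" { n++ }
        END { flush() }
    '
}

# reset_commands: read user names on stdin and print (without executing) the
# manual unlock command from the section above for each one.
reset_commands() {
    while IFS= read -r u; do
        if [ -n "$u" ]; then
            printf 'faillock --user %s --reset\n' "$u"
        fi
    done
}

# Demo with the constructed report and the article's deny = 5.
echo "Users locked at deny=5:"
locked_users "$SAMPLE_REPORT" 5
echo "Manual unlock commands (printed, not executed):"
locked_users "$SAMPLE_REPORT" 5 | reset_commands
```

On a real host, feed it the live report with locked_users "$(faillock)" 5 (the tally files under /var/run/faillock are readable only by root, so run it with the same privileges as the faillock command itself) and pass the deny value you set in faillock.conf, so that the script's idea of "locked" matches pam_faillock's.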