
How To Set Up pam_faillock on Ubuntu 20.04.4 LTS for SSH Authentication


In this tutorial we walk through setting up pam_faillock on Ubuntu 20.04.4 LTS for SSH authentication. pam_faillock is a PAM (Pluggable Authentication Modules) module that keeps a per-user tally of failed logins and locks the account once the tally reaches a threshold, which blunts online password guessing against SSH.

Quick Answer

To set up pam_faillock on Ubuntu 20.04.4 LTS for SSH authentication: confirm the module is actually installed, set the thresholds in /etc/security/faillock.conf, insert the pam_faillock lines into the PAM auth stack that sshd uses (preauth before pam_unix.so, authfail and authsucc directly after it, plus an account line), make sure the tally directory /var/run/faillock exists and is recreated at boot, then test from a second session before closing your current one. The faillock command shows and resets the recorded failures.

What is pam_faillock?

PAM, or Pluggable Authentication Modules, is a flexible mechanism for authenticating users. pam_faillock is a PAM module that allows you to lock out user accounts if a certain number of failed login attempts are made. This can be a very effective way to deter brute force attacks on your system.

Prerequisites

Before we begin, ensure that you have:

  • A system running Ubuntu 20.04.4 LTS
  • Root or sudo access to the system
  • The module itself: pam_faillock.so must be present in the PAM module directory (/lib/x86_64-linux-gnu/security on 64-bit Ubuntu). pam_faillock joined upstream Linux-PAM in release 1.4.0, while Ubuntu 20.04 ships Linux-PAM 1.3.1, so check for the file before editing anything; Ubuntu 22.04 is the first LTS whose libpam-modules package includes it. A required line that names a module PAM cannot load fails the whole auth stack, which would block every password login over SSH rather than harden it.
  • A second way in while you test: keep your current SSH session open, or have console access, until a fresh login has been verified to work with the new configuration.

Step 1: Configuring pam_faillock

The first step is to configure pam_faillock. The configuration file is located at /etc/security/faillock.conf. Open the file in your preferred text editor. Here, we use nano:

sudo nano /etc/security/faillock.conf

In this file, you can set several options. Here’s an example configuration:

dir = /var/run/faillock
audit
silent
deny = 3
fail_interval = 900
unlock_time = 120

Here’s what each option does:

  • dir: the directory holding the per-user tally files; /var/run/faillock is also the module’s built-in default.
  • audit: logs the user name to the system log when a login is attempted for a user that does not exist. It is not general audit logging.
  • silent: suppresses the informational messages the module would otherwise show the user, such as that the account is locked. Keep it on for SSH: without it, a locked existing user and a non-existent user get different responses, which lets an attacker confirm which names are real accounts.
  • deny: the number of consecutive failures that locks the account (default 3).
  • fail_interval: the window, in seconds, within which those failures must occur to count; 900 (15 minutes) is the default.
  • unlock_time: how long, in seconds, the lock lasts; the default is 600. The value 0 (or never) keeps the account locked until an administrator runs faillock --reset.

Two defaults to know about: root is exempt unless you add even_deny_root (with root_unlock_time to give it its own unlock period), and only failures that pass through a PAM auth stack containing the module are counted at all.

Step 2: Modifying the PAM Configuration

Next, add pam_faillock to the PAM auth stack that sshd uses. Order matters, because the three modes of the module are meant to be reached on different paths through the stack:

auth    required                    pam_faillock.so preauth
auth    [success=1 default=ignore]  pam_unix.so
auth    [default=die]               pam_faillock.so authfail
auth    sufficient                  pam_faillock.so authsucc
account required                    pam_faillock.so

preauth runs before the password is checked and fails if the account is already locked. pam_unix.so then verifies the password; success=1 jumps over the next directive, so a correct password skips authfail and lands on authsucc, which resets the user’s tally. A wrong password falls through to authfail, which records the failure and, with [default=die], ends the stack with a failure. The account line refuses a locked account even when the auth phase passed (for instance a public-key login, which never runs the auth stack). If the pam_faillock lines are simply appended after the existing password check, authfail is reached on every login, and each one, correct password or not, adds a failure and is rejected; that misordering locks everyone out.

On Ubuntu the pam_unix.so line is not in /etc/pam.d/sshd itself: sshd pulls it in with @include common-auth. To limit the change to SSH, open the file:

sudo nano /etc/pam.d/sshd

and replace the @include common-auth line with the four auth lines above, keeping the pam_unix.so arguments (for example nullok_secure) exactly as your /etc/pam.d/common-auth has them; put the account line after @include common-account. Editing /etc/pam.d/common-auth instead applies the lockout to every service that includes it, and pam-auth-update may overwrite hand edits there.

Step 3: Creating the Tally Directory

pam_faillock keeps one tally file per user in the directory named by dir, /var/run/faillock by default. Do not assume the directory exists: on Ubuntu /var/run is a symlink to /run, a tmpfs that is emptied at every boot, so a directory created by hand is gone after the next reboot and the lockout stops working until it exists again. Create it now:

sudo mkdir -p /var/run/faillock
sudo chmod 700 /var/run/faillock
sudo chown root:root /var/run/faillock

and add a systemd-tmpfiles entry so it is recreated at boot, for example as the single line of /etc/tmpfiles.d/faillock.conf:

d /var/run/faillock 0700 root root -

Step 4: Restarting the Service

PAM reads /etc/pam.d and /etc/security/faillock.conf on every authentication, so the change is live as soon as the files are saved; restarting the SSH service is harmless but is not what makes it take effect. What you do need is a test before you log out: keep your current session open, and from a second terminal try to log in with a wrong password a few times, then with the right one, and confirm the behaviour matches deny and unlock_time. sshd only hands password and keyboard-interactive logins to the PAM auth stack (UsePAM yes in sshd_config, Ubuntu’s default), so failed public-key attempts are not counted. If you restart anyway, the unit is called ssh on Ubuntu; sshd resolves to it as an alias:

sudo systemctl restart sshd
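Because the ordering in Step 2 is the part that is easiest to get wrong, and the mistake locks everyone out instead of only attackers, here is a small lint script, added for this tutorial and not part of the original page or of Linux-PAM, that reads a PAM file and reports whether the pam_faillock lines are placed safely. It assumes one directive per line, that the password module is pam_unix.so as in Ubuntu’s common-auth, and that the skip is spelled success=1; the three sample stacks it writes are constructed for the demonstration, not copied from any system.

```shell
#!/bin/sh
# Added example for this tutorial (not from the original page or Linux-PAM):
# lint a PAM file for the pam_faillock ordering that Step 2 depends on.
# Assumptions: one directive per line, pam_unix.so is the password module
# (as in Ubuntu's common-auth), and its skip is spelled success=1.

lint_fail() { echo "$lint_file: $1" >&2; lint_rc=1; }

# check_faillock_stack FILE
# 0 = ordering is safe, 1 = problems reported on stderr,
# 2 = the file uses @include, so jump counts cannot be checked here.
check_faillock_stack() {
    lint_file="$1"; lint_rc=0
    n=0 preauth=0 unix=0 unix_ctl='' authfail=0 authsucc=0 account=0
    while read -r line || [ -n "$line" ]; do     # read trims leading blanks
        case "$line" in
            ''|\#*) continue ;;                   # PAM ignores blanks and comments
            @include*) echo "$lint_file: uses @include; lint the included file" >&2; return 2 ;;
        esac
        n=$((n + 1))                              # index among real directives; success=N counts these
        case "$line" in
            auth*pam_faillock.so*preauth*)  preauth=$n ;;
            auth*pam_faillock.so*authfail*) authfail=$n ;;
            auth*pam_faillock.so*authsucc*) authsucc=$n ;;
            auth*pam_unix.so*)              unix=$n; unix_ctl="$line" ;;
            account*pam_faillock.so*)       account=$n ;;
        esac
    done < "$lint_file"

    [ "$preauth"  -gt 0 ] || lint_fail "missing 'auth ... pam_faillock.so preauth'"
    [ "$unix"     -gt 0 ] || lint_fail "missing 'auth ... pam_unix.so'"
    [ "$authfail" -gt 0 ] || lint_fail "missing 'auth ... pam_faillock.so authfail'"
    [ "$authsucc" -gt 0 ] || lint_fail "missing 'auth ... pam_faillock.so authsucc' (tally is never reset)"
    [ "$account"  -gt 0 ] || lint_fail "missing 'account ... pam_faillock.so'"

    # preauth must consult the tally before the password is checked
    if [ "$preauth" -gt 0 ] && [ "$unix" -gt 0 ] && [ "$preauth" -gt "$unix" ]; then
        lint_fail "preauth must precede pam_unix.so"
    fi
    # authfail must be the directive right after pam_unix.so, and pam_unix.so must
    # jump over it on success; otherwise every login, right password or not,
    # records a failure and [default=die] rejects it
    if [ "$authfail" -gt 0 ] && [ "$unix" -gt 0 ]; then
        [ "$authfail" -eq $((unix + 1)) ] || lint_fail "authfail must immediately follow pam_unix.so"
        case "$unix_ctl" in
            *success=1*) ;;
            *) lint_fail "pam_unix.so needs [success=1 ...] so a correct password skips authfail" ;;
        esac
    fi
    if [ "$authsucc" -gt 0 ] && [ "$authfail" -gt 0 ] && [ "$authsucc" -lt "$authfail" ]; then
        lint_fail "authsucc must follow authfail"
    fi
    return "$lint_rc"
}

# write_sample_stacks DIR: constructed sample files (not copied from any system)
write_sample_stacks() {
    # bad: the faillock lines simply appended after the existing password check
    cat > "$1/bad" <<'EOF'
auth    [success=1 default=ignore]  pam_unix.so
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
auth    required                    pam_faillock.so preauth
auth    [default=die]               pam_faillock.so authfail
account required                    pam_faillock.so
EOF
    # good: interleaved as in Step 2, followed by common-auth's usual tail
    cat > "$1/good" <<'EOF'
auth    required                    pam_faillock.so preauth
auth    [success=1 default=ignore]  pam_unix.so
auth    [default=die]               pam_faillock.so authfail
auth    sufficient                  pam_faillock.so authsucc
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
account required                    pam_faillock.so
EOF
    # sshd as shipped: the password module sits behind an include
    cat > "$1/sshd" <<'EOF'
@include common-auth
account required                    pam_faillock.so
EOF
}

demo=$(mktemp -d)
write_sample_stacks "$demo"
for f in good bad sshd; do
    if check_faillock_stack "$demo/$f"; then
        echo "$f: safe"
    else
        echo "$f: rejected (exit status $?)"
    fi
done
rm -rf "$demo"
```

Run it against a copy of the file you intend to install; a status of 2 means the password module is behind an @include, which is exactly the situation on a stock Ubuntu /etc/pam.d/sshd, and the file that actually contains pam_unix.so is the one to lint.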

Checking the Status of pam_faillock

After setting up pam_faillock, use the faillock command (as root) to inspect and manage the recorded failures. Run it with no arguments to list every user that has a tally; for one user:

sudo faillock --user <username>

Each record shows when the failure happened, its source (RHOST for a remote SSH client), and whether it is still valid, that is, inside fail_interval and counted against deny. To clear a user’s tally and unlock the account immediately:

sudo faillock --user <username> --reset

Running --reset without --user clears the tally for every user, so be precise.
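To turn the faillock listing into something an operator can act on, here is an added example (not from the original page, and not part of the faillock tool) that parses the report layout faillock prints, counts the records still marked valid per user, and lists who has reached the deny threshold together with the reset command to run. The sample report is constructed for the example; the column layout (When, Type, Source, Valid) follows faillock’s output, and the V/I flag in the last column is what the parser keys on.

```shell
#!/bin/sh
# Added example (not from the original page or the faillock tool): parse the
# report `faillock` prints and flag users whose valid failure count has reached
# the deny threshold from faillock.conf. The sample report is constructed here;
# real output comes from running faillock as root.

# report_faillock_state DENY FILE
# prints one line per user: "<user> <valid failures> <LOCKED|ok>"
report_faillock_state() {
    awk -v deny="$1" '
        function flush() {
            if (user != "")
                printf "%s %d %s\n", user, valid, (valid >= deny ? "LOCKED" : "ok")
            valid = 0
        }
        /^[^ ]+:$/   { flush(); user = substr($0, 1, length($0) - 1); next }  # "alice:" opens a block
        $1 == "When" { next }                                                 # column header line
        NF >= 4 && $NF == "V" { valid++ }   # V = still inside fail_interval, counted against deny
        END { flush() }
    ' "$2"
}

# reset_commands DENY FILE: the faillock invocations an operator would run for
# every user the report shows as locked (printed, not executed)
reset_commands() {
    report_faillock_state "$1" "$2" | awk '$3 == "LOCKED" { print "faillock --user " $1 " --reset" }'
}

# write_sample_report FILE: constructed report in the layout faillock uses.
# alice has three valid failures, bob one that has already expired (I), carol two.
write_sample_report() {
    cat > "$1" <<'EOF'
alice:
When                Type  Source                                           Valid
2024-03-01 10:02:11 RHOST 203.0.113.5                                       V
2024-03-01 10:02:19 RHOST 203.0.113.5                                       V
2024-03-01 10:02:27 RHOST 203.0.113.5                                       V
bob:
When                Type  Source                                           Valid
2024-02-28 08:11:03 RHOST 198.51.100.7                                      I
carol:
When                Type  Source                                           Valid
2024-03-01 11:40:00 RHOST 203.0.113.9                                       V
2024-03-01 11:40:05 RHOST 203.0.113.9                                       V
EOF
}

sample=$(mktemp)
write_sample_report "$sample"
report_faillock_state 3 "$sample"   # with deny = 3 only alice is locked
reset_commands 3 "$sample"
rm -f "$sample"
```

On a live system feed it the real listing, for example `sudo faillock > /tmp/faillock.txt` and then `report_faillock_state 3 /tmp/faillock.txt`, with the first argument set to the deny value in your faillock.conf; records marked I are ignored because pam_faillock no longer counts them.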

Conclusion

In this tutorial, we’ve shown you how to set up pam_faillock on Ubuntu 20.04.4 LTS for SSH authentication. This is a powerful tool for enhancing the security of your system by deterring brute force attacks. However, it’s also a complex tool with many options, so be sure to read the pam_faillock man page for more information.

What is PAM (Pluggable Authentication Modules)?

PAM, or Pluggable Authentication Modules, is a flexible mechanism for authenticating users in Linux systems. It allows different authentication methods to be used, such as passwords, smart cards, biometrics, etc.

How does `pam_faillock` enhance system security?

pam_faillock locks a user account after a set number of failed logins inside fail_interval and keeps it locked for unlock_time, which caps how many guesses an online brute-force attack gets against that account. Note what it does not do: the lock is per account, not per source address, so anyone who can reach the SSH port can lock a named user out on purpose with a few wrong passwords. A short unlock_time limits that nuisance, and the default exemption of root (no even_deny_root) keeps the emergency account out of its reach.

Where is the configuration file for `pam_faillock` located?

The configuration file for pam_faillock is located at /etc/security/faillock.conf.

How do I modify the PAM configuration for SSH?

Edit the PAM auth stack that /etc/pam.d/sshd uses. Place the pam_faillock.so preauth line before the pam_unix.so line, the authfail and authsucc lines directly after it, and the account line in the account section. On Ubuntu the pam_unix.so line comes from /etc/pam.d/common-auth, which sshd pulls in with @include common-auth, so either replace that include in /etc/pam.d/sshd with the explicit lines (SSH only) or edit common-auth (every service that includes it).

How can I check the status of failed login attempts with `pam_faillock`?

You can use the faillock command to check the status of failed login attempts. For example, to view the faillock status for a specific user, use sudo faillock --user <username>.
