In this tutorial, we will guide you through the process of setting up pam_faillock on Ubuntu 20.04.4 LTS for SSH authentication. The pam_faillock module is a PAM (Pluggable Authentication Modules) module that locks a user account after a configurable number of unsuccessful login attempts, which limits online password guessing against your system.
To set up pam_faillock on Ubuntu 20.04.4 LTS for SSH authentication, you need to configure pam_faillock by editing the /etc/security/faillock.conf file, modify the PAM configuration for SSH in the /etc/pam.d/sshd file, create the tally directory at /var/run/faillock, and restart the SSH service. You can use the faillock command to view and manage failed login attempts.
What is pam_faillock?
PAM, or Pluggable Authentication Modules, is a flexible mechanism for authenticating users. pam_faillock is a PAM module that locks a user account once a certain number of failed login attempts have been recorded against it. This is an effective way to slow down brute-force password guessing, with two properties worth keeping in mind. First, the lock is keyed to the account, not to the source address: an attacker who knows a username can deliberately lock its owner out, so use a finite unlock_time rather than locking until an administrator intervenes. Second, only authentication that passes through the PAM auth stack (passwords and keyboard-interactive) is counted; SSH public-key attempts never reach it.
Before we begin, ensure that you have:
- A system running Ubuntu 20.04.4 LTS
- Root or sudo access to the system
- The pam_faillock module installed. Ubuntu 20.04 ships Linux-PAM 1.3.1, while pam_faillock and the faillock.conf file used below are part of upstream Linux-PAM from 1.4.0 (the release Ubuntu 22.04 ships), so check that pam_faillock.so exists in the security directory of your PAM installation (/lib/x86_64-linux-gnu/security/ on 64-bit Intel/AMD systems) before editing any PAM file. A `required` entry whose module cannot be loaded fails authentication for every SSH login.
Step 1: Configuring pam_faillock
The first step is to configure pam_faillock. The configuration file is located at /etc/security/faillock.conf. Open the file in your preferred text editor; here we use nano:
sudo nano /etc/security/faillock.conf
In this file, you can set several options; each line is either `name = value` or a bare flag. Here's an example configuration:
dir = /var/run/faillock
deny = 3
fail_interval = 900
unlock_time = 120
Here's what each option does:
dir: the directory where pam_faillock stores the per-user tally files.
audit: a bare flag (no value) that also logs the attempted user name when the user does not exist.
silent: a bare flag that suppresses the messages pam_faillock would otherwise print to the user, such as the remaining attempts. Without it the response differs between existing and non-existent accounts, which lets a remote attacker enumerate valid user names, so keep it set for SSH.
deny: the number of failed attempts, counted within fail_interval, that locks the account.
fail_interval: the window (in seconds) within which consecutive failures must occur to count towards deny.
unlock_time: how long (in seconds) the account stays locked. The value 0 means it stays locked until an administrator resets it with the faillock command. Note that root is not locked unless even_deny_root is also set.
Step 2: Modifying the PAM Configuration
Next, you need to modify the PAM configuration for the service you want to protect. For SSH, this is the /etc/pam.d/sshd file. Open this file in your text editor:
sudo nano /etc/pam.d/sshd
The three entries pam_faillock needs are:
auth required pam_faillock.so preauth
auth [default=die] pam_faillock.so authfail
account required pam_faillock.so
These lines tell PAM to use pam_faillock for authentication and account management, and where they go matters. preauth checks whether the account is already locked and must run before the password check; authfail records a failure and must run after it; the account entry clears the record once a login succeeds. On Ubuntu the password check is not in /etc/pam.d/sshd itself but in /etc/pam.d/common-auth, pulled in by the @include common-auth line, and that file follows its pam_unix.so entry with auth requisite pam_deny.so, which returns to the application as soon as a password is rejected. Anything placed after @include common-auth therefore never runs on a failed login. Put the preauth line immediately before @include common-auth and the account line after @include common-account; the authfail line must sit between the pam_unix.so line and the pam_deny.so line, which means either editing /etc/pam.d/common-auth (the lock then applies to every service that includes it, not only SSH) or replacing the @include common-auth line in /etc/pam.d/sshd with a copy of its contents and inserting authfail there (SSH-only, but pam-auth-update will no longer manage those lines). Because pam_unix.so is called with success=1, which skips exactly one entry after a correct password, follow authfail with auth sufficient pam_faillock.so authsucc so that a successful password lands on an entry that returns success instead of on pam_deny.so. If you did not set silent in faillock.conf, append it to the preauth line for the same user-enumeration reason.
Step 3: Creating the Tally Directory
The tally directory is where pam_faillock stores the per-user tally files that keep track of failed login attempts. By default, this is /var/run/faillock. If this directory doesn't exist, create it. Root-only permissions are enough, because the module runs inside the privileged sshd process and the faillock command is run with sudo. Note that /var/run is a tmpfs on Ubuntu and is emptied at boot, so a directory created by hand is gone after the next reboot; also add a systemd-tmpfiles entry under /etc/tmpfiles.d/ that recreates it with the same owner and mode.
sudo mkdir /var/run/faillock
sudo chmod 700 /var/run/faillock
sudo chown root:root /var/run/faillock
Step 4: Restarting the Service
Finally, restart the SSH service. sshd reads /etc/pam.d/sshd afresh for each new connection, so the PAM change takes effect without a restart, but restarting confirms the service still starts cleanly. Keep your current SSH session open and test from a second terminal: a mistake in the PAM stack can lock out every user, including you.
sudo systemctl restart sshd
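The four steps above gathered into one script, as an added example that is not code from the original tutorial. It assumes a Debian/Ubuntu-style /etc/pam.d/sshd with @include common-auth and @include common-account lines and a common-auth whose password check is an auth ... pam_unix.so entry; the function names (render_faillock_conf, patch_pam_sshd, check_order), the sample files and the tmpfiles path /etc/tmpfiles.d/faillock.conf are this example's own. Run without arguments it dry-runs on constructed copies of Ubuntu's default files and prints the resulting stack; run as root with --apply it edits the real files.

```shell
#!/bin/sh
# Added example, not code from the original tutorial. Applies Steps 1-4 in a
# way that works with Ubuntu's @include layout. Assumes a Debian/Ubuntu-style
# /etc/pam.d/sshd ("@include common-auth" / "@include common-account") and a
# common-auth whose password check is an "auth ... pam_unix.so" line.
# Usage: sh faillock-setup.sh              (dry run on constructed sample files)
#        sudo sh faillock-setup.sh --apply (edit the real files)

# Step 1: faillock.conf as used in this tutorial; "audit" and "silent" are
# flags and take no value.
render_faillock_conf() {
    cat <<'EOF'
dir = /var/run/faillock
deny = 3
fail_interval = 900
unlock_time = 120
audit
silent
EOF
}

# Step 2: rewrite a PAM service file. "preauth" goes before the password
# check; "authfail" must follow pam_unix.so but precede common-auth's
# "auth requisite pam_deny.so", which otherwise ends the stack on a failed
# password before anything placed after "@include common-auth" can run. The
# include is therefore expanded into the service file (SSH-only change, but
# pam-auth-update no longer manages these lines). Idempotent.
patch_pam_sshd() {
    sshd_f="$1"; common_f="$2"
    if grep -q 'pam_faillock' "$sshd_f"; then
        echo "pam_faillock already configured in $sshd_f" >&2
        return 0
    fi
    grep -q '^auth.*pam_unix\.so' "$common_f" || return 1
    tmp=$(mktemp) || return 1
    awk -v common="$common_f" '
        /^@include[ \t]+common-auth[ \t]*$/ {
            print "# pam_faillock: expanded copy of " common
            print "auth    required      pam_faillock.so preauth"
            while ((getline line < common) > 0) {
                print line
                # pam_unix is "[success=1 default=ignore]": success skips the
                # authfail line and lands on authsucc; failure records a strike.
                if (line ~ /^auth[ \t].*pam_unix\.so/) {
                    print "auth    [default=die] pam_faillock.so authfail"
                    print "auth    sufficient    pam_faillock.so authsucc"
                }
            }
            close(common)
            next
        }
        /^@include[ \t]+common-account[ \t]*$/ {
            print
            print "account required      pam_faillock.so"
            next
        }
        { print }
    ' "$sshd_f" > "$tmp" && cat "$tmp" > "$sshd_f"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Verify the stack order: preauth < pam_unix < authfail < pam_deny.
check_order() {
    f="$1"
    pre=$(grep -n 'pam_faillock\.so preauth' "$f" | head -n 1 | cut -d: -f1)
    unix=$(grep -n '^auth.*pam_unix\.so' "$f" | head -n 1 | cut -d: -f1)
    fail=$(grep -n 'pam_faillock\.so authfail' "$f" | head -n 1 | cut -d: -f1)
    deny=$(grep -n '^auth.*pam_deny\.so' "$f" | head -n 1 | cut -d: -f1)
    [ -n "$pre" ] && [ -n "$unix" ] && [ -n "$fail" ] && [ -n "$deny" ] &&
        [ "$pre" -lt "$unix" ] && [ "$unix" -lt "$fail" ] && [ "$fail" -lt "$deny" ]
}

if [ "${1:-}" = "--apply" ]; then
    # Ubuntu 20.04 ships Linux-PAM 1.3.1; pam_faillock and faillock.conf are
    # upstream from 1.4.0, so confirm the module is actually installed.
    ls /lib/*/security/pam_faillock.so /usr/lib/*/security/pam_faillock.so >/dev/null 2>&1 ||
        { echo "pam_faillock.so not found" >&2; exit 1; }
    cp -a /etc/pam.d/sshd "/etc/pam.d/sshd.bak.$(date +%s)"
    render_faillock_conf > /etc/security/faillock.conf
    patch_pam_sshd /etc/pam.d/sshd /etc/pam.d/common-auth && check_order /etc/pam.d/sshd || exit 1
    # Step 3: /var/run is a tmpfs, so also have systemd-tmpfiles recreate the dir at boot.
    mkdir -p /var/run/faillock && chmod 700 /var/run/faillock && chown root:root /var/run/faillock
    printf 'd /var/run/faillock 0700 root root -\n' > /etc/tmpfiles.d/faillock.conf
    # Step 4: keep an existing root session open while testing from another terminal.
    sshd -t && systemctl restart sshd
else
    ca=$(mktemp); sd=$(mktemp)   # constructed samples modelled on Ubuntu's defaults
    printf 'auth\t[success=1 default=ignore]\tpam_unix.so nullok_secure\nauth\trequisite\tpam_deny.so\nauth\trequired\tpam_permit.so\n' > "$ca"
    printf '@include common-auth\naccount required pam_nologin.so\n@include common-account\n@include common-session\n' > "$sd"
    patch_pam_sshd "$sd" "$ca" && check_order "$sd" && cat "$sd"
    rm -f "$ca" "$sd"
fi
```

The dry run shows the stack you should end up with: preauth, then the copied pam_unix.so line, then authfail and authsucc, then pam_deny.so. If you would rather have the lock apply to every service, skip the expansion and insert the authfail and authsucc lines directly after pam_unix.so in /etc/pam.d/common-auth instead; the preauth and account entries can stay in /etc/pam.d/sshd either way. After applying, confirm from a second terminal that three wrong passwords produce an entry in `sudo faillock --user <username>` and that the correct password works again after unlock_time.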
Checking the Status of pam_faillock
After setting up pam_faillock, you can use the faillock command to view and manage failed login attempts. Running faillock with no arguments lists every user that has a recorded failure; to view the status for one user, use:
sudo faillock --user <username>
And to unlock a user’s account, use:
sudo faillock --user <username> --reset
In this tutorial, we've shown you how to set up pam_faillock on Ubuntu 20.04.4 LTS for SSH authentication. It is an effective way to limit brute-force password guessing against your system. It also has many options and interacts closely with the rest of the PAM stack, so be sure to read the pam_faillock(8) and faillock.conf(5) man pages for more information.
PAM, or Pluggable Authentication Modules, is a flexible mechanism for authenticating users in Linux systems. It allows different authentication methods to be used, such as passwords, smart cards, biometrics, etc.
pam_faillock enhances system security by locking user accounts after a certain number of failed login attempts. This helps to deter brute-force attacks, as the attacker will be locked out of the account for a specified period of time.
The configuration file for
pam_faillock is located at
To modify the PAM configuration for SSH, you need to edit the /etc/pam.d/sshd file. Add the required lines mentioned in the tutorial, in the positions described there, to enable pam_faillock for SSH authentication.
You can use the faillock command to check the status of failed login attempts. For example, to view the faillock status for a specific user, use sudo faillock --user <username>.