Ubuntu how to faillog

I cam across an interesting command – faillog

With faillog you can lock a user’s account after x number of failed log in attempts.

HOWEVER – it is not so straight forward – see man pam_tally

In order to enable this option you need to edit a few of the pam configuration files located in /etc/pam.d

What makes this confusing, as with sudo, THE ORDER OF RULES IS CRITICAL.

So, we can not just add a few lines at the bottom of the file, we need to add them in order

In particular, using any editor, open /etc/pam.d/common-auth and add the line AT THE TOP OF THE FILE:

auth required pam_tally.so per_user magic_root onerr=fail

Use the silent option if you do not want pam_tally to give error messages.

auth required pam_tally.so per_user magic_root onerr=fail silent

You may set the number of failed log in attempts and lock out time by either adding additional options to the above line or using faillog

sudo faillog -m 3

To unlock an account use

faillog -u login_name -r

Or set a time with the fail log command, the -l option sets the lock time.

faillog -m 3 -l 3600

Using faillog with ssh

Now to use this with ssh we need to also edit both /etc/pam.d/sshd and /etc/ssh/sshd_config

First, using any editor, open /etc/pam.d/sshd

Look for the line “@include common-auth” , we need to add auth required pam_tally.so per_user onerr=fail

auth required pam_tally.so per_user onerr=fail
@include common-auth

By adding this line before include common-auth we over ride the “magic_root” setting in common-auth.

Once a user is logged in, we need the magic_root option so that failed sudo attempts do not lock us out of root access. But because sshd runs as root, we need to over ride this option in /etc/pam.d/sshd – clear as mud ?

If it does not make sense, read the man pages, open a shell, and log in as root (so you do not loose root access), and test these options, see what happens when as your admin user you try sudo -i and ssh localhost.

Next, using any editor, open /etc/ssh/sshd_config

Change the “ChallengeResponseAuthentication no” to yes (in Ubuntu UsePAM yes was default).

ChallengeResponseAuthentication yes
UsePAM yes

If the pam_tally module locks your account, you will still be able to log in with ssh keys.

So it may be a good idea to make sure you have a working set of ssh keys before you enable this option ;)

This entry was posted in Linux and tagged . Bookmark the permalink.

13 Responses to Ubuntu how to faillog

  1. Pingback: Tweets that mention Shadows of epiphany » Blog Archive » Ubuntu how to faillog -- Topsy.com

  2. Pingback: Bodhi.Zazen: Ubuntu how to faillog | TuxWire

  3. Pingback: Links 27/4/2010: NVIDIA 195.36.24 Linux Driver, KDE Desktops Made Avatar | Techrights

  4. Tudor Holton says:

    Thanks for the great tutorial!

    However, where you say “auth required tam_tally.so per_user onerr=fail” you mean “auth required pam_tally.so per_user onerr=fail” Note we’re dealing with ‘Pam_tally.so’ and not ‘Tam_tally.so’.


  5. Pingback: How will you implement account lockout policy in linux?

  6. Paul says:

    On your iptables primer page you have this statement:

    “mangle – Not used by most SOHO – alteration of quality of service bits in the TCP header.”

    The IP header (not the TCP sub-header) is where the QOS markings field is located.

  7. Charlie says:

    How do you undo the parameters set with:
    sudo faillog -m -3 -l 3600

    I have a conflict with this and PAM, now the 3 invalid attempts aren’t being recorded and no accounts are being locked.


  8. bodhi.zazen says:

    @Charlie try sudo -m 0

    You should consider posting your configuration (PAM) on askubuntu or the forums.

  9. Pingback: Ubuntu how to faillog | Tutorials from tor.eu

  10. Pingback: log files not reflecting the facts

  11. Pingback: Not able to log in due to editing /etc/pam.d/common-auth file!

  12. Pingback: Using faillog

  13. Pingback: Ubuntu:Limit User Login Attempts (Ubuntu 12.10, pam_tally.so, pam_tally2.so) – Ubuntu Linux Questions

Leave a Reply

Your email address will not be published. Required fields are marked *