Frequent Advisor
Re: root login
[ Edited ]

Since there is no way for the probe to distinguish between a failed login attempt and a login that is locked out, from a business perspective I think it's a practical approach to use a cron job to periodically unlock accounts that have been locked out. I use userdbget -i -a "auth_failures"' to detect accounts that are past the range set by AUTH_MAXTRIES, then userdbset -d -u {account} auth_failures to clear it. After doing so I post a log entry.