https://community.hpe.com/t5/operating-system-linux/linux-user-account/m-p/5753659#M53832 <P>Which version of RHEL? ("cat /etc/redhat-release" please)</P><P>&nbsp;</P><P>Depending on the version, the PAM module you'll need is either pam_tally.so or pam_tally2.so.</P><P>&nbsp;</P><P>You must add the tally module to both "auth" and "account" phases in the PAM configuration: the "auth" phase increments the user's login count and rejects the login if the count is too high, the "account" phase resets the counter when a login is successful.</P><P>&nbsp;</P><P>The ordering of PAM configuration entries is important and non-trivial. The RedHat Knowledge Base has several articles on configuring pam_tally:</P><P>&nbsp;</P><P>Recommended configuration with pam_tally2:</P><P><A target="_blank" href="https://access.redhat.com/knowledge/solutions/37687">https://access.redhat.com/knowledge/solutions/37687</A></P><P>&nbsp;</P><P>With some versions (using the older pam_tally) the count may be wrong when using SSH (my guess: an attempt to use SSH key authentication may count as one login attempt?):</P><P><A target="_blank" href="https://access.redhat.com/knowledge/solutions/67401">https://access.redhat.com/knowledge/solutions/67401</A></P><P>&nbsp;</P><P>When the number of failed logins causes the login to be rejected, the message in the system logs may not be obvious, as with sudo:</P><P><A target="_blank" href="https://access.redhat.com/knowledge/solutions/43006">https://access.redhat.com/knowledge/solutions/43006</A></P> Mon, 06 Aug 2012 14:38:24 GMT Matti_Kurkela 2012-08-06T14:38:24Z https://community.hpe.com/t5/operating-system-linux/linux-user-account/m-p/5753277#M53831 <P>hi friends,</P><P>Need help in locking an Linux user account after three failed logins. The server is RHEL, and i tried the PAM settings, but doesn't seem to work with RHEL. The Linux accounts are configured to login using ssh authentication.</P><P>If somebody can help me on this, I would really appreciate it.</P><P>Thanks.</P> Mon, 06 Aug 2012 10:12:44 GMT https://community.hpe.com/t5/operating-system-linux/linux-user-account/m-p/5753277#M53831 jitjose 2012-08-06T10:12:44Z https://community.hpe.com/t5/operating-system-linux/linux-user-account/m-p/5753659#M53832 <P>Which version of RHEL? ("cat /etc/redhat-release" please)</P><P>&nbsp;</P><P>Depending on the version, the PAM module you'll need is either pam_tally.so or pam_tally2.so.</P><P>&nbsp;</P><P>You must add the tally module to both "auth" and "account" phases in the PAM configuration: the "auth" phase increments the user's login count and rejects the login if the count is too high, the "account" phase resets the counter when a login is successful.</P><P>&nbsp;</P><P>The ordering of PAM configuration entries is important and non-trivial. The RedHat Knowledge Base has several articles on configuring pam_tally:</P><P>&nbsp;</P><P>Recommended configuration with pam_tally2:</P><P><A target="_blank" href="https://access.redhat.com/knowledge/solutions/37687">https://access.redhat.com/knowledge/solutions/37687</A></P><P>&nbsp;</P><P>With some versions (using the older pam_tally) the count may be wrong when using SSH (my guess: an attempt to use SSH key authentication may count as one login attempt?):</P><P><A target="_blank" href="https://access.redhat.com/knowledge/solutions/67401">https://access.redhat.com/knowledge/solutions/67401</A></P><P>&nbsp;</P><P>When the number of failed logins causes the login to be rejected, the message in the system logs may not be obvious, as with sudo:</P><P><A target="_blank" href="https://access.redhat.com/knowledge/solutions/43006">https://access.redhat.com/knowledge/solutions/43006</A></P> Mon, 06 Aug 2012 14:38:24 GMT https://community.hpe.com/t5/operating-system-linux/linux-user-account/m-p/5753659#M53832 Matti_Kurkela 2012-08-06T14:38:24Z