A system administrator needs to monitor unusual activity on the system. An unauthorized user may try to get in by guessing passwords, one attempt after another. A Linux feature that can be used to keep an eye on such failed login attempts is the “faillog” utility.
The “faillog” command displays the failed login attempts recorded for each user. If there are too many unsuccessful attempts, the account can be disabled using “faillog”, and the account can also be locked for a configurable number of seconds after a user fails to log in.
Faillog command syntax
These failures are stored in a file named “faillog” in the /var/log directory. The “faillog” command reads this file (/var/log/faillog) to display the failed logins. Entered on its own, “faillog” prints the recorded unsuccessful attempts:
# faillog
Login       Failures Maximum Latest                    On
student     1        0       06/28/12 15:27:27 +0530   tty1
After a failed login, the user can be locked for a specified time with -l option. To lock an account (say, student) for 1 minute (60 seconds), use the following:
# faillog -l 60 -u student
# faillog
Login       Failures Maximum Latest                    On
student     2        0       06/28/12 15:28:32 +0530   tty1 [51s left]
As you can see, the time remaining on the lock is displayed in the last column. The -u option selects the user whose record is being changed. Further, a maximum number of failed logins before the account is disabled can be set with the -m option:
# faillog -m 3 -u student
This command disables the 'student' account after 3 unsuccessful logins. Note that -m 0 does the opposite: it removes the limit for that user, so an account given a maximum of 0 is never disabled by the count.
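As an added example (not from the original post), here is a small reader for the binary /var/log/faillog file that the “faillog” command formats above. It assumes the struct faillog layout from shadow-utils on 64-bit Linux (two shorts, a 12-byte tty name, an 8-byte time_t and an 8-byte long, 32 bytes per record, with the record for UID n at offset n*32); the sample file, the fixed "current time" and the UIDs are constructed for the example, and the lock logic mirrors the per-user limit (faillog -m) and lock window (faillog -l, the "[51s left]" column).

```python
"""Read /var/log/faillog records and report who is locked.

Added example, not the post's own code. Assumes the shadow-utils
struct faillog layout on x86_64:
    short fail_cnt; short fail_max; char fail_line[12];
    time_t fail_time; long fail_locktime;
On 32-bit systems time_t and long are 4 bytes, so pass a different
struct format (e.g. "<hh12sll") when reading a file from such a host.
"""
import os
import struct
import time

FAILLOG_FMT_64 = "<hh12sqq"          # assumed layout, see module docstring
RECORD_SIZE = struct.calcsize(FAILLOG_FMT_64)   # 32 bytes per UID


def parse_faillog(data, fmt=FAILLOG_FMT_64):
    """Yield one dict per non-empty record. The file is sparse and indexed
    by UID: the record for UID n starts at byte n * record_size."""
    size = struct.calcsize(fmt)
    for uid in range(len(data) // size):
        cnt, maxf, line, ftime, locktime = struct.unpack_from(fmt, data, uid * size)
        if cnt == 0 and maxf == 0 and ftime == 0 and locktime == 0:
            continue                     # untouched (all-zero) slot
        yield {"uid": uid, "fail_cnt": cnt, "fail_max": maxf,
               "fail_line": line.rstrip(b"\0").decode(errors="replace"),
               "fail_time": ftime, "fail_locktime": locktime}


def lock_state(rec, now):
    """Return (locked, seconds_left) for a record.

    locked is true when the per-user limit (fail_max, set by faillog -m)
    has been reached, or when the per-user lock window (fail_locktime,
    set by faillog -l) has not yet expired since the last failure. A
    fail_max of 0 means "no limit", as in faillog -m 0.
    """
    over_limit = rec["fail_max"] > 0 and rec["fail_cnt"] >= rec["fail_max"]
    left = rec["fail_time"] + rec["fail_locktime"] - now
    in_window = rec["fail_locktime"] > 0 and rec["fail_cnt"] > 0 and left > 0
    return (over_limit or in_window), max(left, 0)


def report(data, now, fmt=FAILLOG_FMT_64):
    """Map uid -> (failures, locked, seconds_left) for every non-empty record."""
    out = {}
    for rec in parse_faillog(data, fmt):
        locked, left = lock_state(rec, now)
        out[rec["uid"]] = (rec["fail_cnt"], locked, left)
    return out


def build_sample(records, fmt=FAILLOG_FMT_64):
    """Constructed sample file: pack each record at uid * record_size."""
    size = struct.calcsize(fmt)
    buf = bytearray((max(records) + 1) * size)
    for uid, (cnt, maxf, line, ftime, locktime) in records.items():
        struct.pack_into(fmt, buf, uid * size, cnt, maxf, line.encode(), ftime, locktime)
    return bytes(buf)


NOW = 1340877512   # constructed "current time" so the example is deterministic
SAMPLE = build_sample({
    # uid: (fail_cnt, fail_max, fail_line, fail_time, fail_locktime)
    500: (2, 0, "tty1", NOW - 9, 60),          # like the post: 60 s lock, 51 s left
    501: (3, 3, "ssh:notty", NOW - 3600, 0),   # reached its limit (faillog -m 3)
    502: (1, 5, "tty2", NOW - 7200, 60),       # lock window long expired, under limit
})


if __name__ == "__main__":
    # The constructed sample; then the real file if we can read it.
    for label, data, now in [("sample", SAMPLE, NOW)] + (
            [("/var/log/faillog", open("/var/log/faillog", "rb").read(), int(time.time()))]
            if os.access("/var/log/faillog", os.R_OK) else []):
        print(f"== {label} ==")
        for uid, (cnt, locked, left) in sorted(report(data, now).items()):
            print(f"uid {uid}: failures={cnt} locked={locked} seconds_left={left}")
```

Reading the real file needs root on most systems; the sample shows the three cases that matter: a lock window still running, a per-user limit that has been reached, and a stale failure that no longer locks anyone.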
If you read carefully, “faillog” does not itself log the failures; it only displays (and adjusts) what is already in the file. Recording each failed attempt is the job of the pam_tally.so module. Before going into the details of this module, let's have a quick overview of PAM.
Pluggable Authentication Modules (PAM)
As the name suggests, PAM is the framework through which authentication on Linux is done. The modules are 'pluggable': any program that needs to authenticate a user links against the PAM library and hands the decision to whichever modules are configured for it, so the policy can be changed without touching the program. PAM is therefore not a “program or utility” that you run; it is a library plus a set of modules (the pam_*.so files) driven by the configuration in /etc/pam.d/. For example, when we log in at a text console (the prompt that looks like “localhost login: ”), the program running behind it is the 'login' utility, and it uses PAM modules to check the password. Other programs such as sshd (remote login), su (switching users), and at and cron (scheduling tasks) also use PAM modules for authentication.
So, let's return to the pam_tally.so module. This module counts failed login attempts and stores the count in /var/log/faillog, its default tally file. If your system is not configured to use this module, the file is never updated and “faillog” has nothing to report. To enable it on a Red Hat-family system, edit /etc/pam.d/system-auth (on Debian and Ubuntu the equivalent files are /etc/pam.d/common-auth and /etc/pam.d/common-account) and add these 2 lines:
auth required pam_tally.so
account required pam_tally.so
The auth entry increments the counter on each login attempt and refuses the login once the count is over the limit; the account entry resets the counter after a successful login. A system-wide limit is given to the auth entry with the deny=N option, and a lock-out period with lock_time=N; the per-user values set with faillog -m and faillog -l are used instead of those options only when the auth entry also carries the per_user option (see pam_tally(8)).
My /etc/pam.d/system-auth file looks like this (the added lines are the ones between the “### Added by Raghu ###” comments):
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
###---------Added by Raghu---------###
auth        required      pam_tally.so
###--------------------------------###
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
###---------Added by Raghu---------###
account     required      pam_tally.so
###--------------------------------###
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
One caveat about this ordering: the added auth line sits after pam_unix.so, which is marked sufficient. A correct password therefore makes the auth stack return success before pam_tally.so is ever reached, so with this file the module only counts failures and never actually refuses a login, whatever limit faillog -m or a lock from faillog -l says. To enforce the limit, the pam_tally(8) manual places the auth entry before pam_unix.so. Note also that pam_tally is old: current Linux-PAM releases ship pam_faillock (and formerly pam_tally2) in its place, with their own faillock command instead of faillog.
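The same stack with pam_tally.so placed where its manual puts it, as an added example rather than the post's own configuration (deny, onerr, lock_time and per_user are options documented in pam_tally(8); the values 3 and 60 are illustrative; the unchanged lines of the file are omitted):

```text
# /etc/pam.d/system-auth, auth and account sections only (illustrative)
auth        required      pam_env.so
# count every attempt, refuse once 3 failures are reached, lock 60 s after a
# failure, and let faillog -m / faillog -l override these per user
auth        required      pam_tally.so onerr=fail deny=3 lock_time=60 per_user
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
# reset the counter once the user has fully authenticated
account     required      pam_tally.so
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
```

Because pam_tally.so now runs before the sufficient pam_unix.so line, a user who has hit the limit is refused even with the right password; onerr=fail makes the module deny rather than allow if the tally file cannot be read. Edit PAM files from a second, already-open root shell so a mistake does not lock you out.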
Thanks for reading, and please leave your suggestions in the comment section below.