
Configure an Account Lockout Policy

Hands-On Lab



Bob Salmans

Training Architect

Length

00:30:00

Difficulty

Intermediate

In this lab, we will use the Pluggable Authentication Module (PAM) to create an account lockout policy. Account lockout policies are crucial in preventing brute force password attacks from being successful.

Solution

  1. Begin by logging in to the lab server using the credentials provided on the hands-on lab page:

    ssh cloud_user@PUBLIC_IP_ADDRESS
  2. Become the root user:

    sudo su -

Install PAM

  1. To install PAM, run the following command:

    sudo yum install -y pam-devel

Create an account lockout policy

  1. To set up an account lockout policy that locks an account for 15 minutes (unlock_time=900 seconds) after 3 consecutive failed logins (deny=3) and applies to the root account as well (even_deny_root), add the same three lines to both /etc/pam.d/password-auth and /etc/pam.d/system-auth, as described in the steps below.

  2. Edit the /etc/pam.d/password-auth file:

    vi /etc/pam.d/password-auth
  3. Add the following as the second uncommented line in the file:

    auth        required      pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=900
  4. Add the following as the fourth uncommented line in the file:

    auth        [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=900
  5. Next, add the following as the first line in the account section:

    account     required      pam_faillock.so
  6. Save and close the /etc/pam.d/password-auth file.

  7. Edit the /etc/pam.d/system-auth file:

    vi /etc/pam.d/system-auth
  8. Add the following as the second uncommented line in the file:

    auth        required      pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=900
  9. Add the following as the fourth uncommented line in the file:

    auth        [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=900
  10. Next, add the following as the first line in the account section:

    account     required      pam_faillock.so
  11. Save and close the /etc/pam.d/system-auth file.
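Because the same three lines have to land in matching positions in two files, a quick consistency check is useful before logging out. The POSIX sh function below is an added example, not part of the lab; it assumes the stack layout the steps above produce (the faillock preauth and authfail lines bracketing the auth pam_unix.so entry, and the account faillock line ahead of the account pam_unix.so entry) and takes the expected deny= and unlock_time= values as arguments.

```shell
# check_faillock_policy FILE DENY UNLOCK
# Verifies that a PAM stack file (e.g. /etc/pam.d/system-auth) carries the three
# pam_faillock.so lines from the lab in a working order. Prints one line per
# problem found and returns the number of problems (0 = policy complete).
check_faillock_policy() (
    set -f                    # no pathname globbing: "[default=die]" is a glob pattern
    file=$1 deny=$2 unlock=$3
    n=0 pre=0 fail=0 acct=0 unix_auth=0 unix_acct=0 problems=0
    complain() { echo "$file: $1"; problems=$((problems + 1)); }
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[![:space:]]*}"}      # trim leading whitespace
        case $line in ''|\#*) continue ;; esac     # skip blank and comment lines
        n=$((n + 1))                               # position among uncommented lines
        set -- $line
        [ $# -ge 3 ] || continue
        type=$1 ctrl=$2; shift 2
        # a bracketed control such as "[success=1 default=bad]" spans several fields
        while [ $# -gt 1 ] && [ "${ctrl#\[}" != "$ctrl" ] && [ "${ctrl%\]}" = "$ctrl" ]; do
            ctrl="$ctrl $1"; shift
        done
        module=$1; shift; args=" $* "
        case "$type $module $args" in
            "auth pam_unix.so "*)                  unix_auth=$n ;;
            "account pam_unix.so "*)               unix_acct=$n ;;
            "account pam_faillock.so "*)           acct=$n ;;
            "auth pam_faillock.so "*" preauth "*)  pre=$n;  pre_args=$args ;;
            "auth pam_faillock.so "*" authfail "*) fail=$n; fail_args=$args ;;
        esac
    done < "$file"
    if [ "$pre" -eq 0 ]; then complain "no 'auth ... pam_faillock.so preauth' line"
    elif [ "$unix_auth" -gt 0 ] && [ "$pre" -gt "$unix_auth" ]; then
        complain "preauth line must come before 'auth ... pam_unix.so'"
    fi
    if [ "$fail" -eq 0 ]; then complain "no 'auth [default=die] pam_faillock.so authfail' line"
    elif [ "$unix_auth" -gt 0 ] && [ "$fail" -lt "$unix_auth" ]; then
        complain "authfail line must come after 'auth ... pam_unix.so'"
    fi
    if [ "$acct" -eq 0 ]; then complain "no 'account required pam_faillock.so' line"
    elif [ "$unix_acct" -gt 0 ] && [ "$acct" -gt "$unix_acct" ]; then
        complain "account pam_faillock.so line must come before 'account ... pam_unix.so'"
    fi
    # both auth lines must carry the same lockout parameters
    for opt in "deny=$deny" "unlock_time=$unlock" even_deny_root; do
        if [ "$pre" -gt 0 ]; then case $pre_args in *" $opt "*) ;; *) complain "preauth line lacks $opt" ;; esac; fi
        if [ "$fail" -gt 0 ]; then case $fail_args in *" $opt "*) ;; *) complain "authfail line lacks $opt" ;; esac; fi
    done
    return "$problems"
)
```

Run it as `check_faillock_policy /etc/pam.d/system-auth 3 900 && check_faillock_policy /etc/pam.d/password-auth 3 900` after editing; a zero exit status means both files match the policy from this lab.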

Test the account lockout policy

  1. Open a new tab in your terminal application.

  2. From the new tab, attempt to log in as cloud_user and enter an incorrect password three times:

    ssh cloud_user@PUBLIC_IP_ADDRESS
  3. Back in the first tab, run the faillock command; it now lists the recorded failed logins for cloud_user.

Conclusion

Congratulations — you've completed this hands-on lab!