Configure lockout rules for SSH login
This topic explains how you can configure lockout rules for failed login attempts to ASMS via SSH.
By default, a user is locked out after 6 failed attempts to log in to ASMS via SSH. The default lockout duration is 120 seconds.
When a user is locked out and tries to log in, this message appears:
"Permission denied, please try again."
Tip: You can see SSH log information at /var/log/secure.
Configure failed attempts and unlock time
- Open the file /etc/pam.d/ssh
- Change the value of the following two parameters:
  - deny: the number of failed login attempts after which the account is locked (default 6)
  - unlock_time: the time the account remains locked, in seconds (default 120)
For example:
auth required pam_tally2.so deny=2 even_deny_root unlock_time=30
In this example, the account is locked after two failed login attempts and remains locked for 30 seconds.
Note:
Failed SSH login attempts are logged as syslog messages. For example:
type=USER_AUTH msg=audit(1618303350.983:1185808): pid=8212 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="afa" exe="/usr/sbin/sshd" hostname=10.20.9.4 addr=10.20.9.4 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1618303352.815:1185809): pid=8212 uid=0 auid=4294967295 ses=4294967295 msg='op=password acct="afa" exe="/usr/sbin/sshd" hostname=? addr=10.20.9.4 terminal=ssh res=failed'
In this example, there was a failed attempt to log in as user afa from 10.20.9.4.
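The following script is an added example (not part of the ASMS documentation) that ties the two pieces above together: it reads the deny and unlock_time values from a pam_tally2 configuration line, and it counts failed USER_AUTH records per account and client address so an administrator can see which accounts have reached the lockout threshold. The audit lines it parses are constructed samples modelled on the two records shown in the note; the timestamps, PIDs, second client address and the "ops" account are made up. It assumes, as the note's sample shows, that each failed attempt produces both an op=PAM:authentication record and an op=password record, so only the PAM:authentication record is counted.

```python
import re
from collections import Counter

# Constructed sample: the pam_tally2 line from the procedure above.
PAM_LINE = "auth required pam_tally2.so deny=2 even_deny_root unlock_time=30"

# Constructed sample audit records (values invented for the example).
AUDIT_LINES = """\
type=USER_AUTH msg=audit(1618303350.983:1185808): pid=8212 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="afa" exe="/usr/sbin/sshd" hostname=10.20.9.4 addr=10.20.9.4 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1618303352.815:1185809): pid=8212 uid=0 auid=4294967295 ses=4294967295 msg='op=password acct="afa" exe="/usr/sbin/sshd" hostname=? addr=10.20.9.4 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1618303360.101:1185810): pid=8230 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="afa" exe="/usr/sbin/sshd" hostname=10.20.9.4 addr=10.20.9.4 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1618303361.420:1185811): pid=8230 uid=0 auid=4294967295 ses=4294967295 msg='op=password acct="afa" exe="/usr/sbin/sshd" hostname=? addr=10.20.9.4 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1618303370.555:1185812): pid=8241 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="afa" exe="/usr/sbin/sshd" hostname=10.20.9.7 addr=10.20.9.7 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1618303371.900:1185813): pid=8241 uid=0 auid=4294967295 ses=4294967295 msg='op=password acct="afa" exe="/usr/sbin/sshd" hostname=? addr=10.20.9.7 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1618303380.012:1185814): pid=8255 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_unix acct="ops" exe="/usr/sbin/sshd" hostname=10.20.9.4 addr=10.20.9.4 terminal=ssh res=success'
"""

# Fields of a USER_AUTH record, in the order they appear in the sample lines.
AUDIT_RE = re.compile(
    r'type=USER_AUTH .*?op=(?P<op>[^ ]+) .*?acct="(?P<acct>[^"]*)" '
    r'.*?addr=(?P<addr>[^ ]+) .*?res=(?P<res>\w+)'
)


def parse_pam_tally2_options(line):
    """Return {"deny": n, "unlock_time": s} from a pam_tally2 config line.

    Missing options fall back to the defaults stated on this page
    (deny=6, unlock_time=120 seconds).
    """
    if "pam_tally2.so" not in line:
        raise ValueError("not a pam_tally2 configuration line")
    opts = {"deny": 6, "unlock_time": 120}
    for key, value in re.findall(r"\b(deny|unlock_time)=(\d+)", line):
        opts[key] = int(value)
    return opts


def failed_attempts(lines):
    """Count failed PAM authentications per (account, client address).

    Only op=PAM:authentication records are counted; the op=password record
    that follows each one in the sample belongs to the same attempt.
    """
    counts = Counter()
    for line in lines:
        m = AUDIT_RE.search(line)
        if not m or m.group("res") != "failed":
            continue
        if m.group("op") != "PAM:authentication":
            continue
        counts[(m.group("acct"), m.group("addr"))] += 1
    return counts


def accounts_at_lockout(counts, deny):
    """Accounts whose total failures (across all clients) reached the deny threshold.

    pam_tally2 tallies per account, not per client, so failures from
    different addresses are summed before comparing with deny.
    """
    per_acct = Counter()
    for (acct, _addr), n in counts.items():
        per_acct[acct] += n
    return sorted(acct for acct, n in per_acct.items() if n >= deny)


if __name__ == "__main__":
    opts = parse_pam_tally2_options(PAM_LINE)
    counts = failed_attempts(AUDIT_LINES.splitlines())
    for (acct, addr), n in sorted(counts.items()):
        print(f"{acct} from {addr}: {n} failed attempt(s)")
    print("locked out (deny=%d, unlock_time=%ds):" % (opts["deny"], opts["unlock_time"]),
          accounts_at_lockout(counts, opts["deny"]))
```

Run the script against a copy of /var/log/audit/audit.log (or the lines of /var/log/secure that carry USER_AUTH records) by replacing AUDIT_LINES with the file contents; the per-client breakdown mirrors what pam_tally2 --user=<user name> reports, while the deny comparison shows which accounts the configured threshold would have locked.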
See failed login attempts from different clients for a specific user
You can see failed login attempts from different clients for a specific user:
- Log in as user root.
- Run the following:
  pam_tally2 --user=<user name>
  where <user name> is the name of the user account.
Unlock an account
To reset the failed login attempts and unlock an account:
- Log in as user root.
- Run the following:
  pam_tally2 --user=<user name> --reset
  where <user name> is the name of the user account.