faillog example usage and output

    notblog@infinity:~$ faillog -u root
    Login       Failures Maximum Latest                   On
    root           13        0   02/25/13 10:17:11 +0000  /dev/pts/0

Login : Attempted login user

Failures : Failed login attempts

Maximum : Allowed login failures before disabling the account

Latest : Date and time of last failed login

On : Where the failed login occurred

Step 1 – Enable pam_tally.so in /etc/pam.d/common-auth

Add the following lines to the top of the file:



    # Log failed logins to /var/log/faillog
    auth required pam_tally.so per_user magic_root onerr=fail

Example /etc/pam.d/common-auth

    # Log failed logins to /var/log/faillog
    auth required pam_tally.so per_user magic_root onerr=fail

    # here are the per-package modules (the "Primary" block)
    auth [success=1 default=ignore] pam_unix.so nullok_secure

    # here's the fallback if no module succeeds
    auth requisite pam_deny.so
    ...

Step 2 – Enable pam_tally.so in /etc/pam.d/sshd

Add the following lines immediately before @include common-auth:

    # Log failed login attempts to /var/log/faillog
    auth required pam_tally.so per_user onerr=fail

Example /etc/pam.d/sshd

    # Read environment variables from /etc/environment and
    # /etc/security/pam_env.conf.
    auth required pam_env.so # [1]

    # In Debian 4.0 (etch), locale-related environment variables were moved to
    # /etc/default/locale, so read that as well.
    auth required pam_env.so envfile=/etc/default/locale

    # Log failed login attempts to /var/log/faillog
    auth required pam_tally.so per_user onerr=fail

    # Standard Un*x authentication.
    @include common-auth

    # Disallow non-root logins when /etc/nologin exists.
    account required pam_nologin.so
    ...

Step 3 – Enable PAM in /etc/ssh/sshd_config

/etc/ssh/sshd_config

    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication. Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin without-password".
    # If you just want the PAM account and session checks to run without
    # PAM authentication, then enable this but set PasswordAuthentication
    # and ChallengeResponseAuthentication to 'no'.
    UsePAM yes

Step 4 – Restart ssh

    notblog@infinity:~$ sudo service ssh restart
    ssh stop/waiting
    ssh start/running, process 11717
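
A check for the edits made in Steps 1 to 3, added here as an example and not part of the original post. The function names are this example's own, and the three file paths are passed as arguments so the script can also be run against copies of the files.

```shell
#!/bin/sh
# Added example: verify the edits from Steps 1-3. Function names are this example's own.
# Usage: sh check.sh /etc/pam.d/common-auth /etc/pam.d/sshd /etc/ssh/sshd_config

TALLY='auth[[:space:]]+required[[:space:]]+pam_tally[.]so'

# Print the line number of the first non-comment, non-blank line
# in file $2 that starts with the extended regex $1.
first_active() {
    grep -n -E -v '^[[:space:]]*(#|$)' "$2" |
        grep -E "^[0-9]+:[[:space:]]*$1" | head -n 1 | cut -d: -f1
}

# Step 1: pam_tally.so must be the first active auth entry ("top of the file").
check_common_auth() {
    tally=$(first_active "$TALLY" "$1")
    first=$(first_active 'auth[[:space:]]' "$1")
    [ -n "$tally" ] && [ "$tally" = "$first" ]
}

# Step 2: pam_tally.so must appear before "@include common-auth".
check_sshd_pam() {
    tally=$(first_active "$TALLY" "$1")
    inc=$(first_active '@include[[:space:]]+common-auth' "$1")
    [ -n "$tally" ] && [ -n "$inc" ] && [ "$tally" -lt "$inc" ]
}

# Step 3: sshd uses the first value it reads for a keyword, so the first
# uncommented UsePAM line must say "yes" (the keyword is case-insensitive).
check_sshd_config() {
    val=$(grep -i -E '^[[:space:]]*UsePAM[[:space:]]+' "$1" | head -n 1 | awk '{ print $2 }')
    [ "$val" = "yes" ]
}

# Run all three checks and report each failure; returns 0 only if all pass.
verify_all() {
    rc=0
    check_common_auth "$1" || { echo "FAIL: pam_tally.so is not the first auth entry in $1"; rc=1; }
    check_sshd_pam "$2" || { echo "FAIL: pam_tally.so missing or after '@include common-auth' in $2"; rc=1; }
    check_sshd_config "$3" || { echo "FAIL: first UsePAM setting is not 'yes' in $3"; rc=1; }
    if [ "$rc" -eq 0 ]; then echo "OK: Steps 1-3 are in place"; fi
    return "$rc"
}

if [ "$#" -eq 3 ]; then verify_all "$@"; fi
```

Running it before Step 4 catches a misplaced pam_tally.so line while the current sshd process is still serving logins.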