Configure lockout rules for SSH login

This topic explains how you can configure lockout rules for failed login attempts to ASMS via SSH.

By default, after 6 failed attempts, a user trying to login to ASMS via SSH is locked out. The default duration for lockout is 120 seconds.

When a user is locked out and tries to log in, this message appears:

"Permission denied, please try again."

Tip: You can see SSH log information at /var/log/secure.

Configure failed attempts and unlock time

  1. Open the file /etc/pam.d/ssh

  2. Change the value of the following two parameters:

    • deny: (the number of failed login attempts after which the account is locked. Default 6)

    • unlock_time: (the time duration the account will be locked, in seconds. Default 120)

    For example:

    auth required pam_tally2.so deny=2 even_deny_root unlock_time=30

    In this example, the account is locked after two failed login attempts and remains locked for 30 seconds.

Note:

The failed SSH login attempts are logged as a syslog message. For example:

type=USER_AUTH msg=audit(1618303350.983:1185808): pid=8212 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="afa" exe="/usr/sbin/sshd" hostname=10.20.9.4 addr=10.20.9.4 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1618303352.815:1185809): pid=8212 uid=0 auid=4294967295 ses=4294967295 msg='op=password acct="afa" exe="/usr/sbin/sshd" hostname=? addr=10.20.9.4 terminal=ssh res=failed'

In this example, there was a failed attempt to login from 10.20.9.4 with user afa.

Back to top

See failed login attempts from different clients for a specific user

You can see failed login attempts from different clients for a specific user:

  1. Login as user root.

  2. Run the following:

    pam_tally2 --user=<user name>

    where <user name> is the name of the user account.

Back to top

Unlock an account

To reset the failed login attempts and unlock an account:

  1. Login as user root.

  2. Run the following:

    pam_tally2 --user=<user name> --reset

    where <user name> is the name of the user account.

Back to top