In this lab, we will use the Pluggable Authentication Module (PAM) to create an account lockout policy. Account lockout policies are crucial in preventing brute force password attacks from being successful.
*This course is not approved or sponsored by Red Hat.*
Learning Objectives
Successfully complete this lab by achieving the following learning objectives:
- Install PAM
To install PAM, run the following command:
sudo yum install -y pam-devel
- Create an Account Lockout Policy
To set up an account lockout policy that will lock for 15 minutes after 3 consecutive failed logins and includes the root account in the policy, you’ll need to add the following lines to both
/etc/pam.d/password-authand/etc/pam.d/system-auth:auth required pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=900 auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=900- The first line above should be the second uncommented line in the files
- The second line above should be the fourth uncommented line in the files.
Next, we need to add the following line as the first line in the
accountsection of thepassword-authandsystem-authfiles:account required pam_faillock.so
- Test the Account Lockout Policy
- Open a new shell to your host
- Enter incorrect login credentials for
cloud_user - Run the command
faillockand you now see the recorded failed logins
