How to Lock User Accounts After Login Failure

Few web hosting users are robotic enough to always type their usernames and passwords perfectly every time they try to log in, but repeated failed attempts to access an account could be evidence of a security problem. As a precaution, it is a good idea to have accounts locked after a number of failed login attempts.

On a Linux dedicated server, the “faillog” command will tell you how many failed login attempts a user has. Before you can use faillog, you need to tell PAM (Pluggable Authentication Modules, the authentication framework on Linux) to count failed login attempts. To do this, edit the file /etc/pam.d/system-auth (the shared authentication configuration on Red Hat-style distributions) and enable the pam_tally module in both the auth and account stacks:

auth required pam_tally.so no_magic_root
account required pam_tally.so deny=3 no_magic_root lock_time=180

With “deny=3”, the user’s account will be locked after 3 failed login attempts. The “lock_time” setting tells PAM how long to deny another login after a single failed attempt. The “no_magic_root” setting keeps it from locking the root user.

To display all failed login attempts, type:

faillog -a

To display failed logins for a particular user, type:

faillog -u username

To reset a user’s failure count, unlocking the account after the maximum number of login attempts has been reached, type:

faillog -r -u username

To manually lock an account, use the “passwd” command:

passwd -l username

To unlock the account:

passwd -u username
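As an added example that is not part of the original article, the following POSIX shell script checks a PAM configuration file for the pam_tally lines shown above and lists, from faillog output, the users whose failure count has reached the deny limit. The configuration contents, user names and dates are constructed samples, and the helper names (pam_tally_option, audit_lockout, locked_users) are assumptions.

```shell
# Constructed sample of /etc/pam.d/system-auth (hypothetical content).
SAMPLE_PAM_CONF='auth     required   pam_env.so
auth     required   pam_tally.so no_magic_root
auth     sufficient pam_unix.so nullok try_first_pass
account  required   pam_tally.so deny=3 no_magic_root lock_time=180
account  required   pam_unix.so'
# Constructed sample of "faillog -a" output (hypothetical users and dates).
SAMPLE_FAILLOG='Login       Failures Maximum Latest                   On
root            0        0   01/01/70 00:00:00 +0000
alice           1        3   03/04/24 09:12:51 +0000  pts/0
bob             3        3   03/04/24 09:40:02 +0000  pts/1'

# pam_tally_option FILE TYPE OPTION
# Prints OPTION's value from the TYPE line that loads pam_tally.so (deny=3 -> 3),
# "set" for a bare flag such as no_magic_root, and nothing if it is absent.
pam_tally_option() {
    awk -v type="$2" -v opt="$3" '
        $1 == type && $3 ~ /(^|\/)pam_tally\.so$/ {
            for (i = 4; i <= NF; i++) {
                n = split($i, kv, "=")
                if (kv[1] == opt) { print (n > 1 ? kv[2] : "set"); exit }
            }
        }' "$1"
}
# audit_lockout FILE: returns 0 when both pam_tally lines are present with a
# deny limit and root protection; otherwise prints each gap and returns 1.
audit_lockout() {
    rc=0
    [ "$(pam_tally_option "$1" auth no_magic_root)" = set ] ||
        { echo "auth pam_tally line missing or lacks no_magic_root"; rc=1; }
    [ -n "$(pam_tally_option "$1" account deny)" ] ||
        { echo "account pam_tally line has no deny= limit"; rc=1; }
    [ "$(pam_tally_option "$1" account no_magic_root)" = set ] ||
        { echo "account pam_tally line lacks no_magic_root"; rc=1; }
    return $rc
}
# locked_users FAILLOG_FILE LIMIT: prints logins whose failure count has
# reached LIMIT, skipping the faillog header line.
locked_users() {
    awk -v limit="$2" 'NR > 1 && $2 + 0 >= limit { print $1 }' "$1"
}

pamf=$(mktemp); printf '%s\n' "$SAMPLE_PAM_CONF" > "$pamf"
logf=$(mktemp); printf '%s\n' "$SAMPLE_FAILLOG" > "$logf"
audit_lockout "$pamf" && echo "lockout policy OK"
locked_users "$logf" "$(pam_tally_option "$pamf" account deny)"   # prints bob
```

On a real server, point audit_lockout at /etc/pam.d/system-auth and feed locked_users the output of `faillog -a` to see who needs a `faillog -r -u username` reset.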

With these security measures in place, you greatly reduce the chance that an attacker gains access to your server by password guessing. It also means, however, that particularly forgetful users may contact you when they accidentally lock themselves out with failed login attempts, so be prepared to assist them quickly.