The pam_tally2 command is used to lock and unlock accounts after failed SSH logins on Linux-like operating systems. A common security requirement is that a user’s account must be locked after a number of failed login attempts. This can be implemented with the PAM module called pam_tally2. The module can display a user’s login attempts, set counts on an individual basis, and unlock all user counts.

pam_tally2 comes in two parts: pam_tally2.so and pam_tally2. The former is the PAM module and the latter is a stand-alone program. pam_tally2 is an application that can be used to interrogate and manipulate the counter file.

In this article, we will discuss how to lock and unlock a user’s account after a fixed number of failed SSH attempts on RHEL/CentOS 6.X. The pam_tally2 module is already installed by default in Linux. To set the lock and unlock rules, edit the two files /etc/pam.d/system-auth and /etc/pam.d/password-auth and add the line below at the start of the auth section in both files.

auth        required      pam_tally2.so file=/var/log/tallylog deny=3 even_deny_root unlock_time=1200

Then add the line below to the account section in both files:

account     required      pam_tally2.so

[Figures: sample /etc/pam.d/system-auth and /etc/pam.d/password-auth files]


file=/var/log/tallylog – Default log file which keeps the login counts.
deny=3 – Deny access after 3 attempts and lock the user.
even_deny_root – The policy also applies to the root user.
unlock_time=1200 – The account stays locked for 20 minutes, after which it is unlocked.
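
A check for the configuration above, added here as an example and not part of the original article: the function audit_tally (a hypothetical name) reads a PAM stack file and reports whether the pam_tally2.so auth line comes first, carries deny=, and has a matching account line. The two sample stacks are constructed for the demonstration.

```shell
# audit_tally FILE: audit a PAM stack file for the pam_tally2 lines described above.
# Prints one finding per problem; returns 0 only when nothing required is missing.
audit_tally() {
    awk '
    /^[ \t]*(#|$)/ { next }                       # skip comments and blank lines
    {
        mod = ""; first_arg = 0
        for (i = 3; i <= NF; i++)                 # module = first field ending in .so
            if ($i ~ /\.so$/) { mod = $i; first_arg = i + 1; break }
        sub(/^.*\//, "", mod)                     # tolerate an absolute module path
    }
    $1 == "auth" {
        n_auth++
        if (mod == "pam_tally2.so" && !tally_pos) {
            tally_pos = n_auth
            for (i = first_arg; i <= NF; i++) { split($i, kv, "="); opt[kv[1]] = 1 }
        }
    }
    $1 == "account" && mod == "pam_tally2.so" { in_account = 1 }
    END {
        if (!tally_pos) { print "MISSING: auth line for pam_tally2.so"; bad = 1 }
        else {
            if (tally_pos > 1) { print "ORDER: pam_tally2.so is auth entry " tally_pos ", expected first"; bad = 1 }
            if (!("deny" in opt)) { print "MISSING: deny=, failures are counted but never lock"; bad = 1 }
            if (!("unlock_time" in opt)) print "NOTE: no unlock_time=, lockouts last until a manual reset"
            if (!("even_deny_root" in opt)) print "NOTE: no even_deny_root, root is never locked"
        }
        if (!in_account) { print "MISSING: account line for pam_tally2.so"; bad = 1 }
        exit bad + 0
    }' "$1"
}

# Constructed sample stacks (not taken from a real host)
tmp=$(mktemp -d)
cat > "$tmp/good" <<'EOF'
auth        required      pam_tally2.so file=/var/log/tallylog deny=3 even_deny_root unlock_time=1200
auth        sufficient    pam_unix.so nullok try_first_pass
account     required      pam_unix.so
account     required      pam_tally2.so
EOF
cat > "$tmp/bad" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_tally2.so file=/var/log/tallylog unlock_time=1200
account     required      pam_unix.so
EOF
for f in good bad; do
    echo "== $f"; audit_tally "$tmp/$f" && echo "OK" || echo "needs fixing"
done
```

On a real host, run it against both /etc/pam.d/system-auth and /etc/pam.d/password-auth, since the article's procedure requires the lines in both files.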

Now try to log in to the Linux box with an incorrect password. You should get the error “Permission denied, please try again”.

Now check the user’s login attempts using the pam_tally2 command:

# pam_tally2 -u geek
Login   Failures   Latest failure       From
geek       3       06/14/14 02:01:25

Now reset or unlock the user’s account using the pam_tally2 command:

# pam_tally2 --user geek --reset
Login    Failures Latest failure       From
geek      4       06/14/14 02:20:42

Now verify whether the login attempt count has been reset:

# pam_tally2 --user geek 
Login           Failures Latest failure     From
geek            0