Hi All,
I prepared a Centos 6.8 Minimal server, as part of hardening i added PAM
rules under system-auth and password-auth to lock the user account for 30
minutes after 3 failed login attempts.
############system-auth###############
auth required pam_tally2.so deny=3 unlock_time=1800
auth required pam_env.so
auth sufficient pam_unix.so
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account required pam_tally2.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 typepassword
sufficient pam_unix.so sha512 shadow nullok use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond
quiet use_uid
session required pam_unix.so
###################password-auth#########
auth required pam_tally2.so deny=3 unlock_time=1800
auth required pam_env.so
auth sufficient pam_unix.so
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account required pam_tally2.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 typepassword
sufficient pam_unix.so sha512 shadow nullok use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond
quiet use_uid
session required pam_unix.so
#################################################################
Now, *after 3 failed attempts user locked successfully but after 30mins
when i tried with wrong password for first attempt it again got locked. It
should wait for 3 more attempts after unlock, but got locked after first
time,* after unlock. Anyway to correct the logic.
