5.5.2 Ensure lockout for failed password attempts is configured

Information

Lock out users after n unsuccessful consecutive login attempts.

- deny=<n> - Number of attempts before the account is locked
- unlock_time=<n> - Time in seconds before the account is unlocked

Note: The maximum configurable value for unlock_time is 604800

Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems.

Solution

Set password lockouts and unlock times to conform to site policy. deny should be no greater than 5, and unlock_time should be either 0 (never unlock automatically) or 900 seconds or greater.

Depending on the version you are running, follow one of the two methods below.

Versions 8.2 and later:

Edit /etc/security/faillock.conf and update or add the following lines:

deny = 5
unlock_time = 900

Versions 8.0 and 8.1:

Run the following script to update the system-auth and password-auth files. This script will update or add the deny=5 and unlock_time=900 options on the pam_faillock.so auth line.

This script should be modified as needed to follow local site policy.

#!/usr/bin/env bash

# Locate the active custom authselect profile and update both PAM files in it.
for fn in system-auth password-auth; do
   file="/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$fn"
   # deny: replace a non-compliant value (0, or greater than 5) with 5
   if grep -Pq -- '^\h*auth\h+required\h+pam_faillock.so(\h+[^#\n\r]+)?\h+deny=(0|[6-9]|[1-9][0-9]+)\b.*$' "$file"; then
      sed -ri '/pam_faillock.so/s/deny=\S+/deny=5/g' "$file"
   # deny: append deny=5 when the option is missing altogether
   elif ! grep -Pq -- '^\h*auth\h+required\h+pam_faillock.so(\h+[^#\n\r]+)?\h+deny=\d*\b.*$' "$file"; then
      sed -ri 's/^\s*(auth\s+required\s+pam_faillock.so\s+)([^{}#\n\r]+)?\s*(\{.*\})?(.*)$/\1\2\3 deny=5 \4/' "$file"
   fi
   # unlock_time: replace a value below 900 seconds with 900
   if grep -Pq -- '^\h*(auth\h+required\h+pam_faillock.so\h+)([^#\n\r]+)?\h+unlock_time=([1-9]|[1-9][0-9]|[1-8][0-9][0-9])\b.*$' "$file"; then
      sed -ri '/pam_faillock.so/s/unlock_time=\S+/unlock_time=900/g' "$file"
   # unlock_time: append unlock_time=900 when the option is missing
   elif ! grep -Pq -- '^\h*auth\h+required\h+pam_faillock.so(\h+[^#\n\r]+)?\h+unlock_time=\d*\b.*$' "$file"; then
      sed -ri 's/^\s*(auth\s+required\s+pam_faillock.so\s+)([^{}#\n\r]+)?\s*(\{.*\})?(.*)$/\1\2\3 unlock_time=900 \4/' "$file"
   fi
done
authselect apply-changes
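As an added example (not part of the CIS or Tenable text), the following bash helper audits a faillock.conf-style file, as used by the 8.2 and later method, against the policy stated above: deny between 1 and 5, and unlock_time either 0 or between 900 and 604800. The two sample files it writes are constructed for the demonstration only.

```shell
#!/usr/bin/env bash
# Added audit helper (not CIS or Tenable code): checks a faillock.conf-style
# file against the policy above (deny 1..5; unlock_time 0 or 900..604800).

# Print the effective value of KEY in FILE. The last uncommented
# "key = value" line wins; prints nothing if the key is not set.
faillock_get() {
    local key="$1" file="$2"
    sed -nE 's/^[[:space:]]*'"$key"'[[:space:]]*=[[:space:]]*([0-9]+)[[:space:]]*$/\1/p' "$file" | tail -n 1
}

# Return 0 when FILE is compliant, 1 otherwise (reason on stderr).
faillock_check() {
    local file="$1" deny unlock
    deny=$(faillock_get deny "$file")
    unlock=$(faillock_get unlock_time "$file")
    if [ -z "$deny" ] || [ "$deny" -lt 1 ] || [ "$deny" -gt 5 ]; then
        echo "$file: deny='${deny:-unset}', must be 1..5" >&2
        return 1
    fi
    if [ -z "$unlock" ]; then
        echo "$file: unlock_time is unset" >&2
        return 1
    fi
    if [ "$unlock" -ne 0 ] && { [ "$unlock" -lt 900 ] || [ "$unlock" -gt 604800 ]; }; then
        echo "$file: unlock_time=$unlock, must be 0 or 900..604800" >&2
        return 1
    fi
    return 0
}

# Constructed sample files for the demonstration: one weak, one corrected.
demo_dir=$(mktemp -d)
cat > "$demo_dir/weak.conf" <<'EOF'
# deny = 3        <- commented out, must be ignored by the parser
deny = 10
unlock_time = 300
EOF
cat > "$demo_dir/fixed.conf" <<'EOF'
deny = 5
unlock_time = 900
EOF

# weak.conf reports the deny violation; fixed.conf passes silently.
for f in weak fixed; do
    faillock_check "$demo_dir/$f.conf" && echo "$f.conf: compliant"
done
```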

See Also

https://workbench.cisecurity.org/files/3796