5.3.3.1.1 Ensure password failed attempts lockout is configured

Information

The deny=<n> option will deny access if the number of consecutive authentication failures for this user during the recent interval exceeds

.

Locking out user IDs after

n

unsuccessful consecutive login attempts mitigates brute force password attacks against your systems.

Solution

Create or edit the following line in /etc/security/faillock.conf setting the deny option to 5 or less:

deny = 5

Run the following command:

# grep -Pl -- 'bpam_faillock.soh+([^#
r]+h+)?denyb' /usr/share/pam-configs/*

Edit any returned files and remove the deny=<N> arguments from the pam_faillock.so line(s):

See Also

https://workbench.cisecurity.org/benchmarks/17074