Lockout for failed password attempts - password-auth 'auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900'

Information

Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems.

Solution

Set password lockouts to conform to site policy. Many distributions provide tools for updating PAM configuration, consult your documentation for details. If no tooling is provided edit the appropriate /etc/pam.d/ configuration file and add or modify the pam_tally2.so or pam_faillock.so lines as appropriate:

auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900

auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth sufficient pam_unix.so
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900

Notes:
Consult your documentation for the appropriate PAM file and module.
Additional module options may be set, recommendation only covers those listed here.
If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= in the pam_tally2.so or pam_faillock.so module, the user can be unlocked by issuing the command pam_tally2 -u <username> --reset or faillock -u --reset respectively. This command sets the failed count to 0, effectively unlocking the user.
Use of the "audit"keyword may log credentials in the case of user error during authentication. This risk should be evaluated in the context of the site policies of your organization.

See Also

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623.html