The silly bit I was missing was just where those lines should actually be placed inside /etc/pam.d/sshd. This works:

    auth       required     pam_sepermit.so
    auth       required     pam_tally2.so deny=3 onerr=fail     << this line here
    auth       include      password-auth
    account    required     pam_nologin.so
    account    required     pam_tally2.so                       << this line here
    account    include      password-auth

Then just run pam_tally2 to see failed logins, and pam_tally2 -u username -r to unlock the user account if it's locked out.

-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Johan Booysen
Sent: 12 January 2011 09:53
To: General Red Hat Linux discussion list
Subject: RE: RHEL6 pam_tally2 lockouts

Hi,

I've tried those settings in /etc/pam.d/sshd, but get the same result: pam_tally2 does tally up failed logon attempts, but never locks out the offending user.

FWIW I also tried adding those lines in the login and system-auth files. When these lines are in the login file, then it behaves exactly the same as above. When added to system-auth, pam_tally2 does not tally up failed logons at all.

I must be missing something really silly somewhere...

Thanks.

-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Mr. Paul M. Whitney
Sent: 12 January 2011 00:25
To: General Red Hat Linux discussion list
Subject: Re: RHEL6 pam_tally2 lockouts

Johan,

I have these lines in my /etc/pam.d/sshd file:

    auth       required     pam_tally2.so deny=3 onerr=fail unlock_time=1800
    account    required     pam_tally2.so per_user

Cheers,
Paul

On Jan 11, 2011, at 8:11 AM, Johan Booysen wrote:

> Paul - thanks very much for your reply.
>
> My understanding was that it should go into the /etc/pam.d/system-auth
> file, but I've tried it in the /etc/pam.d/sshd file and it seems to work
> in terms of logging failed logon attempts in /var/log/tallylog, e.g.
>
>     Login    Failures   Latest failure
>     test     6          01/11/11 12:04:23
>
> However, the account does not get locked out after the specified 3
> number of logon attempts mentioned on the following line:
>
>     auth       required     pam_tally2.so deny=3 onerr=fail
>
> The pam_tally2 man page mentions:
>
>     deny=n    Deny access if tally for this user exceeds n.
>
> Anyone have any idea why the account doesn't get locked?
>
> Regards,
>
> Johan
>
> -----Original Message-----
> From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Mr. Paul M. Whitney
> Sent: 10 January 2011 17:50
> To: General Red Hat Linux discussion list
> Subject: Re: RHEL6 pam_tally2 lockouts
>
> Have you tried putting the entries in /etc/pam.d/ssh instead of
> system-auth?
>
> Paul W.
>
> On Jan 10, 2011, at 10:40, Johan Booysen <johan@xxxxxxxxxxxxxxxxxxxxx> wrote:
>
>> I'm trying to set up a RHEL6 server for sftp access only. So far it
>> works very well, but I can't seem to get pam_tally2 set up to lock user
>> accounts after so many unsuccessful login attempts.
>>
>> As far as I could find out, it should work if I add the following lines
>> to /etc/pam.d/system-auth:
>>
>> Last line in the auth section:
>>
>>     auth       required     pam_tally2.so deny=3 onerr=fail
>>
>> Last line in the account section:
>>
>>     account    required     pam_tally2.so
>>
>> According to the pam_tally2 man page this should log failed attempts in
>> /var/log/tallylog, but when I deliberately log in with nonsense
>> usernames/password, I get absolutely nothing in the tallylog file.
>> Hence running the pam_tally2 command with no options produces no
>> results.
>>
>> /var/log/secure shows me entries such as:
>>
>>     Jan 10 15:16:26 rhel6 sshd[1918]: Failed password for test from 192.x.x.x port 4467 ssh2
>>     Jan 10 15:16:29 rhel6 sshd[1918]: Failed password for test from 192.x.x. port 4467 ssh2
>>     Jan 10 15:16:29 rhel6 sshd[1919]: Disconnecting: Too many authentication failures for test
>>     Jan 10 15:16:29 rhel6 sshd[1918]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mc23.xxxxx.int user=test
>>
>> In /etc/ssh/sshd_config I've got
>>
>>     UsePAM yes
>>     PasswordAuthentication yes
>>     ChallengeResponseAuthentication no
>>
>> I might be missing something silly here, so I'd really appreciate any
>> advice on getting this to work on Red Hat Enterprise Linux 6.
>>
>> Thanks.
>>
>> --
>> redhat-list mailing list
>> unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
>> https://www.redhat.com/mailman/listinfo/redhat-list
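The thread's conclusion is that the pam_tally2 lines only do their job in /etc/pam.d/sshd when they sit above the "include password-auth" line of their section. A PAM line placed after an include only runs if control falls through the included stack, which is why a tally line below the include can count failures without ever enforcing the lockout. The script below is an added example, not code from the list thread or from Red Hat: it lints a PAM service file for exactly that ordering and runs against two constructed sample files (one laid out like Johan's working config, one with the tally lines below the includes). The helper names (pam_line_no, check_tally2_order, check_sshd_pam) are my own; to use it on a real host, source the file and call check_sshd_pam /etc/pam.d/sshd.

```shell
#!/bin/sh
# Added example: lint a PAM service file for pam_tally2 placement.
# Helper names are hypothetical; sample configs below are constructed.

# pam_line_no FILE TYPE MODULE
# Prints the line number of the first non-comment line whose first field
# is TYPE (auth/account/...) and which mentions MODULE; prints nothing if
# no such line exists.
pam_line_no() {
    file=$1; kind=$2; module=$3
    awk -v t="$kind" -v m="$module" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == t && index($0, m)             { print NR; exit }
    ' "$file"
}

# check_tally2_order FILE SECTION
# Returns 0 when SECTION has a pam_tally2.so line that precedes
# "SECTION include password-auth"; returns 1 (with a reason) otherwise.
check_tally2_order() {
    file=$1; section=$2
    tally=$(pam_line_no "$file" "$section" pam_tally2.so)
    incl=$(pam_line_no "$file" "$section" password-auth)
    if [ -z "$tally" ]; then
        echo "$section: no pam_tally2.so line at all"
        return 1
    fi
    if [ -n "$incl" ] && [ "$tally" -gt "$incl" ]; then
        echo "$section: pam_tally2.so (line $tally) comes after the password-auth include (line $incl); move it above the include"
        return 1
    fi
    echo "$section: pam_tally2.so at line $tally precedes the include"
    return 0
}

# check_sshd_pam FILE: both the auth and the account section must pass.
check_sshd_pam() {
    rc=0
    check_tally2_order "$1" auth    || rc=1
    check_tally2_order "$1" account || rc=1
    return $rc
}

# Constructed sample files, not copied from any real host.
GOOD_PAM=$(mktemp); BAD_PAM=$(mktemp)
cat > "$GOOD_PAM" <<'EOF'
#%PAM-1.0
auth       required     pam_sepermit.so
auth       required     pam_tally2.so deny=3 onerr=fail
auth       include      password-auth
account    required     pam_nologin.so
account    required     pam_tally2.so
account    include      password-auth
password   include      password-auth
session    include      password-auth
EOF
cat > "$BAD_PAM" <<'EOF'
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      password-auth
auth       required     pam_tally2.so deny=3 onerr=fail
account    required     pam_nologin.so
account    include      password-auth
account    required     pam_tally2.so
EOF

# Usage: sh check_pam_tally2.sh   (or: check_sshd_pam /etc/pam.d/sshd)
check_sshd_pam "$GOOD_PAM" || echo "unexpected: good config rejected"
check_sshd_pam "$BAD_PAM"  || echo "bad config rejected as expected"
```

The check is deliberately narrow: it does not parse PAM control flags, so it cannot tell you whether deny=3 will actually trigger, only whether the tally lines are where the thread found they need to be. Run it after any edit to /etc/pam.d/sshd and then confirm behaviour the way the thread does, with a few deliberate bad passwords followed by pam_tally2 and pam_tally2 -u username -r.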