How to block ssh users after 3 failed login attempts using pam_tally2.so
1. Edit /etc/pam.d/sshd and add the following line:
auth required pam_tally2.so deny=3 onerr=fail unlock_time=300
The /etc/pam.d/sshd file should then look like this, with the pam_tally2.so line placed before the other auth rules:
#%PAM-1.0
## pam_tally2.so locks the account for 5 minutes after 3 failed login attempts
auth required pam_tally2.so deny=3 onerr=fail unlock_time=300
##
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
2. pam_tally2.so uses the file /var/log/tallylog as the counter for failed logins. To check the counter, run the pam_tally2 command:
[root@nuke]# pam_tally2
Login           Failures Latest failure     From
hacker              6    03/24/11 09:25:56  localhost.localdomain
hacker1             7    03/24/11 10:30:54  localhost.localdomain
3. To reset the counter for a user before the 5-minute ban expires:
# pam_tally2 -r -u hacker1
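Added example (not part of the original how-to): a Python script that reads deny and unlock_time from the pam_tally2.so line in the sshd PAM file and applies them to pam_tally2 output, to report which accounts are still locked out at a given time. The function names and inline sample data are constructed for illustration; it assumes a stored count of deny or more means the next attempt is refused, and that root is exempt unless even_deny_root is set.

```python
from datetime import datetime, timedelta

def tally_options(pam_text):
    """Options of the first 'auth ... pam_tally2.so' line as a dict, or None."""
    for line in pam_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments
        if len(fields) >= 3 and fields[0] == "auth" and fields[2].endswith("pam_tally2.so"):
            return dict(arg.partition("=")[::2] for arg in fields[3:])
    return None

def locked_accounts(pam_text, tally_output, now):
    """Return [(user, failures, time_left)] for accounts locked at 'now'.
    time_left is None when no unlock_time is configured (manual reset needed)."""
    opts = tally_options(pam_text)
    if not opts or int(opts.get("deny") or 0) == 0:
        return []                                 # module absent or no deny limit
    deny = int(opts["deny"])
    unlock = int(opts.get("unlock_time") or 0)
    locked = []
    for line in tally_output.splitlines():
        f = line.split()
        if len(f) < 4 or not f[1].isdigit():
            continue                              # header or blank line
        user, failures = f[0], int(f[1])
        if failures < deny:
            continue
        if user == "root" and "even_deny_root" not in opts:
            continue                              # assumption: root is not locked by default
        last = datetime.strptime(f[2] + " " + f[3], "%m/%d/%y %H:%M:%S")
        if unlock:
            expires = last + timedelta(seconds=unlock)
            if now >= expires:
                continue                          # ban already expired
            locked.append((user, failures, expires - now))
        else:
            locked.append((user, failures, None))
    return locked

# Constructed sample input, taken from the values shown on this page.
SAMPLE_PAM = "auth required pam_tally2.so deny=3 onerr=fail unlock_time=300\n"
SAMPLE_TALLY = """Login Failures Latest failure From
hacker 6 03/24/11 09:25:56 localhost.localdomain
hacker1 7 03/24/11 10:30:54 localhost.localdomain
"""

if __name__ == "__main__":
    for user, n, left in locked_accounts(SAMPLE_PAM, SAMPLE_TALLY, datetime(2011, 3, 24, 10, 32, 0)):
        print(f"{user}: {n} failures, unlocks in {left}")
```

On a live system, feed it the contents of /etc/pam.d/sshd and the output of pam_tally2 run as root, with datetime.now() as the reference time.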