Harden login security by automatically locking accounts after repeated authentication failures. 21.11.2025 | reading time: 2 min Brute force stops where policy enforces consequence; configure PAM to lock accounts after repeated failures and you remove easy wins for attackers, quickly and deterministically. A concrete example you can run Edit the PAM auth stack (example paths: /etc/pam.d/common-auth or /etc/pam.d/system-auth) and add these lines near the top to enforce a three-failure lockout for 15 minutes: ```auth required pam_faillock.so preauth silent deny=3 unlock_time=900 fail_interval=900 auth [default=die] pam_faillock.so authfail deny=3 unlock_time=900 fail_interval=900 account required pam_faillock.so``` Now try the `faillock` tool to inspect and reset a lock: ```# faillock --user testuser testuser: 3 failures since 2025-11-21 14:05:12; locked # faillock --reset --user testuser # faillock --user testuser no record``` Tune parameters that matter Decide how strict you want to be by adjusting `deny` for maximum failed attempts, `unlock_time` to control lock duration, and `fail_interval` to define the observation window; add `silent` to avoid noisy logs or remove it to increase visibility, and always test with a non-privileged account before rolling out to servers. Complementary defenses to consider Account lockout is one layer: combine it with connection controls and monitoring such as fail2ban for service-level throttling, SSH rate limits and public-key only logins to reduce password exposure, and auditd or syslog aggregation to correlate attempts and spot distributed attacks. Final step and next challenges Enable PAM lockouts on a few test machines, measure false positives, and iterate on values; then automate deployment with your configuration management so the policy scales, and keep learning to design layered Linux defenses and pass certifications like CompTIA Linux+ or LPIC-1 with focused study at bitsandbytes.academy. Join Bits & Bytes Academy First class LINUX exam preparation. security setup utilities
