The security of your servers probably keeps you up at night. Because of this, you go to great lengths to maximize the security of those machines. Sometimes you pull late nights doing massive hardening of the servers, while sometimes it’s an hour or so researching and applying the latest best practice. However, there are times when we overlook the simple things, which can go a long way to protecting our servers. One such simple possibility is configuring the login mechanism so that it will lock a user out after a set number of failed login attempts.

This can make the difference between an attacker successfully attempting a brute force login, and being prevented from gaining access to your server and its precious data. But how do you set this up? Let me show you.

SEE: Information security policy template download (Tech Pro Research)

What you need

All you need for this is a working CentOS 7 instance and a user with sudo privileges.

Backing up

The first thing to do is back up the necessary configuration files. Should something go awry, you always want to have a working copy. Do this with the commands:

sudo cp /etc/pam.d/password-auth ~/
sudo cp /etc/pam.d/system-auth ~/

The configuration

First, add the following lines to both files:

auth required deny=3 even_deny_root onerr=fail unlock_time=1200
account required

The above line will configure the login security mechanisms to lock a user out for 20 minutes (1,200 seconds) after three failed log in attempts, as well as enable the pam_tally2 module.

To configure this, issue the command:

sudo nano /etc/pam.d/password-auth

In that file, add the first line at the top of the auth section, exactly as shown in Figure A.

Figure A

Next, scroll down to the account section and add the second line at the bottom of that section (see Figure A).

Save and close the file.

Next, issue the command:

sudo nano /etc/pam.d/system-auth

Paste the same lines in the same locations here (in both the auth and account sections). Save and close the file.

At this point, attempt to log in with a user, but fail the log in each time. After the third failed attempt, the user will be locked out for 20 minutes. You can view how many failed attempts a user had, by issuing the command:

sudo pam_tally2 --user=USERNAME

Where USERNAME is the name of the user to check. The results will not only indicate how many times the user has failed a log in, but the time of the latest failure (Figure B).

Figure B

Should you need to unlock a user (before the allotted 10 minutes expires), you can do so with the command:

sudo pam_tally2 --user=USERNAME --reset

Where USERNAME is the name of the user to unlock.

Lock it down

This is a simple way to lock down your CentOS 7 server. With the help of tally2, you can easily prevent unwanted users and attacks from gaining access to your servers. This should be considered a must-do for every CentOS 7 server in your data center.