Setting Deny for Failed Password Attempts

This section describes the procedure for locking a user account after repeated failed password attempts, using the pam_faillock module.

Run the following procedure on every server in the topology:
  1. Log in as admusr on the server.
    login: admusr
    Password: <current admin user password>
  2. Check out the files system-auth and password-auth:
    $ sudo rcstool co /etc/pam.d/system-auth
    $ sudo rcstool co /etc/pam.d/password-auth
  3. Run the following commands:
    $ sudo sed -i --follow-symlinks "/^auth.*sufficient.*pam_unix.so.*/i auth        required      pam_faillock.so preauth silent deny=5 unlock_time=604800 fail_interval=900" /etc/pam.d/system-auth

    $ sudo sed -i --follow-symlinks "/^auth.*sufficient.*pam_unix.so.*/a auth        [default=die] pam_faillock.so authfail deny=5 unlock_time=604800 fail_interval=900" /etc/pam.d/system-auth

    $ sudo sed -i --follow-symlinks "/^account.*required.*pam_unix.so/i account     required      pam_faillock.so" /etc/pam.d/system-auth

    $ sudo sed -i --follow-symlinks "/^auth.*sufficient.*pam_unix.so.*/i auth        required      pam_faillock.so preauth silent deny=5 unlock_time=604800 fail_interval=900" /etc/pam.d/password-auth

    $ sudo sed -i --follow-symlinks "/^auth.*sufficient.*pam_unix.so.*/a auth        [default=die] pam_faillock.so authfail deny=5 unlock_time=604800 fail_interval=900" /etc/pam.d/password-auth

    $ sudo sed -i --follow-symlinks "/^account.*required.*pam_unix.so/i account     required      pam_faillock.so" /etc/pam.d/password-auth
  4. Check in the files system-auth and password-auth:
    $ sudo rcstool ci /etc/pam.d/system-auth
    $ sudo rcstool ci /etc/pam.d/password-auth
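The three sed commands in step 3 only take effect if they land in the right order: the pam_faillock preauth line must come before the "auth sufficient pam_unix.so" line, the authfail line directly after it, and the account line before "account required pam_unix.so" (the options mean: lock after 5 failures within a 900 second window, unlock after 604800 seconds, i.e. 7 days). The script below is an added example, not part of the original procedure or of the product's tooling: it applies the same insertions to a scratch copy of a PAM file and then verifies that order, so the check can be run before and after editing the real files. It assumes GNU sed (for the one-line i/a command form used in the procedure), builds its own constructed sample PAM stack, and skips the insertion if pam_faillock is already present, because re-running the raw sed commands on an already edited file would add duplicate lines.

```shell
#!/bin/sh
# Added example (not the original procedure's code). Assumes GNU sed and a
# PAM file in the stock "auth sufficient pam_unix.so" layout. No sudo,
# rcstool or /etc/pam.d here so it can be run against a scratch copy.

FAILLOCK_OPTS="deny=5 unlock_time=604800 fail_interval=900"

# Write a constructed sample PAM stack (shape of a stock system-auth) to $1.
make_sample_pam() {
  cat > "$1" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     required      pam_permit.so
EOF
}

# Insert the faillock lines exactly as step 3 does, but only once: a file
# that already references pam_faillock is left untouched (idempotency).
apply_faillock() {
  f="$1"
  if grep -q 'pam_faillock.so' "$f"; then
    return 0
  fi
  sed -i "/^auth.*sufficient.*pam_unix.so.*/i auth        required      pam_faillock.so preauth silent $FAILLOCK_OPTS" "$f"
  sed -i "/^auth.*sufficient.*pam_unix.so.*/a auth        [default=die] pam_faillock.so authfail $FAILLOCK_OPTS" "$f"
  sed -i "/^account.*required.*pam_unix.so/i account     required      pam_faillock.so" "$f"
}

# Print the line number of the first line matching pattern $1 in file $2
# (0 when there is no match).
line_of() {
  n=$(grep -n "$1" "$2" | head -n 1 | cut -d: -f1)
  echo "${n:-0}"
}

# Return 0 when the stack is ordered as pam_faillock requires: preauth before
# the pam_unix auth line, authfail directly after it, and the faillock account
# line before the pam_unix account line. Return 1 otherwise.
verify_faillock() {
  f="$1"
  pre=$(line_of '^auth.*pam_faillock.so preauth' "$f")
  unix_auth=$(line_of '^auth.*sufficient.*pam_unix.so' "$f")
  fail=$(line_of '^auth.*pam_faillock.so authfail' "$f")
  acct_fl=$(line_of '^account.*pam_faillock.so' "$f")
  acct_unix=$(line_of '^account.*required.*pam_unix.so' "$f")
  [ "$pre" -gt 0 ] && [ "$unix_auth" -gt 0 ] && [ "$fail" -gt 0 ] || return 1
  [ "$acct_fl" -gt 0 ] && [ "$acct_unix" -gt 0 ] || return 1
  [ "$pre" -lt "$unix_auth" ] || return 1
  [ "$fail" -eq $((unix_auth + 1)) ] || return 1
  [ "$acct_fl" -lt "$acct_unix" ] || return 1
  return 0
}

# Number of pam_faillock lines in the file; exactly 3 after one application.
count_faillock() {
  grep -c 'pam_faillock.so' "$1" || true
}

# Usage on a scratch copy:
#   make_sample_pam /tmp/system-auth.test
#   apply_faillock /tmp/system-auth.test
#   verify_faillock /tmp/system-auth.test && echo "pam_faillock stack OK"
```

To check the real files after step 3, run verify_faillock against /etc/pam.d/system-auth and /etc/pam.d/password-auth (reading them needs no privilege); a count other than 3 from count_faillock indicates the procedure was run more than once or one of the sed patterns did not match the file's layout.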