Secure/Lock accounts with PAM tally2

pam_tally2 is a PAM module to allow interaction in users interface on numbers of failed login attempt it can can reset count on success, can deny access if too many attempts fail.

this module is unique because it  not just reflect remote connection but also reflect the ttys and any system login method as it use PAM

example from tty:


some parameters

  1. deny used to block access of numbers of failed attempts
  2. unlock_time used to to set a time duration for blocked access in seconds
  3. even_deny_root root is excluded by default, you set this parameter to tell tally2 count for root too
  4. root_unlock_time same as unlock_time but  for root only


example PAM config:


to reflect the tty access we have to configure our tally2 module in /etc/pam.d/system-auth


here is our final layout for system auth

to reflect the  remote connections  that use password example sshd

we config our /etc/pam.d/password-auth with tally


notice that we have done 2 things  one in auth interface that verify the account and 2nd one in the account interface to reflect the permissions of the account


here is the  some output of /var/log/secure


as you see tally2 kills the connection 🙂

for manual interaction with tally2 counter

there is a command called pam_tally2

to remove a counter failures



Leave a Reply

Your email address will not be published. Required fields are marked *