The pam_faillock module was introduced to us in the Technical Notes for Red Hat Enterprise Linux 6.1. And somehow this flew under my radar until now.
BZ#644971
A new pam_faillock module was added to support temporary locking of user accounts in the event of multiple failed authentication
attempts. This new module improves functionality over the existing
pam_tally2 module, as it also allows temporary locking when the
authentication attempts are done over a screen saver.
The Security Guide explains to us how this module should be used in section 2.1.9.5, Account Locking.
Follow these steps to configure account locking:
To lock out any non-root user after three unsuccessful attempts and unlock that user after 10 minutes, add the following lines to the
auth section of the /etc/pam.d/system-auth
and /etc/pam.d/password-auth
files:
auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
Add the following line to the account section of both files specified in the previous step:
account required pam_faillock.so
I've intentionally stopped here because this will provide the functionality that most are looking for. If you wish to include the root user, read on at the link provided.