Wednesday, May 12, 2010

Controlling login attempts with PAM (Pluggable Authentication Module)

It is generally a good and sensible practice to lock out a user after a number of failed login attempts, with some exceptions. You don't want to give an intruder unlimited attempts, but you don't want clumsy users pestering you all the time for login resets either. Nor do you want users playing practical jokes, locking out other users by trying to su to a different user's account and failing on purpose.

On Debian, add this line to /etc/pam.d/common-auth:

auth required pam_tally.so onerr=fail no_magic_root

And this line to /etc/pam.d/common-account:

account required pam_tally.so onerr=fail deny=3 reset no_magic_root

On Red Hat, add the above two lines to /etc/pam.d/system-auth. This gives users three chances to log in, then locks them out if they fail. The no_magic_root option is very important -- this prevents the root user from being locked out. In this era of great bootable rescue disks like Knoppix, that's nowhere near the catastrophe it used to be.
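To confirm the lines actually took effect (a package upgrade or a stray edit can comment one out), here is a small POSIX shell audit of those files. It is an added example, not the post's own code; check_tally_line and the sample files it writes are constructed stand-ins for /etc/pam.d/common-auth and common-account.

```shell
#!/bin/sh
# Added example (not the post's code): audit a PAM config file for the pam_tally lockout
# line. check_tally_line reports whether an uncommented line of the given type (auth or
# account) loads pam_tally.so and carries every required option.
#
# check_tally_line FILE TYPE OPTION_PATTERN...   (each pattern is an ERE for one option token)
# Returns 0 if present and complete, 1 if options are missing, 2 if no such line exists.
check_tally_line() {
    ctl_file=$1; ctl_type=$2; shift 2
    # first uncommented TYPE line whose module is pam_tally.so (bare name or full path)
    ctl_line=$(grep -E "^[[:space:]]*${ctl_type}[[:space:]]+(\[[^]]*\]|[a-z_]+)[[:space:]]+(/[^[:space:]]*/)?pam_tally\.so" "$ctl_file" | head -n 1 || true)
    if [ -z "$ctl_line" ]; then
        echo "$ctl_file: no '$ctl_type' line loads pam_tally.so" >&2
        return 2
    fi
    ctl_rc=0
    for ctl_opt in "$@"; do
        if ! printf '%s\n' "$ctl_line" | grep -qE "[[:space:]]${ctl_opt}"'([[:space:]]|$)'; then
            echo "$ctl_file: '$ctl_type' pam_tally line lacks ${ctl_opt}" >&2
            ctl_rc=1
        fi
    done
    return $ctl_rc
}

# Constructed sample files standing in for /etc/pam.d/common-auth and common-account.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
GOOD_AUTH=$SAMPLE_DIR/common-auth
GOOD_ACCOUNT=$SAMPLE_DIR/common-account
BAD_ACCOUNT=$SAMPLE_DIR/common-account.bad
cat > "$GOOD_AUTH" <<'EOF'
auth required pam_tally.so onerr=fail no_magic_root
auth required pam_unix.so nullok_secure
EOF
cat > "$GOOD_ACCOUNT" <<'EOF'
account required pam_tally.so onerr=fail deny=3 reset no_magic_root
EOF
cat > "$BAD_ACCOUNT" <<'EOF'
# account required pam_tally.so onerr=fail deny=3 reset no_magic_root
account required pam_tally.so reset
EOF

check_tally_line "$GOOD_AUTH" auth onerr=fail no_magic_root && echo "common-auth: ok"
check_tally_line "$GOOD_ACCOUNT" account onerr=fail 'deny=[0-9]+' reset no_magic_root && echo "common-account: ok"
check_tally_line "$BAD_ACCOUNT" account onerr=fail 'deny=[0-9]+' no_magic_root || echo "common-account.bad: lockout incomplete"
```

On a real Debian box, point it at /etc/pam.d/common-auth and /etc/pam.d/common-account (or /etc/pam.d/system-auth on Red Hat) instead of the sample files.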

When the offending user has sufficiently soothed your upset sensibilities, restore access this way:

# pam_tally --user doofusfred --reset=0
user doofusfred (1006) had 29

It even tattles on how many times the user tried to log in.




Shaun Mallette's Blog Design by Insight © 2009