faillock: clearing authentication failure records to fix a failed Linux login

Symptoms:
Logging in to Linux with the oracle account fails even though the password is correct.

Debug:
root@linuxvm01:/root % tail -f /var/log/secure
Oct 2 07:33:03 linuxvm01 adminsrvr[49581]: 2019-10-02T07:33:03.342+0000 INFO | 'oggadmin' IS authorized for 'user' role by HTTP.
Oct 2 07:33:14 linuxvm01 unix_chkpwd[18549]: password check failed for user (oracle)
Oct 2 07:33:14 linuxvm01 sshd[18493]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.16.158.249 user=oracle
Oct 2 07:33:14 linuxvm01 sshd[18493]: pam_faillock(sshd:auth): Consecutive login failures for user oracle account temporarily locked
Oct 2 07:33:16 linuxvm01 sshd[18493]: Failed password for oracle from 10.16.158.249 port 54864 ssh2
Oct 2 07:33:32 linuxvm01 sshd[18493]: Connection closed by 10.16.158.249 port 54864 [preauth]

Oct 2 07:43:20 linuxvm01 passwd: pam_unix(passwd:chauthtok): password changed for oracle
Oct 2 07:43:22 linuxvm01 su: pam_unix(su-l:session): session closed for user root
Oct 2 07:43:22 linuxvm01 sudo: pam_unix(sudo:session): session closed for user root
Oct 2 07:43:23 linuxvm01 sudo: sha340 : TTY=pts/2 ; PWD=/home/sha340 ; USER=root ; COMMAND=/usr/bin/su - root
Oct 2 07:43:23 linuxvm01 sudo: pam_unix(sudo:session): session opened for user root by sha340(uid=0)
Oct 2 07:43:23 linuxvm01 su: pam_unix(su-l:session): session opened for user root by sha340(uid=0)
Oct 2 07:43:25 linuxvm01 su: pam_unix(su-l:session): session closed for user root
Oct 2 07:43:25 linuxvm01 sudo: pam_unix(sudo:session): session closed for user root
Oct 2 07:44:01 linuxvm01 crond[27883]: pam_succeed_if(crond:account): requirement "uid = 0" not met by user "oracle"

Oct 2 07:51:13 linuxvm01 sshd[33879]: Failed password for oracle from 10.22.101.32 port 52935 ssh2
Oct 2 07:51:13 linuxvm01 sshd[33879]: error: Received disconnect from 10.22.101.32 port 52935:13: Unable to authenticate [preauth]
Oct 2 07:51:13 linuxvm01 sshd[33879]: Disconnected from 10.22.101.32 port 52935 [preauth]
Oct 2 07:51:53 linuxvm01 sshd[34123]: Failed password for oracle from 10.22.101.32 port 52947 ssh2
Oct 2 07:51:53 linuxvm01 sshd[34123]: error: Received disconnect from 10.22.101.32 port 52947:13: Unable to authenticate [preauth]
Oct 2 07:51:53 linuxvm01 sshd[34123]: Disconnected from 10.22.101.32 port 52947 [preauth]
Oct 2 07:52:01 linuxvm01 crond[34199]: pam_succeed_if(crond:account): requirement "uid = 0" not met by user "oracle"

root@linuxvm01:/root % ls -l /var/run/faillock
total 16
-rw-------. 1 in00217h root 64 Sep 23 15:12 in00217h
-rw-------. 1 in01341s in01341s 64 Sep 29 06:09 in01341s
-rw-------. 1 itimagt itimagt 576 Sep 27 23:00 itimagt
-rw-------. 1 oracle root 320 Oct 2 07:33 oracle
root@linuxvm01:/root % faillock --user oracle
oracle:
When Type Source Valid
2019-10-02 07:31:11 RHOST 10.16.158.249 V
2019-10-02 07:31:36 RHOST 10.16.158.249 V
2019-10-02 07:31:47 RHOST 10.16.158.249 V
2019-10-02 07:32:36 RHOST 10.16.158.249 V
2019-10-02 07:33:14 RHOST 10.16.158.249 V

Solution:
# faillock --user aaronkilik --reset   # clears the failure records for one user
OR
# faillock --reset   # clears all authentication failure records

root@linuxvm01:/root % faillock --user oracle reset
faillock: Unknown option: reset
Usage: faillock [--dir /path/to/tally-directory] [--user username] [--reset]
root@linuxvm01:/root % faillock --user oracle --reset
root@linuxvm01:/root % ls -l /var/run/faillock
total 12
-rw-------. 1 in00217h root 64 Sep 23 15:12 in00217h
-rw-------. 1 in01341s in01341s 64 Sep 29 06:09 in01341s
-rw-------. 1 itimagt itimagt 576 Sep 27 23:00 itimagt
-rw-------. 1 oracle root 0 Oct 2 08:21 oracle

root@linuxvm01:/root % tail -f /var/log/secure
Oct 2 08:22:03 linuxvm01 adminsrvr[49581]: 2019-10-02T08:22:03.854+0000 INFO | 'oggadmin' IS authorized for 'user' role by HTTP.
Oct 2 08:22:03 linuxvm01 adminsrvr[49581]: 2019-10-02T08:22:03.870+0000 INFO | 'oggadmin' IS authorized for 'user' role by HTTP.
Oct 2 08:22:03 linuxvm01 adminsrvr[49581]: 2019-10-02T08:22:03.884+0000 INFO | 'oggadmin' IS authorized for 'user' role by HTTP.
Oct 2 08:22:03 linuxvm01 adminsrvr[49581]: 2019-10-02T08:22:03.900+0000 INFO | 'oggadmin' IS authorized for 'user' role by HTTP.
Oct 2 08:22:10 linuxvm01 sshd[57870]: Address 10.16.158.249 maps to dkn5cg72527m2.crb.apmoller.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Oct 2 08:22:11 linuxvm01 sshd[57870]: Accepted publickey for sha340 from 10.16.158.249 port 57557 ssh2: RSA-CERT ID sha340 (serial 1568622048) CA ECDSA SHA256:M3wwj3b3ZJ5exhK/TSbek/k1tL5enLNqBxdbMMQn1Ps
Oct 2 08:22:11 linuxvm01 sshd[57870]: pam_unix(sshd:session): session opened for user sha340 by (uid=0)
Oct 2 08:22:15 linuxvm01 sudo: sha340 : TTY=pts/2 ; PWD=/home/sha340 ; USER=root ; COMMAND=/usr/bin/su - root
Oct 2 08:22:15 linuxvm01 sudo: pam_unix(sudo:session): session opened for user root by sha340(uid=0)
Oct 2 08:22:15 linuxvm01 su: pam_unix(su-l:session): session opened for user root by sha340(uid=0)
Oct 2 08:22:48 linuxvm01 sshd[57460]: Accepted password for oracle from 10.16.158.249 port 57548 ssh2
Oct 2 08:22:49 linuxvm01 sshd[57460]: pam_unix(sshd:session): session opened for user oracle by (uid=0)

login as: oracle
Kernel \r on an \m
IBM’s internal systems must only be used for conducting IBM’s business or for purposes authorized by IBM management.
Apmoller’s internal systems must only be used for conducting
Apmoller’s business or for purposes authorized by Apmoller or
IBM management.

You should be aware that it may be a criminal offence to secure
unauthorised access to any program or data in the system or
to make any unauthorised modification to its contents.

If your are not authorised by IBM or IBM management to
access this system, please LOGOFF now.

Use is subject to audit at any time by IBM management.
Unauthorized use of this system is prohibited.

oracle@linuxvm01's password:
Last failed login: Wed Oct 2 07:56:41 GMT 2019 from 10.16.158.249 on ssh:notty
There were 4 failed login attempts since the last successful login.
Last login: Wed Oct 2 07:44:52 2019
oracle
oracle@linuxvm01:/home/oracle %
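Before resetting a tally it is worth knowing whether the failures came from the user's own workstation (as here, where 10.16.158.249 is also the admin's source address) or from somewhere else, and whether the tally has actually reached the pam_faillock deny= threshold. The following shell script is an added example, not part of the original post: it summarises pam_unix authentication failures from /var/log/secure per user and source host, marks users for which pam_faillock reported a lock, and counts the still-valid (V) entries in `faillock --user` output against the threshold. The log lines and faillock output embedded in it are constructed samples modelled on the ones shown above; the threshold defaults to 3, the pam_faillock default when deny= is not set, and treating count >= deny as locked is an assumption to check against your own PAM configuration.

```shell
#!/bin/sh
# Added example (not from the original post): summarise PAM authentication
# failures from /var/log/secure and interpret a faillock tally against the
# pam_faillock deny= threshold before deciding whether to reset it.

# Constructed sample of /var/log/secure lines, modelled on the ones in the post.
SAMPLE_SECURE='Oct 2 07:31:11 linuxvm01 sshd[18401]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.16.158.249 user=oracle
Oct 2 07:31:36 linuxvm01 sshd[18410]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.16.158.249 user=oracle
Oct 2 07:31:47 linuxvm01 sshd[18420]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.16.158.249 user=oracle
Oct 2 07:33:14 linuxvm01 sshd[18493]: pam_faillock(sshd:auth): Consecutive login failures for user oracle account temporarily locked
Oct 2 07:40:02 linuxvm01 sshd[18600]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.22.101.32 user=sha340
Oct 2 07:44:01 linuxvm01 crond[27883]: pam_succeed_if(crond:account): requirement "uid = 0" not met by user "oracle"'

# Constructed sample of `faillock --user oracle` output; V = valid entry,
# I = invalid (expired or reset) entry.
SAMPLE_FAILLOCK='oracle:
When                Type  Source                                           Valid
2019-10-02 07:31:11 RHOST 10.16.158.249                                    V
2019-10-02 07:31:36 RHOST 10.16.158.249                                    V
2019-10-02 07:31:47 RHOST 10.16.158.249                                    I
2019-10-02 07:32:36 RHOST 10.16.158.249                                    V
2019-10-02 07:33:14 RHOST 10.16.158.249                                    V'

# Read secure-log lines on stdin; print "user failures sources state", one user
# per line, sorted by user. state is LOCKED when pam_faillock reported a lock.
auth_failures_by_user() {
  awk '
    /pam_unix\([^)]*:auth\): authentication failure/ {
      user = ""; host = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^user=/)  user = substr($i, 6)
        if ($i ~ /^rhost=/) host = substr($i, 7)
      }
      if (user == "") next
      count[user]++
      if (host != "" && index(hosts[user], host) == 0)
        hosts[user] = hosts[user] (hosts[user] == "" ? "" : ",") host
    }
    /pam_faillock\([^)]*\): Consecutive login failures for user/ {
      for (i = 1; i <= NF; i++) if ($i == "user") { locked[$(i + 1)] = 1; break }
    }
    END {
      for (u in count) printf "%s %d %s %s\n", u, count[u], (hosts[u] == "" ? "-" : hosts[u]), (u in locked ? "LOCKED" : "ok")
    }' | sort
}

# Read faillock tally output on stdin; print the number of still-valid entries
# (data rows start with a date; the header and "user:" lines are skipped).
faillock_valid_count() {
  awk '/^[0-9][0-9][0-9][0-9]-/ && $NF == "V" { n++ } END { print n + 0 }'
}

# Exit 0 when the tally on stdin has reached the deny= threshold ($1, default 3,
# the pam_faillock default). Assumption: count >= deny means locked; check the
# deny= value actually configured in your PAM stack.
faillock_is_locked() {
  deny="${1:-3}"
  n=$(faillock_valid_count)
  [ "$n" -ge "$deny" ]
}

# Stand-alone demo on the constructed samples.
printf '%s\n' "$SAMPLE_SECURE" | auth_failures_by_user
if printf '%s\n' "$SAMPLE_FAILLOCK" | faillock_is_locked 3; then
  echo "oracle: tally at or over threshold; clear it with: faillock --user oracle --reset"
else
  echo "oracle: tally below threshold; the lock should already have expired"
fi
```

On a live host replace the samples with `faillock --user <name>` and `/var/log/secure` (or `journalctl -u sshd`). A user whose failures all come from one unexpected source, or several users locked from the same address, points at password guessing rather than a forgotten password, and in that case the source is what to deal with before the tally is reset.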

Reference:
https://www.linuxquestions.org/questions/linux-security-4/rhel7-unlocking-user-accounts-after-password-failures-4175541196/
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/identity_management_guide/user-unlock

How to Lock User Accounts After Failed Login Attempts


https://unix.stackexchange.com/questions/298292/putty-access-denied
https://www.linuxquestions.org/questions/linux-newbie-8/ssh-access-denied-860680/
https://www.golinuxhub.com/2014/08/how-to-check-lock-status-of-any-user.html
https://www.thegeekdiary.com/unix-linux-how-to-lock-or-disable-an-user-account/
