
Multiple consecutive incorrect password accesses to Linux instances through SSH

Last Updated: Dec 14, 2020

Disclaimer: This article may contain information about third-party products. Such information is for reference only. Alibaba Cloud does not make any guarantee, express or implied, with respect to the performance and reliability of third-party products, as well as potential impacts of operations on the products.

 

Problem description

This topic describes how to handle the "Maximum amount of failed attempts was reached" error when you log on to a Linux instance through SSH.

 

Possible cause

Several consecutive incorrect passwords were entered for the account. This exceeds the failure limit enforced by the PAM lockout module (pam_tally2, or pam_tally on older systems) that is configured on the instance, and the account is locked.

Note:

  • PAM (Pluggable Authentication Modules) is an authentication framework originally proposed by Sun Microsystems. It provides a set of dynamically loaded libraries and a unified API that separate a service from the way its users are authenticated. System administrators can therefore configure different authentication methods for different services, and add new methods, without changing the service programs.
  • If the PAM lockout policy also applies to the root user (the even_deny_root option), a locked root account can log on neither through the management terminal in the ECS console nor through SSH. The system prompts "Your account is locked. Maximum amount of failed attempts was reached." In this case you must log on to the instance in single-user mode through the management terminal and unlock the root user there.

 

Solution

Alibaba Cloud reminds you that:

  • Before you perform operations that may cause risks, such as modifying instance configurations or data, we recommend that you check the disaster recovery and fault tolerance capabilities of the instances to ensure data security.
  • If you modify the configurations and data of instances including but not limited to ECS and RDS instances, we recommend that you create snapshots or enable RDS log backup.
  • If you have authorized or submitted security information such as the logon account and password in the Alibaba Cloud Management console, we recommend that you modify such information in a timely manner.

Depending on whether the root user is locked, there are two solutions; the steps are described below. The configurations and descriptions in this article were tested on CentOS 7.6 64-bit and CentOS 5 64-bit. The configuration of other operating system types and versions may differ. For more information, see the official documentation of your operating system.

 

Method 1: when the root user is not locked

  1. Log on to the Linux instance as the root user, for example through the management terminal in the ECS console, and run the following command to view the global PAM configuration file of the system.
    cat /etc/pam.d/system-auth
  2. Run the following command to view the PAM configuration file for local console logons.
    cat /etc/pam.d/login
  3. Run the following command to view the PAM configuration file of the SSH service.
    cat /etc/pam.d/sshd
  4. Use vi or vim to edit the files that contain a pam_tally2 or pam_tally line, and comment out, modify, or delete that line in each of them. Keep your current session open and verify from a second session after each change, so that a typo in a PAM file cannot lock you out. Commenting out or deleting the line disables account lockout entirely; if the instance accepts SSH logons from the Internet, prefer relaxing the policy (a higher deny value and a finite unlock_time) over removing it.
    Note: The following shows each line before and after it is commented out.
    Before:
    auth required pam_tally2.so deny=3 unlock_time=5
    After:
    # auth required pam_tally2.so deny=3 unlock_time=5

    Before:
    auth required pam_tally.so onerr=fail no_magic_root
    After:
    # auth required pam_tally.so onerr=fail no_magic_root

    Before:
    auth required pam_tally2.so deny=5 lock_time=30 unlock_time=10 even_deny_root root_unlock_time=10
    After:
    # auth required pam_tally2.so deny=5 lock_time=30 unlock_time=10 even_deny_root root_unlock_time=10
    Note:
    • These examples use the pam_tally2 module. If pam_tally2 is not available on your system, the older pam_tally module is used instead. The available options differ between PAM versions; see the man page of the module (man pam_tally2) for the exact syntax.
    • Both pam_tally and pam_tally2 control the account lockout policy. The difference is that pam_tally2 adds automatic unlocking after a configurable time (unlock_time).
    • On systems with Linux-PAM 1.5.0 or later, pam_tally2 has been removed and the lockout policy is implemented by pam_faillock instead; its options and its faillock command differ from what is shown here.
    • deny: the maximum number of consecutive failed logon attempts. When it is exceeded, the user is locked. The limit applies to the root user only if even_deny_root is also set.
    • even_deny_root: also lock the root user when the deny limit is exceeded. Without this option, root is never locked.
    • lock_time: the number of seconds during which every logon attempt is denied after a failed attempt, regardless of the failure count.
    • unlock_time: the number of seconds after which a locked common user is unlocked automatically. If it is not set, the user stays locked until an administrator resets the counter with pam_tally2 -u USER -r.
    • root_unlock_time: the same as unlock_time, but for the root user. It takes effect only together with even_deny_root.
  5. Use SSH on the client to remotely test the connection.

 

Method 2: when the root user is locked

  1. Log on to the instance in single-user mode through the management terminal. In single-user mode, run the following commands in sequence to unlock the root user manually.
    pam_tally2 -u root
    Displays the number of consecutive failed logon attempts recorded for the root user.
    pam_tally2 -u root -r
    Resets the failure counter of the root user to zero, which unlocks the account.
    authconfig --disableldap --update
    Regenerates the PAM configuration files that authconfig manages (for example /etc/pam.d/system-auth-ac and password-auth-ac), so a pam_tally2 line that was added directly to those generated files is overwritten. Note that --disableldap also turns off LDAP authentication; omit that option if the instance authenticates users against LDAP.
  2. Restart the instance normally, then modify the corresponding PAM configuration files as described in Method 1 so that the root user is not locked again.
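The following shell helpers are an added example for both methods above; they are not part of the Alibaba Cloud article and are not an Alibaba Cloud tool. They take file paths and command output as arguments, so they can be tried on a constructed copy of a PAM file and on a constructed sample of the table that pam_tally2 -u prints (header line "Login  Failures  Latest failure  From") without touching /etc/pam.d. The function names, the sample PAM file, and the sample pam_tally2 output are all my own constructions.

```shell
#!/bin/bash
# Added example (not from the article): audit the pam_tally/pam_tally2 lockout
# policy, relax it instead of deleting it (Method 1), and read the failure
# counter table printed by "pam_tally2 -u USER" (Method 2). All inputs are
# arguments; nothing here writes to /etc/pam.d unless you pass those paths.

# Method 1 helper: list active (uncommented) pam_tally / pam_tally2 lines.
pam_lockout_lines() {                # args: one or more PAM files
    grep -H -E '^[[:space:]]*(auth|account)[[:space:]]+[a-z]+[[:space:]]+pam_tally2?\.so' "$@"
}

# Read one numeric option (deny, unlock_time, root_unlock_time, ...) from a PAM
# line; prints nothing if absent. The "start or whitespace" anchor keeps
# "unlock_time" from matching inside "root_unlock_time".
pam_option() {                       # args: option name, PAM line
    printf '%s\n' "$2" | grep -o -E "(^|[[:space:]])$1=[0-9]+" | head -n 1 | sed -E 's/.*=//'
}

# Describe the effective policy of one pam_tally2 line in plain words.
pam_policy_summary() {               # arg: PAM line
    local line="$1" deny unlock root="no"
    deny=$(pam_option deny "$line")
    unlock=$(pam_option unlock_time "$line")
    case "$line" in *even_deny_root*) root="yes" ;; esac
    # No unlock_time means the lock is permanent until "pam_tally2 -u USER -r".
    printf 'deny=%s unlock_time=%s root_locked_too=%s\n' \
        "${deny:-unset}" "${unlock:-never}" "$root"
}

# Method 1, the safer variant of "comment out or delete": keep the lockout but
# make it tolerant and self-healing. Rewrites every "auth ... pam_tally2.so"
# line in FILE to the given deny/unlock_time and drops even_deny_root, so a
# mistake can never lock root out of the console. FILE.bak keeps the original.
pam_relax_lockout() {                # args: file, deny, unlock_time (seconds)
    sed -E -i.bak \
        "s|^([[:space:]]*auth[[:space:]]+[a-z]+[[:space:]]+pam_tally2\.so).*|\1 deny=$2 unlock_time=$3|" \
        "$1"
}

# Method 2 helper: parse the table printed by "pam_tally2 -u USER" and print
# the failure count for USER (0 if the user has no record).
pam_tally_failures() {               # args: user, captured pam_tally2 output
    local n
    n=$(printf '%s\n' "$2" | awk -v u="$1" 'NR > 1 && $1 == u { print $2 }')
    printf '%s\n' "${n:-0}"
}

# True when USER is currently locked, i.e. failures >= deny.
pam_is_locked() {                    # args: user, deny, captured pam_tally2 output
    [ "$(pam_tally_failures "$1" "$3")" -ge "$2" ]
}

# Constructed sample data so the helpers can be tried without a real instance.
write_sample_pam_file() {            # arg: path to create (constructed content)
    cat > "$1" <<'EOF'
#%PAM-1.0
auth required pam_env.so
auth required pam_tally2.so deny=3 unlock_time=5 even_deny_root root_unlock_time=10
auth sufficient pam_unix.so nullok try_first_pass
account required pam_tally2.so
account required pam_unix.so
EOF
}
# Constructed sample of "pam_tally2 -u root" output; the IP is a documentation address.
SAMPLE_TALLY_OUTPUT='Login           Failures Latest failure     From
root                4    12/14/20 10:21:33  203.0.113.7'

# Typical use on a live instance (keep an existing SSH session open while editing):
#   pam_lockout_lines /etc/pam.d/system-auth /etc/pam.d/login /etc/pam.d/sshd
#   pam_relax_lockout /etc/pam.d/sshd 10 600
#   pam_is_locked root 3 "$(pam_tally2 -u root)" && pam_tally2 -u root -r
```

Running pam_lockout_lines over the three files from Method 1 shows exactly which line enforces the lock; pam_relax_lockout replaces it with a policy that still throttles password guessing but recovers on its own. The parsing helpers only understand the two-row table that pam_tally2 -u prints; on systems that use pam_faillock, the faillock command prints a different format.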

 

Reference

For more information about PAM authentication, see the following official documents.

 

Application scope

  • ECS