What should I do if the error "Maximum amount of failed attempts was reached" is displayed?
Problem Description
When you use an SSH client to connect remotely to a Linux ECS instance, the error "Maximum amount of failed attempts was reached" is displayed.
Problem Causes
Entering a wrong password several times in a row triggers the lockout policy enforced by the system's PAM module (pam_tally2 or pam_tally), so the user is locked out and cannot connect to the ECS instance remotely.
Note: three PAM configuration files on Linux matter for SSH. If one of them contains a lockout rule such as auth required pam_tally2.so deny=3 unlock_time=50, a user who enters a wrong password three times in a row is locked out and can connect to the ECS instance again only after 50 seconds. Whether root is covered depends on the even_deny_root option: without it, pam_tally2 counts root's failures but does not lock root.
/etc/pam.d/login: PAM configuration for console login, which is what a VNC connection goes through.
/etc/pam.d/sshd: PAM configuration for the SSH service.
/etc/pam.d/system-auth: system-wide PAM configuration, included by both sshd and login (on Debian and Ubuntu the equivalent file is /etc/pam.d/common-auth).
Solution
Choose the solution according to whether the root user is locked out:
• The root user is not locked out
• The root user is locked out
The root user is not locked out
This article uses commenting out the lockout rule in the global PAM configuration file (/etc/pam.d/system-auth) as an example. The procedure for /etc/pam.d/sshd or /etc/pam.d/login is the same.
1. Connect to the instance as the root user through VNC.
2. Run the following command to check whether the PAM configuration file contains a lockout rule.
cat /etc/pam.d/system-auth
If the output contains a line such as auth required pam_tally2.so deny=3 unlock_time=50, users who enter a wrong password three times in a row are locked out and must wait 50 seconds before they can connect to the ECS instance again.
3. Modify the system-auth configuration file.
a. Run the following command to open the system-auth configuration file.
vim /etc/pam.d/system-auth
b. Press i to enter edit mode.
c. Comment out, modify, or delete the rule according to your needs.
This article takes commenting out the line as an example.
auth required pam_tally2.so deny=3 unlock_time=50 # Original: lock after three consecutive wrong passwords and unlock automatically after 50 seconds (root is affected only if even_deny_root is also set).
#auth required pam_tally2.so deny=3 unlock_time=50 # After commenting out.
d. Press Esc, type :wq and press Enter to save the file and exit.
Note
The pam_tally2 module is used here. If pam_tally2 is not available, the older pam_tally module can be used instead. Both modules were removed in Linux-PAM 1.5.0, so on newer distributions (for example CentOS/RHEL 8 and later, Debian 12, Ubuntu 24.04) the equivalent rule uses pam_faillock.so and the counter is reset with faillock --user USER --reset. Option names also differ between PAM versions; check the man page of the module in use, and see the Linux PAM SAG for details.
Both pam_tally2 and pam_tally implement account lockout. pam_tally2 adds automatic unlocking after unlock_time (pam_tally keeps the account locked until the counter is reset manually) and stores its counters in /var/log/tallylog instead of /var/log/faillog.
even_deny_root: also apply the lockout to the root user (by default pam_tally2 does not lock root).
deny: maximum number of consecutive failed logins; once it is exceeded, the user is locked.
unlock_time: number of seconds after which a locked ordinary user is automatically unlocked. If omitted, the account stays locked until the counter is reset manually.
root_unlock_time: number of seconds after which a locked root user is automatically unlocked (this option implies even_deny_root).
4. Connect to the instance remotely again. If the error no longer occurs, the problem is fixed.
The root user is locked out
1. Boot the instance into single-user mode and log in on the console.
2. Run the following commands in sequence to unlock the root user.
pam_tally2 -u root # Show how many times the root user has entered a wrong password.
pam_tally2 -u root -r # Reset the root user's counter of consecutive failures.
authconfig --disableldap --update # Regenerate the PAM configuration with authconfig (CentOS/RHEL 7 and earlier). Note that this rewrites /etc/pam.d/system-auth from authconfig's own settings, discarding manual edits, and turns off LDAP authentication; skip it if the instance authenticates against LDAP.
3. Restart the instance.
4. Comment out, modify, or delete the lockout rule in the corresponding PAM configuration file, as described in the previous section.
5. Connect to the instance remotely again. If the error no longer occurs, the problem is fixed.
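The steps in both sections (find the lockout rule, comment it out, reset the failure counter) as one added shell example. This script is not part of the original article or of Alibaba Cloud's tooling; it assumes a sed that accepts -E (GNU or BSD), and that pam_tally2 or faillock is installed for the reset step. The functions take a file path so they can be tried on a copy before the real /etc/pam.d files are touched; the demo at the end runs on a constructed copy of system-auth.

```shell
#!/bin/sh
# Added example, not from the original article: inspect, disable and reset a
# pam_tally2/pam_tally lockout. File-path arguments let you test on a copy.

# Print the lockout policy from the first active pam_tally2/pam_tally auth
# line in FILE as "deny=N unlock_time=S root_unlock_time=S root_locked=yes|no",
# or "none" if the file has no such uncommented line.
pam_lockout_policy() {
    file=$1
    line=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_tally2?\.so' "$file" | head -n 1)
    if [ -z "$line" ]; then
        echo "none"
        return 0
    fi
    deny=$(printf '%s\n' "$line" | sed -n 's/.*[[:space:]]deny=\([0-9]*\).*/\1/p')
    unlock=$(printf '%s\n' "$line" | sed -n 's/.*[[:space:]]unlock_time=\([0-9]*\).*/\1/p')
    root_unlock=$(printf '%s\n' "$line" | sed -n 's/.*[[:space:]]root_unlock_time=\([0-9]*\).*/\1/p')
    # pam_tally2 leaves root alone unless even_deny_root is given;
    # root_unlock_time implies even_deny_root.
    case " $line " in
        *" even_deny_root "*|*" root_unlock_time="*) root_locked=yes ;;
        *) root_locked=no ;;
    esac
    # No unlock_time means the lock stays until the counter is reset by hand.
    echo "deny=${deny:-0} unlock_time=${unlock:-never} root_unlock_time=${root_unlock:-${unlock:-never}} root_locked=$root_locked"
}

# Comment out every active pam_tally2/pam_tally auth line in FILE, keeping a
# timestamped backup beside it. Returns 0 when no active line remains.
disable_pam_lockout() {
    file=$1
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    tmp=$(mktemp)
    sed -E 's/^([[:space:]]*auth[[:space:]].*pam_tally2?\.so.*)$/#\1/' "$file" > "$tmp"
    cat "$tmp" > "$file"    # overwrite in place so owner and mode are kept
    rm -f "$tmp"
    ! grep -qE '^[[:space:]]*auth[[:space:]].*pam_tally2?\.so' "$file"
}

# Show and reset the failed-login counter for USER with whatever the system
# provides: pam_tally2 on older systems, faillock where pam_faillock replaced
# it (pam_tally2 was removed in Linux-PAM 1.5). Must be run as root.
reset_tally() {
    user=$1
    if command -v pam_tally2 >/dev/null 2>&1; then
        pam_tally2 -u "$user"       # current count
        pam_tally2 -u "$user" -r    # reset to zero
    elif command -v faillock >/dev/null 2>&1; then
        faillock --user "$user"
        faillock --user "$user" --reset
    else
        echo "neither pam_tally2 nor faillock found" >&2
        return 1
    fi
}

# Demo on a constructed copy of system-auth, never on the live file.
demo=$(mktemp -d)
cat > "$demo/system-auth" <<'EOF'
auth        required      pam_env.so
auth        required      pam_tally2.so deny=3 unlock_time=50
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
EOF
echo "before: $(pam_lockout_policy "$demo/system-auth")"
disable_pam_lockout "$demo/system-auth"
echo "after:  $(pam_lockout_policy "$demo/system-auth")"
rm -rf "$demo"
```

On a locked instance, run `pam_lockout_policy /etc/pam.d/system-auth` (and the sshd and login files) first to see what the rule actually does; `root_locked=no` means root cannot be the account that is locked, so look for the real cause elsewhere. `disable_pam_lockout` leaves a backup next to the file so the rule can be restored once the lockout is understood, and `reset_tally root` replaces the manual pam_tally2 -u root -r step on systems that have moved to pam_faillock.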