Hands-on lab for configuring pam_tally2

Configuring pam_tally2 is super easy because it only requires adding one line to the /etc/pam.d/login file. To make things even easier, you can just copy and paste that line from the example in the pam_tally2 man page. In spite of what I said earlier about bumping the number of failed logins up to 100, we'll keep that number at 4 for now. (I know that you don't want to have to do 100 failed logins in order to demo this.)

1. On either the CentOS or the Ubuntu virtual machine, open the /etc/pam.d/login file for editing. Look for the line that invokes the pam_securetty module. (That should be around line 32 on Ubuntu and around line 2 on CentOS.)

Beneath that line, insert the following line:

        auth required pam_tally2.so deny=4 
        even_deny_root unlock_time=1200

Save the file and exit the editor.

1. For this step, you'll need to log out of your own account because pam_tally2 doesn't work with su. So, log out, and while purposely using the wrong password, attempt to log in to the samson account that you created in the previous lab. Keep doing that until you see the message that the account is locked. Note that when the deny value is set to 4, it will actually take five failed login attempts to lock Samson out.
2. Log back in to your own user account. Run this command and note the output:

        sudo pam_tally2

1. For this step, you'll simulate that you're a help desk worker, and Samson has just called to request that you unlock his account. After verifying that you really are talking to the real Samson, enter the following line:

        sudo pam_tally2 --user=samson --reset
        sudo pam_tally2

1. Now that you've seen how this works, open the /etc/pam.d/login file for editing, and change the deny= parameter from 4 to 100 and save the file.  (This will make your configuration a bit more realistic in terms of modern security philosophy.)