Linux users are getting locked very frequently?

Jan 29 05:40:41 hklvadapp005 sshd[26279]: Received disconnect from 10.20.225.137: 11: disconnected by user
Jan 29 05:40:41 hklvadapp005 sshd[26275]: pam_unix(sshd:session): session closed for user distadm1
Jan 29 13:26:46 hklvadapp005 sshd[28345]: Accepted keyboard-interactive/pam for npwebmadmn from 10.140.142.40 port 64855 ssh2
Jan 29 13:26:48 hklvadapp005 sshd[28345]: pam_unix(sshd:session): session opened for user npwebmadmn by (uid=0)
Jan 29 13:27:01 hklvadapp005 sshd[28383]: Accepted keyboard-interactive/pam for npwebmadmn from 10.140.142.40 port 64867 ssh2
Jan 29 13:27:02 hklvadapp005 sshd[28383]: pam_unix(sshd:session): session opened for user npwebmadmn by (uid=0)
Jan 29 14:47:37 hklvadapp005 sshd[28383]: pam_unix(sshd:session): session closed for user npwebmadmn
Jan 29 15:09:01 hklvadapp005 sshd[16181]: Accepted keyboard-interactive/pam for npwebmadmn from 10.140.142.40 port 52237 ssh2
Jan 29 15:09:02 hklvadapp005 sshd[16181]: pam_unix(sshd:session): session opened for user npwebmadmn by (uid=0)
Jan 29 15:14:35 hklvadapp005 sshd[17920]: pam_tally2(sshd:auth): user npwebmadmn (5001) tally 10, deny 9
Jan 29 15:32:10 hklvadapp005 sshd[16181]: pam_unix(sshd:session): session closed for user npwebmadmn
Jan 29 16:32:19 hklvadapp005 sshd[2323]: fatal: Read from socket failed: Connection reset by peer [preauth]
Jan 29 16:32:25 hklvadapp005 sshd[2433]: pam_tally2(sshd:auth): user npwebmadmn (5001) tally 12, deny 9
Jan 29 16:32:32 hklvadapp005 sshd[2433]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.140.142.40  user=npwebmadmn
Jan 29 16:32:35 hklvadapp005 sshd[2427]: error: PAM: Authentication failure for npwebmadmn from 10.140.142.40
Jan 29 16:32:36 hklvadapp005 sshd[2440]: pam_tally2(sshd:auth): user npwebmadmn (5001) tally 13, deny 9
Jan 29 16:32:36 hklvadapp005 sshd[2427]: Postponed keyboard-interactive for npwebmadmn from 10.140.142.40 port 55071 ssh2 [preauth]
Jan 29 19:12:25 hklvadapp005 sshd[2918]: Accepted keyboard-interactive/pam for npwebmadmn from 10.128.113.242 port 50885 ssh2
Jan 29 19:12:26 hklvadapp005 sshd[2918]: pam_unix(sshd:session): session opened for user npwebmadmn by (uid=0)
Jan 29 19:27:27 hklvadapp005 sshd[2918]: pam_unix(sshd:session): session closed for user npwebmadmn
Jan 29 21:37:13 hklvadapp005 sshd[28354]: Timeout, client not responding.
Jan 29 21:37:13 hklvadapp005 sshd[28345]: pam_unix(sshd:session): session closed for user npwebmadmn

Jan 30 09:22:38 hklvadapp005 sshd[16257]: Accepted keyboard-interactive/pam for npwebmadmn from 10.128.114.188 port 64556 ssh2
Jan 30 09:22:39 hklvadapp005 sshd[16257]: pam_unix(sshd:session): session opened for user npwebmadmn by (uid=0)
Jan 30 09:25:06 hklvadapp005 sshd[16469]: pam_tally2(sshd:auth): user npwebmadmn (5001) tally 16, deny 9
Jan 30 09:25:15 hklvadapp005 sshd[16464]: error: PAM: Authentication failure for npwebmadmn from 10.128.114.188
Jan 30 09:25:16 hklvadapp005 sshd[16475]: pam_tally2(sshd:auth): user npwebmadmn (5001) tally 17, deny 9
Jan 30 09:25:16 hklvadapp005 sshd[16464]: Postponed keyboard-interactive for npwebmadmn from 10.128.114.188 port 63117 ssh2 [preauth]
Jan 30 09:42:06 hklvadapp005 sshd[16257]: pam_unix(sshd:session): session closed for user npwebmadmn
Jan 30 12:14:49 hklvadapp005 sshd[18713]: Accepted keyboard-interactive/pam for a1549239 from 10.128.114.96 port 51647 ssh2
Jan 30 12:14:49 hklvadapp005 sshd[18713]: pam_unix(sshd:session): session opened for user a1549239 by (uid=0)
Jan 30 12:34:50 hklvadapp005 sshd[18713]: pam_unix(sshd:session): session closed for user a1549239
Jan 30 14:40:06 hklvadapp005 sshd[15809]: Invalid user a1557275 from 10.128.115.165
Jan 30 14:40:06 hklvadapp005 sshd[15809]: input_userauth_request: invalid user a1557275 [preauth]
Jan 30 14:40:09 hklvadapp005 sshd[15830]: pam_tally2(sshd:auth): pam_get_uid; no such user
Jan 30 14:40:09 hklvadapp005 sshd[15809]: Postponed keyboard-interactive for invalid user a1557275 from 10.128.115.165 port 50262 ssh2 [preauth]
Jan 30 14:40:09 hklvadapp005 sshd[15830]: pam_unix(sshd:auth): check pass; user unknown
Jan 30 14:40:09 hklvadapp005 sshd[15830]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.128.115.165
Jan 30 14:40:11 hklvadapp005 sshd[15809]: error: PAM: User not known to the underlying authentication module for illegal user a1557275 from 10.128.115.165
Jan 30 14:40:11 hklvadapp005 sshd[15809]: Failed keyboard-interactive/pam for invalid user a1557275 from 10.128.115.165 port 50262 ssh2
Jan 30 14:40:12 hklvadapp005 sshd[15833]: pam_tally2(sshd:auth): pam_get_uid; no such user
Jan 30 14:40:12 hklvadapp005 sshd[15809]: Postponed keyboard-interactive for invalid user a1557275 from 10.128.115.165 port 50262 ssh2 [preauth]
Jan 30 14:40:12 hklvadapp005 sshd[15833]: pam_unix(sshd:auth): check pass; user unknown
Jan 30 14:40:12 hklvadapp005 sshd[15833]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.128.115.165
Jan 30 14:40:14 hklvadapp005 sshd[15809]: error: PAM: User not known to the underlying authentication module for illegal user a1557275 from 10.128.115.165
Jan 30 14:40:14 hklvadapp005 sshd[15809]: Failed keyboard-interactive/pam for invalid user a1557275 from 10.128.115.165 port 50262 ssh2
Jan 30 14:40:15 hklvadapp005 sshd[15834]: pam_tally2(sshd:auth): pam_get_uid; no such user
Jan 30 14:40:15 hklvadapp005 sshd[15809]: Postponed keyboard-interactive for invalid user a1557275 from 10.128.115.165 port 50262 ssh2 [preauth]
Jan 30 15:05:48 hklvadapp005 sshd[22118]: Accepted keyboard-interactive/pam for npwebmadmn from 10.128.115.165 port 59550 ssh2
Jan 30 15:05:48 hklvadapp005 sshd[22118]: pam_unix(sshd:session): session opened for user npwebmadmn by (uid=0)
Jan 30 15:42:29 hklvadapp005 sshd[22128]: Timeout, client not responding.
Jan 30 15:42:29 hklvadapp005 sshd[22118]: pam_unix(sshd:session): session closed for user npwebmadmn
Jan 30 17:32:33 hklvadapp005 sshd[18218]: Accepted keyboard-interactive/pam for npwebmadmn from 10.128.115.91 port 54911 ssh2
Jan 30 17:32:34 hklvadapp005 sshd[18218]: pam_unix(sshd:session): session opened for user npwebmadmn by (uid=0)
Jan 30 17:39:04 hklvadapp005 sshd[20666]: Invalid user npwedmadmn from 10.140.142.40
Jan 30 17:39:04 hklvadapp005 sshd[20666]: input_userauth_request: invalid user npwedmadmn [preauth]
Jan 30 17:39:07 hklvadapp005 sshd[20675]: pam_tally2(sshd:auth): pam_get_uid; no such user
Jan 30 17:39:07 hklvadapp005 sshd[20666]: Postponed keyboard-interactive for invalid user npwedmadmn from 10.140.142.40 port 63205 ssh2 [preauth]
Jan 30 17:39:07 hklvadapp005 sshd[20675]: pam_unix(sshd:auth): check pass; user unknown
Jan 30 17:39:07 hklvadapp005 sshd[20675]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.140.142.40
Jan 30 17:39:09 hklvadapp005 sshd[20666]: error: PAM: User not known to the underlying authentication module for illegal user npwedmadmn from 10.140.142.40
Jan 30 17:39:09 hklvadapp005 sshd[20666]: Failed keyboard-interactive/pam for invalid user npwedmadmn from 10.140.142.40 port 63205 ssh2
Jan 30 17:39:11 hklvadapp005 sshd[20677]: pam_tally2(sshd:auth): pam_get_uid; no such user
Jan 30 17:39:11 hklvadapp005 sshd[20666]: Postponed keyboard-interactive for invalid user npwedmadmn from 10.140.142.40 port 63205 ssh2 [preauth]
Jan 30 17:39:11 hklvadapp005 sshd[20677]: pam_unix(sshd:auth): check pass; user unknown
Jan 30 17:39:11 hklvadapp005 sshd[20677]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.140.142.40
Jan 30 17:39:13 hklvadapp005 sshd[20666]: error: PAM: User not known to the underlying authentication module for illegal user npwedmadmn from 10.140.142.40
Jan 30 17:39:13 hklvadapp005 sshd[20666]: Failed keyboard-interactive/pam for invalid user npwedmadmn from 10.140.142.40 port 63205 ssh2
Jan 30 17:39:14 hklvadapp005 sshd[20680]: pam_tally2(sshd:auth): pam_get_uid; no such user
Jan 30 17:39:14 hklvadapp005 sshd[20666]: Postponed keyboard-interactive for invalid user npwedmadmn from 10.140.142.40 port 63205 ssh2 [preauth]
Jan 30 17:39:59 hklvadapp005 sshd[20733]: pam_tally2(sshd:auth): user npwebmadmn (5001) tally 20, deny 9
Jan 30 17:49:25 hklvadapp005 sshd[18218]: pam_unix(sshd:session): session closed for user npwebmadmn
Jan 30 18:03:22 hklvadapp005 sshd[26745]: Accepted keyboard-interactive/pam for npwebmadmn from 10.140.142.40 port 63985 ssh2
Jan 30 18:03:23 hklvadapp005 sshd[26745]: pam_unix(sshd:session): session opened for user npwebmadmn by (uid=0)
Jan 30 18:03:42 hklvadapp005 sshd[26813]: pam_tally2(sshd:auth): user npwebmadmn (5001) tally 22, deny 9
Jan 30 18:04:00 hklvadapp005 sshd[26828]: pam_tally2(sshd:auth): user npwebmadmn (5001) tally 23, deny 9
Jan 30 18:04:08 hklvadapp005 sshd[26822]: error: PAM: Authentication failure for npwebmadmn from 10.140.142.40
Jan 30 18:04:08 hklvadapp005 sshd[26840]: pam_tally2(sshd:auth): user npwebmadmn (5001) tally 24, deny 9
Jan 30 18:04:08 hklvadapp005 sshd[26822]: Postponed keyboard-interactive for npwebmadmn from 10.140.142.40 port 64040 ssh2 [preauth]
Jan 30 18:04:21 hklvadapp005 sshd[26822]: error: PAM: Authentication failure for npwebmadmn from 10.140.142.40
Jan 30 18:04:21 hklvadapp005 sshd[26822]: Failed keyboard-interactive/pam for npwebmadmn from 10.140.142.40 port 64040 ssh2
Jan 30 18:04:22 hklvadapp005 sshd[26850]: pam_tally2(sshd:auth): user npwebmadmn (5001) tally 25, deny 9
Jan 30 18:04:22 hklvadapp005 sshd[26822]: Postponed keyboard-interactive for npwebmadmn from 10.140.142.40 port 64040 ssh2 [preauth]
Jan 30 18:05:12 hklvadapp005 sshd[26906]: Accepted publickey for devops from 10.23.216.164 port 55702 ssh2: RSA 11:e4:3d:68:12:f8:1f:0d:e2:aa:31:62:bf:c1:12:a5



The user npwebmadmn is getting locked automatically very frequently, but when I execute the command below it is getting unlocked automatically?

pam_tally2  --user=npwebmadmn --reset


So is there anywhere I need to change pam_tally2 settings to avoid this? Please suggest.
BharathKumarRaju DasaraRajuDevops EngineerAsked:
remeshk Commented:
Have you reset this user's password recently?

From the logs we could see the user npwedmadmn is logging in from multiple servers like 10.140.142.40, 10.128.115.91, 10.128.115.165.

Also, please make sure you have not hard-coded the user password in any script or monitoring, etc.
0
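Following the suggestion above to look at which hosts the failed logins come from, this added example (not part of the original thread) parses sshd and pam_tally2 lines in the format shown in the question and reports, per user, the peak tally against the deny limit and the source addresses that failed. The sample lines, user names, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the same /var/log/secure format as the question.
SAMPLE = """\
Jan 29 16:32:25 host1 sshd[2433]: pam_tally2(sshd:auth): user appadmin (5001) tally 12, deny 9
Jan 29 16:32:32 host1 sshd[2433]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.40  user=appadmin
Jan 29 16:32:35 host1 sshd[2427]: error: PAM: Authentication failure for appadmin from 192.0.2.40
Jan 29 16:32:36 host1 sshd[2440]: pam_tally2(sshd:auth): user appadmin (5001) tally 13, deny 9
Jan 29 19:12:25 host1 sshd[2918]: Accepted keyboard-interactive/pam for appadmin from 192.0.2.242 port 50885 ssh2
Jan 30 09:25:15 host1 sshd[16464]: error: PAM: Authentication failure for appadmin from 192.0.2.188
Jan 30 17:39:04 host1 sshd[20666]: Invalid user appadmim from 192.0.2.40
Jan 30 18:03:22 host1 sshd[26745]: Accepted keyboard-interactive/pam for appadmin from 192.0.2.40 port 63985 ssh2
Jan 30 18:04:08 host1 sshd[26822]: error: PAM: Authentication failure for appadmin from 192.0.2.40
"""

TALLY = re.compile(r"pam_tally2\(sshd:auth\): user (\S+) \(\d+\) tally (\d+), deny (\d+)")
# Count only sshd's own "error: PAM" line so the pam_unix line for the same attempt is not double counted.
FAIL = re.compile(r"error: PAM: Authentication failure for (\S+) from (\S+)")
OK = re.compile(r"Accepted \S+ for (\S+) from (\S+)")
INVALID = re.compile(r"Invalid user (\S+) from (\S+)")

def summarize(lines):
    """Return (per-user stats, Counter of invalid-user attempts keyed by (name, source))."""
    users = defaultdict(lambda: {"fail": Counter(), "ok": set(), "tally": 0, "deny": None})
    invalid = Counter()
    for line in lines:
        if m := TALLY.search(line):
            u = users[m[1]]
            u["tally"] = max(u["tally"], int(m[2]))
            u["deny"] = int(m[3])
        elif m := FAIL.search(line):
            users[m[1]]["fail"][m[2]] += 1
        elif m := OK.search(line):
            users[m[1]]["ok"].add(m[2])
        elif m := INVALID.search(line):
            invalid[(m[1], m[2])] += 1   # mistyped or unknown account names
    return dict(users), invalid

def fail_only_sources(stats):
    """Sources that failed but never logged in: check these first for a stale stored password."""
    return sorted(src for src in stats["fail"] if src not in stats["ok"])

def over_limit(stats):
    # pam_tally2 denies access once the tally exceeds deny
    return stats["deny"] is not None and stats["tally"] > stats["deny"]

if __name__ == "__main__":
    users, invalid = summarize(SAMPLE.splitlines())
    for name, s in users.items():
        print(name, s["tally"], s["deny"], over_limit(s), dict(s["fail"]), fail_only_sources(s))
    print(dict(invalid))
```

On a real host, pass the lines of the sshd authentication log to `summarize` instead of `SAMPLE.splitlines()`.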
 
Prabhin MPEngineer-TechOPSCommented:
0
 
BharathKumarRaju DasaraRajuDevops EngineerAuthor Commented:
be


root@hklvadapp005[pam.d] # pwd
/etc/pam.d
root@hklvadapp005[pam.d] # cat system-auth
# lines inserted by Centrify Direct Control { CentrifyDC 5.3.1-411 }
auth    sufficient      pam_centrifydc.so
auth    requisite       pam_centrifydc.so deny
account sufficient      pam_centrifydc.so
account requisite       pam_centrifydc.so deny
session required        pam_centrifydc.so homedir
password        sufficient      pam_centrifydc.so try_first_pass
password        requisite       pam_centrifydc.so deny
#
# Copyright (C) Standard Chartered Bank
# Global Platform Engineering
#
# $URL: http://unixportal/svn/unix/OS_standard_builds/SCBbuild.el7/trunk/post.d/SOURCE/etc/pam.d/system-auth $
#
# $LastChangedBy: 1358674 $
# $LastChangedDate: 2016-09-12 07:03:23 +0000 (Mon, 12 Sep 2016) $
# $LastChangedRevision: 2738 $
#
# %PAM-1.0
#
auth        required      pam_env.so
auth        required      pam_tally2.so deny=9 onerr=fail unlock_time=900
auth        sufficient    pam_unix.so nullok
auth        required      pam_deny.so
#
account     required      pam_unix.so
account     sufficient    pam_localuser.so
#
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=12
password    required      pam_deny.so
#
session     optional      pam_keyinit.so revoke
8session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     required      pam_mkhomedir.so skel=/etc/skel umask=0022
root@hklvadapp005[pam.d] #





root@hklvadapp005[pam.d] # cat password-auth
# lines inserted by Centrify Direct Control { CentrifyDC 5.3.1-411 }
auth    sufficient      pam_centrifydc.so
auth    requisite       pam_centrifydc.so deny
account sufficient      pam_centrifydc.so
account requisite       pam_centrifydc.so deny
session required        pam_centrifydc.so homedir
password        sufficient      pam_centrifydc.so try_first_pass
password        requisite       pam_centrifydc.so deny
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
root@hklvadapp005[pam.d] #


0
 
BharathKumarRaju DasaraRajuDevops EngineerAuthor Commented:
Any idea guys?
0
 
BharathKumarRaju DasaraRajuDevops EngineerAuthor Commented:
Yes, it is fixed now.
0
Question has a verified solution.
