Linux users are getting locked very frequently?

Jan 29 05:40:41 hklvadapp005 sshd[26279]: Received disconnect from 10.20.225.137: 11: disconnected by user
Jan 29 05:40:41 hklvadapp005 sshd[26275]: pam_unix(sshd:session): session closed for user distadm1
Jan 29 13:26:46 hklvadapp005 sshd[28345]: Accepted keyboard-interactive/pam for npwebmadmn from 10.140.142.40 port 64855 ssh2
Jan 29 13:26:48 hklvadapp005 sshd[28345]: pam_unix(sshd:session): session opened for user npwebmadmn by (uid=0)
Jan 29 13:27:01 hklvadapp005 sshd[28383]: Accepted keyboard-interactive/pam for npwebmadmn from 10.140.142.40 port 64867 ssh2
Jan 29 13:27:02 hklvadapp005 sshd[28383]: pam_unix(sshd:session): session opened for user npwebmadmn by (uid=0)
Jan 29 14:47:37 hklvadapp005 sshd[28383]: pam_unix(sshd:session): session closed for user npwebmadmn
Jan 29 15:09:01 hklvadapp005 sshd[16181]: Accepted keyboard-interactive/pam for npwebmadmn from 10.140.142.40 port 52237 ssh2
Jan 29 15:09:02 hklvadapp005 sshd[16181]: pam_unix(sshd:session): session opened for user npwebmadmn by (uid=0)
Jan 29 15:14:35 hklvadapp005 sshd[17920]: pam_tally2(sshd:auth): user npwebmadmn (5001) tally 10, deny 9
Jan 29 15:32:10 hklvadapp005 sshd[16181]: pam_unix(sshd:session): session closed for user npwebmadmn
Jan 29 16:32:19 hklvadapp005 sshd[2323]: fatal: Read from socket failed: Connection reset by peer [preauth]
Jan 29 16:32:25 hklvadapp005 sshd[2433]: pam_tally2(sshd:auth): user npwebmadmn (5001) tally 12, deny 9
Jan 29 16:32:32 hklvadapp005 sshd[2433]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.140.142.40  user=npwebmadmn
Jan 29 16:32:35 hklvadapp005 sshd[2427]: error: PAM: Authentication failure for npwebmadmn from 10.140.142.40
Jan 29 16:32:36 hklvadapp005 sshd[2440]: pam_tally2(sshd:auth): user npwebmadmn (5001) tally 13, deny 9
Jan 29 16:32:36 hklvadapp005 sshd[2427]: Postponed keyboard-interactive for npwebmadmn from 10.140.142.40 port 55071 ssh2 [preauth]
Jan 29 19:12:25 hklvadapp005 sshd[2918]: Accepted keyboard-interactive/pam for npwebmadmn from 10.128.113.242 port 50885 ssh2
Jan 29 19:12:26 hklvadapp005 sshd[2918]: pam_unix(sshd:session): session opened for user npwebmadmn by (uid=0)
Jan 29 19:27:27 hklvadapp005 sshd[2918]: pam_unix(sshd:session): session closed for user npwebmadmn
Jan 29 21:37:13 hklvadapp005 sshd[28354]: Timeout, client not responding.
Jan 29 21:37:13 hklvadapp005 sshd[28345]: pam_unix(sshd:session): session closed for user npwebmadmn

Jan 30 09:22:38 hklvadapp005 sshd[16257]: Accepted keyboard-interactive/pam for npwebmadmn from 10.128.114.188 port 64556 ssh2
Jan 30 09:22:39 hklvadapp005 sshd[16257]: pam_unix(sshd:session): session opened for user npwebmadmn by (uid=0)
Jan 30 09:25:06 hklvadapp005 sshd[16469]: pam_tally2(sshd:auth): user npwebmadmn (5001) tally 16, deny 9
Jan 30 09:25:15 hklvadapp005 sshd[16464]: error: PAM: Authentication failure for npwebmadmn from 10.128.114.188
Jan 30 09:25:16 hklvadapp005 sshd[16475]: pam_tally2(sshd:auth): user npwebmadmn (5001) tally 17, deny 9
Jan 30 09:25:16 hklvadapp005 sshd[16464]: Postponed keyboard-interactive for npwebmadmn from 10.128.114.188 port 63117 ssh2 [preauth]
Jan 30 09:42:06 hklvadapp005 sshd[16257]: pam_unix(sshd:session): session closed for user npwebmadmn
Jan 30 12:14:49 hklvadapp005 sshd[18713]: Accepted keyboard-interactive/pam for a1549239 from 10.128.114.96 port 51647 ssh2
Jan 30 12:14:49 hklvadapp005 sshd[18713]: pam_unix(sshd:session): session opened for user a1549239 by (uid=0)
Jan 30 12:34:50 hklvadapp005 sshd[18713]: pam_unix(sshd:session): session closed for user a1549239
Jan 30 14:40:06 hklvadapp005 sshd[15809]: Invalid user a1557275 from 10.128.115.165
Jan 30 14:40:06 hklvadapp005 sshd[15809]: input_userauth_request: invalid user a1557275 [preauth]
Jan 30 14:40:09 hklvadapp005 sshd[15830]: pam_tally2(sshd:auth): pam_get_uid; no such user
Jan 30 14:40:09 hklvadapp005 sshd[15809]: Postponed keyboard-interactive for invalid user a1557275 from 10.128.115.165 port 50262 ssh2 [preauth]
Jan 30 14:40:09 hklvadapp005 sshd[15830]: pam_unix(sshd:auth): check pass; user unknown
Jan 30 14:40:09 hklvadapp005 sshd[15830]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.128.115.165
Jan 30 14:40:11 hklvadapp005 sshd[15809]: error: PAM: User not known to the underlying authentication module for illegal user a1557275 from 10.128.115.165
Jan 30 14:40:11 hklvadapp005 sshd[15809]: Failed keyboard-interactive/pam for invalid user a1557275 from 10.128.115.165 port 50262 ssh2
Jan 30 14:40:12 hklvadapp005 sshd[15833]: pam_tally2(sshd:auth): pam_get_uid; no such user
Jan 30 14:40:12 hklvadapp005 sshd[15809]: Postponed keyboard-interactive for invalid user a1557275 from 10.128.115.165 port 50262 ssh2 [preauth]
Jan 30 14:40:12 hklvadapp005 sshd[15833]: pam_unix(sshd:auth): check pass; user unknown
Jan 30 14:40:12 hklvadapp005 sshd[15833]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.128.115.165
Jan 30 14:40:14 hklvadapp005 sshd[15809]: error: PAM: User not known to the underlying authentication module for illegal user a1557275 from 10.128.115.165
Jan 30 14:40:14 hklvadapp005 sshd[15809]: Failed keyboard-interactive/pam for invalid user a1557275 from 10.128.115.165 port 50262 ssh2
Jan 30 14:40:15 hklvadapp005 sshd[15834]: pam_tally2(sshd:auth): pam_get_uid; no such user
Jan 30 14:40:15 hklvadapp005 sshd[15809]: Postponed keyboard-interactive for invalid user a1557275 from 10.128.115.165 port 50262 ssh2 [preauth]
Jan 30 15:05:48 hklvadapp005 sshd[22118]: Accepted keyboard-interactive/pam for npwebmadmn from 10.128.115.165 port 59550 ssh2
Jan 30 15:05:48 hklvadapp005 sshd[22118]: pam_unix(sshd:session): session opened for user npwebmadmn by (uid=0)
Jan 30 15:42:29 hklvadapp005 sshd[22128]: Timeout, client not responding.
Jan 30 15:42:29 hklvadapp005 sshd[22118]: pam_unix(sshd:session): session closed for user npwebmadmn
Jan 30 17:32:33 hklvadapp005 sshd[18218]: Accepted keyboard-interactive/pam for npwebmadmn from 10.128.115.91 port 54911 ssh2
Jan 30 17:32:34 hklvadapp005 sshd[18218]: pam_unix(sshd:session): session opened for user npwebmadmn by (uid=0)
Jan 30 17:39:04 hklvadapp005 sshd[20666]: Invalid user npwedmadmn from 10.140.142.40
Jan 30 17:39:04 hklvadapp005 sshd[20666]: input_userauth_request: invalid user npwedmadmn [preauth]
Jan 30 17:39:07 hklvadapp005 sshd[20675]: pam_tally2(sshd:auth): pam_get_uid; no such user
Jan 30 17:39:07 hklvadapp005 sshd[20666]: Postponed keyboard-interactive for invalid user npwedmadmn from 10.140.142.40 port 63205 ssh2 [preauth]
Jan 30 17:39:07 hklvadapp005 sshd[20675]: pam_unix(sshd:auth): check pass; user unknown
Jan 30 17:39:07 hklvadapp005 sshd[20675]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.140.142.40
Jan 30 17:39:09 hklvadapp005 sshd[20666]: error: PAM: User not known to the underlying authentication module for illegal user npwedmadmn from 10.140.142.40
Jan 30 17:39:09 hklvadapp005 sshd[20666]: Failed keyboard-interactive/pam for invalid user npwedmadmn from 10.140.142.40 port 63205 ssh2
Jan 30 17:39:11 hklvadapp005 sshd[20677]: pam_tally2(sshd:auth): pam_get_uid; no such user
Jan 30 17:39:11 hklvadapp005 sshd[20666]: Postponed keyboard-interactive for invalid user npwedmadmn from 10.140.142.40 port 63205 ssh2 [preauth]
Jan 30 17:39:11 hklvadapp005 sshd[20677]: pam_unix(sshd:auth): check pass; user unknown
Jan 30 17:39:11 hklvadapp005 sshd[20677]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.140.142.40
Jan 30 17:39:13 hklvadapp005 sshd[20666]: error: PAM: User not known to the underlying authentication module for illegal user npwedmadmn from 10.140.142.40
Jan 30 17:39:13 hklvadapp005 sshd[20666]: Failed keyboard-interactive/pam for invalid user npwedmadmn from 10.140.142.40 port 63205 ssh2
Jan 30 17:39:14 hklvadapp005 sshd[20680]: pam_tally2(sshd:auth): pam_get_uid; no such user
Jan 30 17:39:14 hklvadapp005 sshd[20666]: Postponed keyboard-interactive for invalid user npwedmadmn from 10.140.142.40 port 63205 ssh2 [preauth]
Jan 30 17:39:59 hklvadapp005 sshd[20733]: pam_tally2(sshd:auth): user npwebmadmn (5001) tally 20, deny 9
Jan 30 17:49:25 hklvadapp005 sshd[18218]: pam_unix(sshd:session): session closed for user npwebmadmn
Jan 30 18:03:22 hklvadapp005 sshd[26745]: Accepted keyboard-interactive/pam for npwebmadmn from 10.140.142.40 port 63985 ssh2
Jan 30 18:03:23 hklvadapp005 sshd[26745]: pam_unix(sshd:session): session opened for user npwebmadmn by (uid=0)
Jan 30 18:03:42 hklvadapp005 sshd[26813]: pam_tally2(sshd:auth): user npwebmadmn (5001) tally 22, deny 9
Jan 30 18:04:00 hklvadapp005 sshd[26828]: pam_tally2(sshd:auth): user npwebmadmn (5001) tally 23, deny 9
Jan 30 18:04:08 hklvadapp005 sshd[26822]: error: PAM: Authentication failure for npwebmadmn from 10.140.142.40
Jan 30 18:04:08 hklvadapp005 sshd[26840]: pam_tally2(sshd:auth): user npwebmadmn (5001) tally 24, deny 9
Jan 30 18:04:08 hklvadapp005 sshd[26822]: Postponed keyboard-interactive for npwebmadmn from 10.140.142.40 port 64040 ssh2 [preauth]
Jan 30 18:04:21 hklvadapp005 sshd[26822]: error: PAM: Authentication failure for npwebmadmn from 10.140.142.40
Jan 30 18:04:21 hklvadapp005 sshd[26822]: Failed keyboard-interactive/pam for npwebmadmn from 10.140.142.40 port 64040 ssh2
Jan 30 18:04:22 hklvadapp005 sshd[26850]: pam_tally2(sshd:auth): user npwebmadmn (5001) tally 25, deny 9
Jan 30 18:04:22 hklvadapp005 sshd[26822]: Postponed keyboard-interactive for npwebmadmn from 10.140.142.40 port 64040 ssh2 [preauth]
Jan 30 18:05:12 hklvadapp005 sshd[26906]: Accepted publickey for devops from 10.23.216.164 port 55702 ssh2: RSA 11:e4:3d:68:12:f8:1f:0d:e2:aa:31:62:bf:c1:12:a5

The user npwebmadmn is getting locked automatically very frequently... but when I execute the below command it is getting unlocked automatically?

pam_tally2  --user=npwebmadmn --reset


So is there anywhere I need to change pam_tally2 settings to avoid this? Please suggest.
BharathKumarRaju DasaraRaju (Devops Engineer) asked:
Prabhin MP (Engineer-TechOPS) commented:
0
BharathKumarRaju DasaraRaju (Devops Engineer), author, commented:
be


root@hklvadapp005[pam.d] # pwd
/etc/pam.d
root@hklvadapp005[pam.d] # cat system-auth
# lines inserted by Centrify Direct Control { CentrifyDC 5.3.1-411 }
auth    sufficient      pam_centrifydc.so
auth    requisite       pam_centrifydc.so deny
account sufficient      pam_centrifydc.so
account requisite       pam_centrifydc.so deny
session required        pam_centrifydc.so homedir
password        sufficient      pam_centrifydc.so try_first_pass
password        requisite       pam_centrifydc.so deny
#
# Copyright (C) Standard Chartered Bank
# Global Platform Engineering
#
# $URL: http://unixportal/svn/unix/OS_standard_builds/SCBbuild.el7/trunk/post.d/SOURCE/etc/pam.d/system-auth $
#
# $LastChangedBy: 1358674 $
# $LastChangedDate: 2016-09-12 07:03:23 +0000 (Mon, 12 Sep 2016) $
# $LastChangedRevision: 2738 $
#
# %PAM-1.0
#
auth        required      pam_env.so
auth        required      pam_tally2.so deny=9 onerr=fail unlock_time=900
auth        sufficient    pam_unix.so nullok
auth        required      pam_deny.so
#
account     required      pam_unix.so
account     sufficient    pam_localuser.so
#
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=12
password    required      pam_deny.so
#
session     optional      pam_keyinit.so revoke
8session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     required      pam_mkhomedir.so skel=/etc/skel umask=0022
root@hklvadapp005[pam.d] #

root@hklvadapp005[pam.d] # cat password-auth
# lines inserted by Centrify Direct Control { CentrifyDC 5.3.1-411 }
auth    sufficient      pam_centrifydc.so
auth    requisite       pam_centrifydc.so deny
account sufficient      pam_centrifydc.so
account requisite       pam_centrifydc.so deny
session required        pam_centrifydc.so homedir
password        sufficient      pam_centrifydc.so try_first_pass
password        requisite       pam_centrifydc.so deny
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
root@hklvadapp005[pam.d] #

0
BharathKumarRaju DasaraRaju (Devops Engineer), author, commented:
Any idea, guys?
0
remeshk commented:
Have you reset this user's password recently?

From the logs we could see the user npwedmadmn is logging in from multiple servers like 10.140.142.40, 10.128.115.91, 10.128.115.165.

Also, please make sure you have not hard-coded the user password in any script or monitoring, etc.
0
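
To find which client is behind the failures that remeshk's reply points at, the failed attempts can be counted per source address and set against the pam_tally2 counter. This is an added example, not code from the thread: the function name `triage` and its result keys are made up here, and the sample is an excerpt of the log lines quoted in the question.

```python
import re
from collections import Counter

# Excerpt of the sshd log lines quoted in the question (subset chosen for the example).
SAMPLE = """\
Jan 29 15:09:01 hklvadapp005 sshd[16181]: Accepted keyboard-interactive/pam for npwebmadmn from 10.140.142.40 port 52237 ssh2
Jan 29 15:14:35 hklvadapp005 sshd[17920]: pam_tally2(sshd:auth): user npwebmadmn (5001) tally 10, deny 9
Jan 29 16:32:25 hklvadapp005 sshd[2433]: pam_tally2(sshd:auth): user npwebmadmn (5001) tally 12, deny 9
Jan 29 16:32:35 hklvadapp005 sshd[2427]: error: PAM: Authentication failure for npwebmadmn from 10.140.142.40
Jan 29 16:32:36 hklvadapp005 sshd[2440]: pam_tally2(sshd:auth): user npwebmadmn (5001) tally 13, deny 9
Jan 30 09:22:38 hklvadapp005 sshd[16257]: Accepted keyboard-interactive/pam for npwebmadmn from 10.128.114.188 port 64556 ssh2
Jan 30 09:25:06 hklvadapp005 sshd[16469]: pam_tally2(sshd:auth): user npwebmadmn (5001) tally 16, deny 9
Jan 30 09:25:15 hklvadapp005 sshd[16464]: error: PAM: Authentication failure for npwebmadmn from 10.128.114.188
Jan 30 09:25:16 hklvadapp005 sshd[16475]: pam_tally2(sshd:auth): user npwebmadmn (5001) tally 17, deny 9
Jan 30 18:04:08 hklvadapp005 sshd[26822]: error: PAM: Authentication failure for npwebmadmn from 10.140.142.40
"""

TALLY = re.compile(r"pam_tally2\(sshd:auth\): user (\S+) \(\d+\) tally (\d+), deny (\d+)")
FAIL = re.compile(r"error: PAM: Authentication failure for (\S+) from (\S+)")
OK = re.compile(r"Accepted \S+ for (\S+) from (\S+)")

def triage(log_text, user):
    """Summarise lockout evidence for one account from sshd/PAM log text."""
    failures, tallies = Counter(), []
    deny, pending_ok, no_reset = None, False, 0
    for line in log_text.splitlines():
        if (m := TALLY.search(line)) and m.group(1) == user:
            tally, deny = int(m.group(2)), int(m.group(3))
            # A successful login was seen since the last tally line,
            # yet the counter is higher than before: it was not cleared.
            if pending_ok and tallies and tally > tallies[-1]:
                no_reset += 1
            tallies.append(tally)
            pending_ok = False
        elif (m := FAIL.search(line)) and m.group(1) == user:
            failures[m.group(2)] += 1      # failed attempts per source address
        elif (m := OK.search(line)) and m.group(1) == user:
            pending_ok = True
    return {"failures_by_source": dict(failures), "tallies": tallies,
            "deny": deny, "logins_without_reset": no_reset}

if __name__ == "__main__":
    print(triage(SAMPLE, "npwebmadmn"))
```

A `logins_without_reset` value above zero means the counter kept climbing across a successful login in the log, which is worth checking against where `pam_tally2.so` sits in the PAM stack.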

BharathKumarRaju DasaraRaju (Devops Engineer), author, commented:
Yes, it is fixed now.
0