RHEL6 pam_tally2 lockouts

Johan Booysen johan at matrixsolutions.co.uk
Mon Jan 10 15:40:27 UTC 2011


I'm trying to set up a RHEL6 server for sftp access only.  So far it
works very well, but I can't seem to get pam_tally2 set up to lock user
accounts after so many unsuccessful login attempts.

As far as I could find out, it should work if I add the following lines
to /etc/pam.d/system-auth:

Last line in the auth section:

auth        required      pam_tally2.so deny=3 onerr=fail

Last line in the account section:

account     required      pam_tally2.so

According to the pam_tally2 man page this should log failed attempts in
/var/log/tallylog, but when I deliberately log in with nonsense
usernames/password, I get absolutely nothing in the tallylog file.
Hence running the pam_tally2 command with no options produces no
results.

/var/log/secure shows me entries such as:

Jan 10 15:16:26 rhel6 sshd[1918]: Failed password for test from 192.x.x.x port 4467 ssh2
Jan 10 15:16:29 rhel6 sshd[1918]: Failed password for test from 192.x.x. port 4467 ssh2
Jan 10 15:16:29 rhel6 sshd[1919]: Disconnecting: Too many authentication failures for test
Jan 10 15:16:29 rhel6 sshd[1918]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mc23.xxxxx.int  user=test

In /etc/ssh/sshd_config I've got

UsePAM yes
PasswordAuthentication yes
ChallengeResponseAuthentication no

I might be missing something silly here, so I'd really appreciate any
advice on getting this to work on Red Hat Enterprise Linux 6.

Thanks.
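One check worth running before changing module options, as an added example that is not part of the original post: pam_tally2 only records a failure when it sits in the stack the sshd service actually evaluates, and on RHEL 6 the /etc/pam.d/sshd service file reaches its auth and account modules through include lines rather than listing them directly. The Python below resolves the effective stack for a service across include/substack and reports whether pam_tally2 is reached; the PAM file contents are constructed for the example (system-auth carries the two lines from the post, the other files are illustrative).

```python
import re

# Constructed /etc/pam.d contents for this check (not copied from a real host).
# system-auth carries the two pam_tally2 lines from the post; the sshd service
# file reaches its modules through include lines, as on RHEL 6.
PAM_FILES = {
    "sshd": (
        "auth       include      password-auth\n"
        "account    include      password-auth\n"
    ),
    "system-auth": (
        "auth        sufficient    pam_unix.so nullok try_first_pass\n"
        "auth        required      pam_deny.so\n"
        "auth        required      pam_tally2.so deny=3 onerr=fail\n"
        "account     required      pam_unix.so\n"
        "account     required      pam_tally2.so\n"
    ),
    "password-auth": (
        "auth        sufficient    pam_unix.so nullok try_first_pass\n"
        "auth        required      pam_deny.so\n"
        "account     required      pam_unix.so\n"
    ),
}

LINE_RE = re.compile(r"^\s*(auth|account|password|session)\s+(\S+)\s+(\S+)(.*)$")

def effective_stack(service, files, depth=0):
    """List (type, control, module, args) a service evaluates, following include/substack."""
    if depth > 8:
        raise ValueError("include loop in PAM configuration")
    stack = []
    for line in files.get(service, "").splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # comments and blank lines
        mtype, control, module, args = m.groups()
        if control in ("include", "substack"):
            # An include pulls in only the lines of the same type from the named file.
            stack.extend(e for e in effective_stack(module, files, depth + 1) if e[0] == mtype)
        else:
            stack.append((mtype, control, module, args.split()))
    return stack

def tally2_status(service, files):
    """Is pam_tally2 reached in auth (and with which deny=) and in account for this service?"""
    stack = effective_stack(service, files)
    auth = [e for e in stack if e[0] == "auth" and e[2] == "pam_tally2.so"]
    acct = [e for e in stack if e[0] == "account" and e[2] == "pam_tally2.so"]
    deny = next((int(a[5:]) for e in auth for a in e[3] if a.startswith("deny=")), None)
    return {"auth": bool(auth), "account": bool(acct), "deny": deny}
```

On a real host, read the files under /etc/pam.d into the dict and call tally2_status("sshd", ...) to see whether the sshd stack reaches the module at all.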




More information about the redhat-list mailing list