Resolve the "Maximum amount of failed attempts was reached" error

更新时间:
复制 MD 格式

This topic describes the causes of and solutions for the "Maximum amount of failed attempts was reached" error when you connect to a Linux ECS instance with an SSH client.

Problem description

When you connect to a Linux ECS instance with an SSH client, you receive the error message "Maximum amount of failed attempts was reached".

Cause

This issue occurs because multiple consecutive failed password attempts trigger the system's Pluggable Authentication Modules (PAM) security policy. This policy locks the user account and prevents remote connections to the ECS instance.

Note

In Linux, the following three PAM configuration files are primarily related to SSH. If PAM authentication is configured to restrict remote connections, for example, with the settingauth required pam_tally2.so deny=3 unlock_time=50, it locks an account for 50 seconds after three consecutive failed login attempts by a regular or root user.

  • /etc/pam.d/login: The PAM configuration file for VNC.

  • /etc/pam.d/sshd: The PAM configuration file for the SSH service.

  • /etc/pam.d/system-auth: The system-wide PAM configuration file.

Solution

Select a solution based on whether the root user is locked.

The root user is not locked

This section shows how to comment out the PAM restriction in the system-wide PAM configuration file (/etc/pam.d/system-auth). A similar method applies to/etc/pam.d/sshd or/etc/pam.d/login.

  1. Connect to the instance as the root user using VNC.

    For more information, see Log on to a Linux instance by using a password.

  2. Run the following command to check the PAM configuration file for authentication restrictions.

    cat /etc/pam.d/system-auth

    For example, the following output indicates that if a regular user or the root user enters an incorrect password three consecutive times, the account is locked for 50 seconds.

    auth        required                                     pam_faildelay.so delay=2000000
    auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
    auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
    auth        sufficient                                   pam_unix.so nullok
    auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
    auth        sufficient                                   pam_sss.so forward_pass
    auth        required                                     pam_deny.so
    auth        required                                     pam_tally2.so deny=3 unlock_time=50
    account     required                                     pam_unix.so no_pass_expiry
    account     sufficient                                   pam_localuser.so
    account     sufficient                                   pam_usertype.so issystem
    account     [default=bad success=ok user_unknown=ignore] pam_sss.so
    account     required                                     pam_permit.so
  3. Modify the system-auth configuration file.

    1. Run the following command to open the system-auth configuration file.

      vim /etc/pam.d/system-auth
    2. Pressi to enter Insert mode.

    3. As needed, comment out, modify, or delete the configuration.

      This example comments out the configuration.

      auth required pam_tally2.so deny=3 unlock_time=50            # Original line: Locks the user account after three consecutive failed login attempts. The account is unlocked after 50 seconds.
      #auth required pam_tally2.so deny=3 unlock_time=50           # After commenting out                          
      Note
      • This example uses thepam_tally2 module. Ifpam_tally2 is not supported, you can use thepam_tally module. Settings can vary by PAM version. For specific usage, refer to the documentation for the relevant module. For more information, seeLinux PAM SAG.

      • Both thepam_tally2 andpam_tally modules can be used for account lockout policy control, butpam_tally2 supports automatic unlocking after a specified time.

      • even_deny_root restricts the root user.

      • deny sets the maximum number of consecutive failed login attempts for regular and root users before the user account is locked.

      • unlock_time sets the automatic unlock duration in seconds for a locked regular user account.

      • root_unlock_time sets the automatic unlock duration in seconds for a locked root user account.

  4. Try to connect to the instance again. The issue is resolved if the connection is successful.

The root user is locked

  1. Connect to the instance in single-user mode.

    For more information, seeEnter single-user mode on a Linux instance.

  2. Run the following commands to unlock the root user.

    pam_tally2 -u root                          # Check the number of consecutive failed login attempts for the root user.
    pam_tally2 -u root -r                       # Clear the count of consecutive failed login attempts for the root user.
    authconfig --disableldap --update           # Update the PAM security authentication records.
  3. Reboot the instance.

    For more information, seeReboot an instance.

  4. In the relevant PAM configuration file, comment out, modify, or delete the corresponding configuration.

    For detailed steps, seeThe root user is not locked.

  5. Try to connect to the instance again. The issue is resolved if the connection is successful.