To configure the system to lock out accounts after a number of incorrect login attempts using 'pam_faillock.so', modify the content of both '/etc/pam.d/system-auth' and '/etc/pam.d/password-auth' as follows: add the following line immediately 'before' the 'pam_unix.so' statement in the 'AUTH' section: auth required pam_faillock.so preauth silent deny=3 unlock_time=1800 fail_interval=900 add the following line immediately 'after' the 'pam_unix.so' statement in the 'AUTH' section: auth [default=die] pam_faillock.so authfail deny=3 unlock_time=1800 fail_interval=900 add the following line immediately 'before' the 'pam_unix.so' statement in the 'ACCOUNT' section: account required pam_faillock.so

[3_failed_attempts]

Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks.