The maintenance program for pam_tally.so. pam_tally is a PAM module intended to deny further authentication attempts after a given count of failed authentications.

pam_tally(8) can list and reset the accumulated counts. Note that this only uses a local file (defaults to /var/adm/faillog) and has no facility to use LDAP or similar systems to combine results from several machines (or a cluster).

pam_tally provides a subset of the functionality of pam_abl, but where pam_tally simply counts failing usernames, pam_abl allows for:

• counting failing hosts as well as usernames (my logs show the same attacking hostnames trying lots of different usernames rather than the other way round)
• configurable time-based failures (e.g. record a failure if the user or host fails 5 times in an hour or 10 in a day)
• configurable time-based auto-purging of failure database

On the other hand, pam_abl seems to have 2 issues at the moment:

• some users (including TomGreen?) report failures not being recorded in database (fixed in current CVS from SourceForge?)
• an issue with OpenSSH where failures don't seem to be recorded