Post History

Authentication events such as logging in are ultimately handled by PAM, the Linux [Pluggable Authentication Modules](https://github.com/linux-pam/linux-pam) project. PAM is very flexible and different Linux distributions will ship with different PAM configurations.

The [Arch documentation](https://wiki.archlinux.org/title/PAM) describes how PAM is set up for Arch. In 2020, Arch [switched](https://gitlab.archlinux.org/archlinux/packaging/packages/pambase/-/commit/6c964448235c932b5e42b5245ec38e106448044a) to using the `pam_faillock.so` module to handle counting authentication failures (the previously-used module, `pam_tally2.so`, is deprecated). The [man page](https://man7.org/linux/man-pages/man8/pam_faillock.8.html) for `pam_faillock` describes how it is to be configured, including a config file that lives by default at `/etc/security/faillock.conf`.

Users of other Linux distributions may not be using `pam_faillock.so`, but they are almost certainly using PAM. Consult the `/etc/pam.d` directory (or `/etc/pam.conf` file) to determine what modules are in effect for the service you're investigating, and then consult their man pages to determine how to configure them.