Monday, June 4, 2012

Linux User password policy

1. Lock a user account with either of these commands:
# usermod -L abcuser
OR
# passwd -l abcuser

To unlock it again:
# usermod -U abcuser
OR
# passwd -u abcuser

Both lock commands prefix the password hash in /etc/shadow with '!', so the account can no longer authenticate by password; the unlock commands remove that prefix.


2. Set a retry limit for account lockout
# vim /etc/pam.d/system-auth

auth        required      /lib/security/$ISA/pam_tally.so no_magic_root
account     required      /lib/security/$ISA/pam_tally.so deny=3 no_magic_root lock_time=180

Here deny=3 locks the account once three failed attempts have been counted, lock_time=180 denies access for 180 seconds after a failed attempt, and no_magic_root makes root's failures count as well. Note that pam_tally is obsolete on current distributions, where pam_tally2 and later pam_faillock provide the same deny= policy.

To display all failed login attempts, type:
faillog -a

To display failed logins for a particular user, type:
faillog -u username

To unlock a user who has reached the maximum number of failed attempts, reset the counter:
faillog -r -u username

3. Restrict root logins to the system console
Comment out the following line in /etc/ssh/sshd_config and restart the sshd service:
PermitRootLogin yes
Commenting it out only falls back to the sshd default, which on OpenSSH releases before 7.0 is still yes; setting PermitRootLogin no explicitly is the reliable form.
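An added audit script (not part of the original post) that checks the two settings above on constructed sample input: whether a /etc/shadow entry is locked, and which PermitRootLogin value sshd will actually apply, since sshd honours only the first occurrence of a keyword. The function names and sample entries are my own; it assumes POSIX sh with awk and cut.

```shell
#!/bin/sh
# Audit helpers for the lock and sshd settings discussed above (added example).

# shadow_locked LINE: classify one /etc/shadow entry.
# passwd -l and usermod -L prefix the hash field with '!', so a leading '!'
# means the account is locked; an empty field means no password at all.
shadow_locked() {
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$field" in
        '!'*) echo locked ;;
        '')   echo nopass ;;
        *)    echo unlocked ;;
    esac
}

# sshd_root_login FILE: print the PermitRootLogin value sshd will use.
# sshd keeps the FIRST occurrence of a keyword, so a later "no" does not
# override an earlier "yes". Commented lines do not count. If the keyword
# is absent, sshd uses its compiled-in default (yes before OpenSSH 7.0),
# which we report as "default".
sshd_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
         END { if (!found) print "default" }' "$1"
}

# Constructed sample data for a stand-alone run (hypothetical values).
SAMPLE_SHADOW='abcuser:!$6$saltsalt$hashhashhash:19000:0:99999:7:::'
SAMPLE_SSHD=$(mktemp)
printf '#PermitRootLogin yes\nPermitRootLogin yes\nPermitRootLogin no\n' > "$SAMPLE_SSHD"

echo "abcuser: $(shadow_locked "$SAMPLE_SHADOW")"                   # locked
echo "PermitRootLogin in effect: $(sshd_root_login "$SAMPLE_SSHD")"  # yes
rm -f "$SAMPLE_SSHD"
```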

