Which module is typically used for account lockout in Linux/UNIX environments?

Tracking failed login attempts to enforce a lockout is handled by a PAM module designed for tallying authentication failures. This module records each failed attempt for a user and, once a configured threshold is reached, can deny further login attempts for a period or until an administrator unlocks the account. It often works in concert with the standard authentication module (which actually checks credentials), but the lockout behavior itself comes from the tallying module. The other options serve different purposes: one verifies passwords but doesn’t impose lockouts, another imposes general resource limits like max sessions, and the last restricts root logins to secure terminals. In modern setups you might see pam_faillock or pam_tally2, but the concept remains the same—a PAM component that counts failures and enforces a lockout.