This example is from the system-auth file in /etc/pam.d on a Red Hat Enterprise Linux machine:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# Enables failed login counts (section 1 of 2)
auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
# Enables failed login counts (section 2 of 2)
account required /lib/security/$ISA/pam_tally.so deny=5 reset no_magic_root
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow nis
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
Note that in the example the pam_tally module is referenced twice: once in the auth part, and again in the account part. If you care about the details, read up on PAM. Otherwise, just note that it will lock out any user except root forever after 5 bad password attempts. If a user logs in successfully, the counter is reset; e.g. after 4 bad attempts followed by a successful 5th, the tally counter is reset to 0. To view and unlock accounts, use the pam_tally command. Run by itself, pam_tally shows a username and the number of failed password attempts.
To unlock an account, do:
pam_tally --user username --reset
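
The pairing described above (pam_tally.so in both the auth and account parts, plus a deny= threshold) can be checked mechanically. The shell function below is an added example, not part of the original page or of PAM itself; the name check_tally_lockout and the GOOD/BAD sample stacks are constructed for illustration, and it assumes each PAM entry sits on a single line.

```shell
#!/bin/sh
# Added example: check_tally_lockout is a hypothetical helper, not a PAM tool.
# Reads a PAM service file on stdin; exits 0 only if pam_tally.so is present in
# both the auth and account stacks and some pam_tally.so line carries deny=N.
check_tally_lockout() {
    awk '
        $1 ~ /^#/ || NF < 3 { next }                 # comments, blanks, fragments
        $0 ~ /(^|[\/ \t])pam_tally\.so([ \t]|$)/ {   # matches bare name or full path
            if ($1 == "auth")    auth = 1
            if ($1 == "account") account = 1
            for (i = 3; i <= NF; i++)
                if ($i ~ /^deny=[0-9]+$/) deny = substr($i, 6)
        }
        END {
            if (!auth)      { print "FAIL: pam_tally.so missing from auth stack";    bad = 1 }
            if (!account)   { print "FAIL: pam_tally.so missing from account stack"; bad = 1 }
            if (deny == "") { print "FAIL: no deny=N on any pam_tally.so line";      bad = 1 }
            if (!bad) print "OK: lockout after " deny " failed attempts"
            exit bad + 0
        }
    '
}

# Constructed sample: the relevant lines of the page's system-auth, one entry per line.
GOOD='#%PAM-1.0
auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
account required /lib/security/$ISA/pam_unix.so
account required /lib/security/$ISA/pam_tally.so deny=5 reset no_magic_root'

# Constructed sample: same stack with the account-part pam_tally.so line removed.
BAD='#%PAM-1.0
auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
account required /lib/security/$ISA/pam_unix.so'

# Demo run on the constructed sample. On a real host:
#   check_tally_lockout < /etc/pam.d/system-auth
printf '%s\n' "$GOOD" | check_tally_lockout
```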