Log-in attempts on the system by ftp from a denied terminal cause the pam_tally/pam_tally2 count to keep increasing.
OS : RHEL
PIM : 12.5 and higher
PIM returns “deny” from its PAM layer module.
An “ftp” connection does not call the session authorization functions in PAM.
However, an ftp connection does call the account management function, and PIM returns deny from account management.
To prevent the pam_tally/pam_tally2 count from incrementing, add “account optional pam_tally.so/pam_tally2.so” to the password-auth and system-auth files.
With this line in place, the failed counter is reset by a correct ID/password combination even if access is denied by a terminal rule.
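One way to confirm the change is in place, as an added example that is not part of the original article or vendor code: the script below reports whether a PAM service file has an uncommented "account" line for pam_tally.so or pam_tally2.so and prints its control flag. The function names and the sample file contents are constructed for illustration; on a real host, pass /etc/pam.d/system-auth and /etc/pam.d/password-auth to check_pam_files.

```shell
#!/bin/sh
# Added example: check PAM service files for a pam_tally/pam_tally2 "account" line.

# Print the control flag of the first matching account line; return 1 if none.
tally_account_control() {
    awk '
        /^[[:space:]]*#/ { next }                  # skip commented-out lines
        {
            type = $1; sub(/^-/, "", type)         # "-account" = tolerate missing module
            if (type != "account") next
            ctl = $2; i = 3
            if (ctl ~ /^\[/) {                     # bracketed [value=action ...] control
                while (ctl !~ /\]$/ && i <= NF) { ctl = ctl " " $i; i++ }
            }
            mod = $i; sub(/^.*\//, "", mod)        # drop a directory prefix, if any
            if (mod == "pam_tally.so" || mod == "pam_tally2.so") {
                print ctl; found = 1; exit
            }
        }
        END { exit !found }
    ' "$1"
}

# Report every file given; return non-zero if any file lacks the line.
check_pam_files() {
    rc=0
    for f in "$@"; do
        if ctl=$(tally_account_control "$f"); then
            echo "OK   $f: account $ctl"
        else
            echo "MISS $f: no account line for pam_tally.so/pam_tally2.so"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files standing in for system-auth and password-auth.
write_samples() {
    printf '%s\n' \
        'auth     required   pam_tally2.so deny=5 onerr=fail' \
        '# account  optional   pam_tally2.so' \
        'account  required   pam_unix.so' > "$1/system-auth"
    printf '%s\n' \
        'auth     required   pam_tally2.so deny=5 onerr=fail' \
        'account  optional   pam_tally2.so' \
        'account  required   pam_unix.so' > "$1/password-auth"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
check_pam_files "$demo_dir/system-auth" "$demo_dir/password-auth" || true
rm -rf "$demo_dir"
```

In the constructed samples, system-auth is reported as MISS because its account line is commented out, which is the case where the counter would keep climbing.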