https://www.linuxtechi.com/lock-user-account-incorrect-login-attempts-linux/
The yubikey section must come first, if included, followed by this.
These edits are made in /etc/pam.d/common-auth
# here are the per-package modules (the "Primary" block)
auth required pam_tally2.so onerr=fail deny=5 unlock_time=60 audit
auth [success=1 default=ignore] pam_unix.so nullok_secure
The pam tally count can be checked with
sudo pam_tally2 --user=<user>
and reset with
sudo pam_tally2 --user=<user> --reset
The counter needs to be reset, or you'll always exceed the counter limit and get locked out.
The counter can be reset automatically on a successful login by adding the following line at the beginning of /etc/pam.d/common-account:
account required pam_tally2.so
https://www.nextstep4it.com/pam_tally2-command-lock-unlock-ssh-failed-logins/
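
A quick way to audit the layout described in these notes: pam_tally2.so ahead of pam_unix.so in the auth stack, deny= and unlock_time= set, and the pam_tally2.so account line first in the account stack. This is an added example, not taken from either linked article; the check_tally function name and the sample files it writes are constructed for illustration. Point it at /etc/pam.d/common-auth and /etc/pam.d/common-account to check a real host.

```shell
#!/bin/sh
# Added example: audit the pam_tally2 layout described in these notes.
# check_tally AUTH_FILE ACCOUNT_FILE -> prints findings, returns 0 if OK, 1 if not.
check_tally() {
    auth_file=$1; account_file=$2; rc=0
    # First active (uncommented) auth lines; $1=="auth" skips "#..." comments.
    tally_ln=$(awk '$1=="auth" && /pam_tally2\.so/ {print NR; exit}' "$auth_file")
    unix_ln=$(awk '$1=="auth" && /pam_unix\.so/ {print NR; exit}' "$auth_file")
    if [ -z "$tally_ln" ]; then
        echo "FAIL: no auth pam_tally2.so line in $auth_file"; rc=1
    else
        if [ -n "$unix_ln" ] && [ "$tally_ln" -gt "$unix_ln" ]; then
            echo "FAIL: pam_tally2.so (line $tally_ln) comes after pam_unix.so (line $unix_ln)"; rc=1
        fi
        tally_line=$(sed -n "${tally_ln}p" "$auth_file")
        for opt in deny unlock_time; do
            case " $tally_line " in
                *" $opt="[0-9]*) ;;
                *) echo "FAIL: $opt=N missing from the pam_tally2.so auth line"; rc=1 ;;
            esac
        done
    fi
    # The reset-on-success line must be the first active account entry.
    if ! awk '$1=="account" { if (/pam_tally2\.so/) ok=1; exit } END { exit !ok }' "$account_file"; then
        echo "FAIL: first account line in $account_file is not pam_tally2.so"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $auth_file / $account_file"
    return "$rc"
}

# Constructed sample files (not read from /etc/pam.d) so the check runs anywhere.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/auth.good" <<'EOF'
# here are the per-package modules (the "Primary" block)
auth required pam_tally2.so onerr=fail deny=5 unlock_time=60 audit
auth [success=1 default=ignore] pam_unix.so nullok_secure
EOF
cat > "$SAMPLES/auth.bad" <<'EOF'
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth required pam_tally2.so onerr=fail deny=5
EOF
printf 'account required pam_tally2.so\naccount required pam_unix.so\n' > "$SAMPLES/account.good"
printf 'account required pam_unix.so\n' > "$SAMPLES/account.bad"

check_tally "$SAMPLES/auth.good" "$SAMPLES/account.good"
check_tally "$SAMPLES/auth.bad" "$SAMPLES/account.bad" || true
```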