Setting a lock out policy in CentOS or Fedora is very easy.
auth required pam_tally.so onerr=fail no_magic_root
account required pam_tally.so deny=3 unlock_time=3600 no_magic_root reset
onerr=fail if there is a problem opening the file for some reason fail login
no_magic_root this means if the module is called with a uid=0 then the counter is incremented, this is for launching services
deny=3 lockout will occur if the user exceeds 3 logins
reset means if the sign in correctly then the account will be reset
unlock_time=3600 number of seconds before unlock