Append the following options to the pam_tally.so line:
onerr=fail deny=5 unlock_time=1800
Relevant entries (the two pam_tally.so lines) in /etc/pam.d/system-auth:
auth        required      /lib/security/$ISA/pam_env.so
auth        required      /lib/security/$ISA/pam_tally.so onerr=fail deny=5 unlock_time=1800
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/$ISA/pam_permit.so
account     required      /lib/security/$ISA/pam_tally.so
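A check for the settings above, as an added example that is not part of the original page: it parses a system-auth style file and reports any missing or weakened pam_tally.so setting. The names parse_pam and audit_tally are hypothetical, the sample text is constructed from the lines shown here, and the thresholds default to the page's deny=5 and unlock_time=1800.

```python
# Constructed sample mirroring the system-auth lines on this page.
SAMPLE = """\
auth required /lib/security/$ISA/pam_env.so
auth required /lib/security/$ISA/pam_tally.so onerr=fail deny=5 unlock_time=1800
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_permit.so
account required /lib/security/$ISA/pam_tally.so
"""

def parse_pam(text):
    """Return [(type, control, module_basename, args)] for each rule line."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) >= 3:
            rules.append((fields[0], fields[1], fields[2].rsplit("/", 1)[-1], fields[3:]))
    return rules

def audit_tally(text, max_deny=5, min_unlock=1800):
    """Return findings; an empty list means the lockout settings are in place."""
    rules = parse_pam(text)
    findings = []
    auth = [i for i, r in enumerate(rules) if r[0] == "auth" and r[2] == "pam_tally.so"]
    if not auth:
        findings.append("auth: pam_tally.so missing")
    else:
        _, control, _, args = rules[auth[0]]
        opts = dict(a.split("=", 1) for a in args if "=" in a)
        if control != "required":
            findings.append("auth: pam_tally.so is not 'required'")
        if opts.get("onerr") != "fail":
            findings.append("auth: onerr=fail not set")
        deny = opts.get("deny", "")
        if not deny.isdigit() or not 1 <= int(deny) <= max_deny:
            findings.append(f"auth: deny must be 1..{max_deny}")
        unlock = opts.get("unlock_time", "")
        if not unlock.isdigit() or int(unlock) < min_unlock:
            findings.append(f"auth: unlock_time must be >= {min_unlock}")
        # A 'sufficient' module that succeeds ends the stack, so anything after it is skipped.
        first_suff = next((i for i, r in enumerate(rules)
                           if r[0] == "auth" and r[1] == "sufficient"), len(rules))
        if auth[0] > first_suff:
            findings.append("auth: pam_tally.so placed after a 'sufficient' module")
    if not any(r[0] == "account" and r[2] == "pam_tally.so" for r in rules):
        findings.append("account: pam_tally.so missing")
    return findings
```

Calling audit_tally(open("/etc/pam.d/system-auth").read()) on a host returns the same list of findings for the live file.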