LinuxCommandLibrary

faillock

Record and deny login attempts after failures

TLDR

List login failures of the current user
$ faillock

Reset the failure records of the current user
$ faillock --reset

List login failures of all users
$ sudo faillock

List login failures of the specified user
$ sudo faillock --user [user]

Reset the failure records of the specified user
$ sudo faillock --user [user] --reset

SYNOPSIS

faillock [options] [username]
This syntax shows the command name faillock, followed by optional command-line options that modify its behavior, and an optional username that selects whose records to operate on. If no username is provided, it typically operates on the current user, or on all users when combined with the -a option.

PARAMETERS

-u USER, --user USER
    Specifies the user whose faillock records are to be displayed or modified.

-r
    Resets (clears) the failure count and unlock status for the specified user or all users if combined with -a.

-a
    Applies the operation to all users, often used with -r to clear all lockouts.

--dir DIRECTORY
    Specifies an alternative directory where faillock files are stored, overriding the default configured by PAM.

-V, --version
    Displays version information and exits.

-h, --help
    Displays a help message and exits.

DESCRIPTION

faillock is a command-line utility used to display and modify the login failure records for users on a Linux system. It works in conjunction with the pam_faillock.so PAM module, which is responsible for tracking consecutive failed authentication attempts and temporarily locking user accounts to prevent brute-force attacks.
The tool allows administrators to view the current number of failed attempts for a specific user or all users. More importantly, it provides the capability to reset these failure counts, which is crucial for unlocking accounts that have been temporarily locked due to exceeding the configured maximum number of failed login attempts. This command is an essential component for enforcing robust account security policies in Linux environments, ensuring system integrity against unauthorized access attempts.

CAVEATS

Requires root privileges to view or modify faillock records for users other than the current one. The effectiveness of faillock heavily relies on the proper configuration of the pam_faillock.so module within PAM, which manages the actual lockout policies. Incorrect usage or configuration can lead to unintended account lockouts or reduced security.

INTEGRATION WITH PAM

The core functionality of account lockout based on failed logins is provided by the pam_faillock.so module. This PAM module writes login failure information to a specific directory (commonly /var/run/faillock or /var/log/faillock). The faillock command then reads from and writes to these same files to display counts or reset them, acting as the administrative interface for the PAM module's tracking mechanism.

TEMPORARY VS. PERSISTENT STORAGE

By default, pam_faillock.so often stores failure records in a temporary filesystem location like /var/run/faillock, meaning records are lost on reboot. For persistent lockout records across reboots, administrators must configure pam_faillock.so to use a persistent directory (e.g., /var/log/faillock), which faillock can then also interact with via the --dir option.
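Because faillock is only the reporting interface for the records pam_faillock.so keeps, an administrator usually wants to know which users have reached the deny threshold rather than read raw counts. The script below is an added example, not part of the Linux Command Library page or of faillock itself: it parses output in the layout faillock prints (a "user:" header, a column header, then one record per line ending in V for still-valid or I for invalidated), using a constructed sample rather than a live host, and assumes DENY mirrors the deny setting configured for pam_faillock.so.

```bash
#!/bin/sh
# Added example: summarise faillock-style output and flag users whose count of
# still-valid failures has reached the configured deny threshold.
# Assumption: DENY mirrors pam_faillock's "deny" setting on this host.
DENY=3

# Constructed sample in the layout `sudo faillock` prints (not captured from a
# real system). A record ending in I was invalidated by a later successful login.
SAMPLE='alice:
When                Type  Source                                           Valid
2024-03-01 08:00:01 RHOST 192.0.2.10                                       V
2024-03-01 08:00:07 RHOST 192.0.2.10                                       V
2024-03-01 08:00:12 RHOST 192.0.2.10                                       V
bob:
When                Type  Source                                           Valid
2024-03-01 09:15:00 TTY   tty1                                             I
2024-03-01 09:15:30 TTY   tty1                                             V'

# count_valid_failures INPUT
# Prints "user count" per user, counting only records still marked V.
count_valid_failures() {
    printf '%s\n' "$1" | awk '
        /^[^ ]+:$/ { user = substr($0, 1, length($0) - 1); count[user] += 0; next }
        $1 == "When" { next }
        NF >= 4 && $NF == "V" { count[user]++ }
        END { for (u in count) print u, count[u] }
    ' | sort
}

# locked_users INPUT DENY
# Prints the names of users whose valid-failure count is >= DENY.
locked_users() {
    count_valid_failures "$1" | awk -v deny="$2" '$2 >= deny { print $1 }'
}

count_valid_failures "$SAMPLE"
echo "at or over deny=$DENY:"
locked_users "$SAMPLE" "$DENY"
```

To run it against a real host, replace the constructed SAMPLE with `sudo faillock` output (adding `--dir` if pam_faillock.so is configured for a persistent directory).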

HISTORY

The faillock command, typically part of the shadow-utils package, emerged as a modern solution for managing login failures in Linux, particularly with the advent and widespread adoption of Pluggable Authentication Modules (PAM). It provides a more robust and granular mechanism for defending against brute-force attacks compared to older methods, evolving to support sophisticated account lockout policies and integration with system-wide authentication frameworks.

SEE ALSO

pam_faillock(8), pam(8), login(1), passwd(1)
