faillock
Record and deny login attempts after failures
TLDR
List login failures of the current user
Reset the failure records of the current user
List login failures of all users
List login failures of the specified user
Reset the failure records of the specified user
SYNOPSIS
faillock [options]
PARAMETERS
--user username
Specifies the username to check or modify. If not given, applies to the current user.
--group groupname
Specifies the group to check or modify.
--reset
Resets the failure count for the specified user or group.
--age age
Shows records no older than age seconds.
--silent
Suppresses error messages. Useful for scripting.
--verbose
Enables verbose output.
--help
Displays help message.
--version
Displays version information.
DESCRIPTION
faillock is a command-line utility on Linux systems that records failed login attempts and locks user accounts, or limits access, after a configured number of failures. It is commonly used together with PAM (Pluggable Authentication Modules) to slow down brute-force password guessing: when a user enters an incorrect password several times, faillock can be configured to lock the account and refuse further login attempts for a specified duration.
This reduces the risk of unauthorized access. The behaviour is configured primarily in /etc/security/faillock.conf, and the command provides options to view, reset, and manipulate the failure records. faillock stores the failed login information per user in the /var/run/faillock/ directory. faillock itself is typically invoked by the PAM module pam_faillock.so.
CAVEATS
faillock relies on proper PAM configuration to function correctly. Incorrect PAM settings can lead to unexpected behavior, including unintentionally locking accounts or failing to lock them when they should be. Ensure that the pam_faillock.so module is properly configured in the relevant PAM configuration files (e.g., /etc/pam.d/login, /etc/pam.d/sshd).
PAM CONFIGURATION
To enable faillock, you must correctly configure the pam_faillock.so module in your PAM configuration files. For example, to lock accounts after too many failed login attempts via SSH, you would add lines similar to the following to /etc/pam.d/sshd:
# Count every failure and deny access if the account is already locked,
# before the password is checked.
auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
# Normal password check; a successful check ends the stack here (unless
# preauth already failed).
auth sufficient pam_unix.so try_first_pass
# Reached only when pam_unix.so failed: record the failure and stop.
auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
Explanation:
* `preauth`: Executed before any other authentication modules.
* `authfail`: Executed if the authentication fails.
* `deny=3`: Locks the account after 3 failed attempts.
* `unlock_time=600`: Unlocks the account after 600 seconds (10 minutes).
* `audit`: Logs the failed attempts.
* `silent`: Suppresses error messages during the preauth phase.
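The records that faillock keeps per user are what the deny threshold is evaluated against, and an administrator usually wants to know which accounts have reached it before anyone phones the helpdesk. The shell function below is an added example (not part of the faillock man page or the pam_faillock project): it reads the text that `faillock` prints for all users from standard input and lists the users whose count of still-valid failure records has reached a given deny value. The record layout it parses (a `user:` header, a column header line, then one record per line ending in a `V`/`I` valid flag) is an assumption about faillock's current output format, and the sample output is constructed, not taken from a real system.

```shell
#!/bin/sh
# Added example, not from the faillock man page: report users whose number of
# valid ("V") failure records has reached the deny threshold.
#
# Assumed layout of `faillock` output (one block per user):
#
#   <user>:
#   When                Type  Source                                           Valid
#   2024-03-01 09:15:02 RHOST 203.0.113.7                                      V
#
# A record flagged "I" (invalid) no longer counts towards the lock; that is
# what you see once unlock_time has elapsed or after `faillock --reset`.

# Usage: locked_users DENY < faillock-output
locked_users() {
    awk -v deny="$1" '
        # "user:" header starts a new block for that user
        /^[^ ]+:$/ { user = substr($0, 1, length($0) - 1); count[user] = 0; next }
        # skip the column header line
        /^When / { next }
        # a record line: the last field is the Valid flag
        NF >= 4 && $NF == "V" { count[user]++ }
        END {
            for (u in count) if (count[u] >= deny) print u
        }
    ' | sort
}

# Constructed sample output (not real data): alice has three valid failures,
# bob has one valid failure and two that have already been invalidated.
SAMPLE_FAILLOCK_OUTPUT='alice:
When                Type  Source                                           Valid
2024-03-01 09:15:02 RHOST 203.0.113.7                                      V
2024-03-01 09:15:09 RHOST 203.0.113.7                                      V
2024-03-01 09:15:15 RHOST 203.0.113.7                                      V
bob:
When                Type  Source                                           Valid
2024-02-28 22:01:44 TTY   pts/1                                            I
2024-02-28 22:02:01 TTY   pts/1                                            I
2024-03-01 08:40:12 RHOST 198.51.100.23                                    V'

# With deny=3 (matching the PAM configuration above) only alice is locked.
printf '%s\n' "$SAMPLE_FAILLOCK_OUTPUT" | locked_users 3
```

On a live system the same function is fed with `faillock | locked_users 3` (run as root so that every user's records are readable); pass the deny value you actually configured, because faillock's own output does not say whether a user is locked, only how many records it holds.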
SEE ALSO
pam_faillock(8), pam(8)