faillog
login failure tracking and management
TLDR
Display failure records
SYNOPSIS
faillog [options]
DESCRIPTION
faillog displays and manages login failure records from /var/log/faillog. It tracks failed login attempts and can enforce account lockouts after reaching a threshold.
Administrators use faillog to monitor suspicious login activity, set failure limits before account lockout, and reset counters after legitimate users are locked out. The database persists across reboots.
faillog integrates with PAM for automated account locking based on failed authentication attempts.
PARAMETERS
-a, --all
Display all users with failures.-u USER, --user USER
Specify user to query or modify.-m MAX, --maximum MAX
Set maximum failures before lockout.-r, --reset
Reset failure count.-l SECONDS, --lock-time SECONDS
Set lockout duration.-t DAYS, --time DAYS
Show failures within N days.--help
Display help information.
CONFIGURATION
/var/log/faillog
Binary database of login failure records, tracking failed attempts and lockout states.
CAVEATS
Requires root for modifications. Depends on PAM configuration. Not all systems use faillog database. May be superseded by pam_tally2.
HISTORY
faillog is part of the shadow-utils package, providing login failure tracking since early Linux distributions. It predates more modern PAM-based accounting but remains available for compatibility.
SEE ALSO
lastlog(1), pam_tally2(8), login(1)
