LinuxCommandLibrary

faillog

View and manage user login failure records

SYNOPSIS

faillog [options] [username]

PARAMETERS

-a, --all
    Display faillog records for all users.


-u LOGIN, --user LOGIN
    Display or modify record for specific LOGIN user.


-t DAYS, --time DAYS
    Display users with failures in last DAYS; sorts by recency.


-r, --reset
    Reset all failure counters in faillog.


-l SECS, --lock-secs SECS
    Set account lock duration to SECS seconds after failures.


-m MAX, --maximum MAX
    Set maximum allowed failures to MAX before lockout.


-h, --help
    Display help message and exit.


-V, --version
    Display version information and exit.


DESCRIPTION

faillog is a Linux utility from the shadow-utils package that manages and displays records of failed login attempts stored in /var/log/faillog. This binary file contains per-user (UID-indexed) entries tracking the number of failures (fail_cnt), timestamps of first and last attempts, and related data like TTY and remote host.

Primarily used by administrators to monitor potential brute-force attacks, it supports viewing records for specific users, all users, or recent failures sorted by time. It also allows resetting failure counters to unlock accounts and setting global or per-user policies for maximum allowed failures (-m) and lockout duration (-l).

Records are typically updated by PAM modules such as pam_faillock. The command helps enforce login security without relying solely on /var/log/auth.log, providing compact UID-based lookup for quick audits.

CAVEATS

faillog uses a fixed-size file (/var/log/faillog) indexed by UID, limiting reliability for UIDs beyond file capacity (~millions). Does not create file if missing; run as root for modifications. Complements but does not replace syslog auditing.

LOG FILE

/var/log/faillog: Binary database of UID-keyed records (fail_cnt, fail_time, etc.).

RECORD STRUCTURE

Includes failure count, timestamps, max allowed fails, padding for alignment.

HISTORY

Developed as part of the Shadow Password Suite by Julianne Frances Haugh in the 1990s for Linux. Integrated into shadow-utils; evolved with PAM support for modern auth handling.

SEE ALSO

lastlog(8), lastb(8), pam_faillock(8), shadow(5)

Copied to clipboard