The faillog command formats and displays the contents of the failure log (/var/log/faillog) and maintains failure counts and limits. The faillog functionality has to be enabled by adding the pam_tally.so module to the respective file in /etc/pam.d/. Below are the steps to set up the faillog utility to track failed login attempts.
1. Edit the /etc/pam.d/system-auth file and add the following lines:
# vi /etc/pam.d/system-auth
auth required pam_tally.so no_magic_root
account required pam_tally.so deny=2 no_magic_root
2. Test the configuration by attempting to log in as a normal user with a wrong password. Verify that the failed count increments by running the command:
# faillog -u [username]
# faillog
Login       Failures Maximum Latest                   On
geek            1        2   05/24/17 15:39:35 +0200  /dev/tty2
The faillog command prints out only users with no successful login since the last failure. To print out a user who has had a successful login since his last failure, you must explicitly request the user with the -u option.
3. By default, failed logins are recorded in /var/log/faillog in a specific binary format, and only the faillog utility can parse that file. There is no option to make faillog read logs from another location.
4. To grant access again to a user who had more failures than the limit, enter:
# faillog -r [user]
You can also use pam_tally commands to do the same – to display the number of failed attempts:
# pam_tally --user [username]
And to reset the count:
# pam_tally --user [username] --reset[=n]
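Step 3 notes that /var/log/faillog is binary and that faillog reads only that path. The following is an added example, not part of the original article or of the shadow-utils or pam_tally code: a Python reader for a copy of the file, for instance one collected from another host during a review. It assumes the 64-bit Linux layout of struct faillog (32-byte records indexed by UID); parse_faillog and build_sample are hypothetical names and the sample bytes are constructed.

```python
import struct
from datetime import datetime, timezone

# Assumed record layout (struct faillog, 64-bit Linux):
#   short fail_cnt; short fail_max; char fail_line[12];
#   time_t fail_time; long fail_locktime;
# "=" means native byte order without padding; the fields total 32 bytes.
RECORD = struct.Struct("=hh12sqq")


def parse_faillog(data, only_failures=True):
    """Return one dict per UID slot found in a faillog image.

    Records are indexed by UID: the record for UID n starts at n * 32.
    """
    entries = []
    usable = len(data) - len(data) % RECORD.size  # ignore a truncated tail
    for offset in range(0, usable, RECORD.size):
        cnt, limit, line, when, locktime = RECORD.unpack_from(data, offset)
        if only_failures and cnt == 0:
            continue  # sparse file: untouched slots are all zeros
        entries.append({
            "uid": offset // RECORD.size,
            "failures": cnt,
            "maximum": limit,  # per-user maximum stored in the record
            "line": line.split(b"\0", 1)[0].decode("ascii", "replace"),
            "latest": datetime.fromtimestamp(when, timezone.utc) if when else None,
            "locktime": locktime,
            # "more failures than the limit"; a maximum of 0 means no limit
            "over_limit": limit > 0 and cnt > limit,
        })
    return entries


def build_sample():
    """Constructed image: UID 1000 has 1 failure, UID 1001 has 3 (maximum 2)."""
    image = bytearray(RECORD.size * 1002)
    RECORD.pack_into(image, 1000 * RECORD.size, 1, 2, b"tty2", 1495633175, 0)
    RECORD.pack_into(image, 1001 * RECORD.size, 3, 2, b"pts/0", 1495633300, 0)
    return bytes(image) + b"\x00" * 5  # plus a trailing partial record


if __name__ == "__main__":
    for entry in parse_faillog(build_sample()):
        print(entry)
```

The parser reports UIDs rather than login names, so map them through the passwd file of the host the log came from, not the analysis machine.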