• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer navigation

The Geek Diary

  • OS
    • Linux
    • CentOS/RHEL
    • Solaris
    • Oracle Linux
    • VCS
  • Interview Questions
  • Database
    • oracle
    • oracle 12c
    • ASM
    • mysql
    • MariaDB
  • DevOps
    • Docker
    • Shell Scripting
  • Big Data
    • Hadoop
    • Cloudera
    • Hortonworks HDP

faillog Command Examples in Linux

by admin

One of the signs that an attacker might be attempting to break into a system will be failed login attempts. The /var/log/faillog file keeps track of failed authentication attempts. The command faillog reads this logfile /var/log/faillog, and shows accounts that have not had a successful login since the last failure.

The “faillog -a” command will list all failed login attempts, including those that have since had a successful authentication.

faillog Command Examples

1. To display the faillog records for all the users:

# faillog -a

(If it shows no “/var/log/faillog” file then create it)

2. To lock a account for specified time in seconds after login failure:

# faillog -l 60 mike
# faillog -ul 60 mike

3. To Set the maximum number of login failures:

# faillog -m 10 mike
# faillog --maximum 10 mike 

4. To Reset the counters of login failures:

# faillog -r mike
# faillog -ur mike
# faillog --reset mike 

5. To Display faillog records more recent than DAYS:

# faillog -t 5 mike
# faillog --time DAYS mike 

6. To display faillog record or maintains failure counters and limits:

# faillog -u mike
# faillog --user LOGIN|RANGE mike 

7. To get the help for faillog:

# faillog -h
# faillog --help

The /var/log/faillog Log

This log file contains failed user logins. This can be very important when tracking attempts to crack into the system. Usually, a normal user might occasionally have one or two failed login attempts. Numerous failed login attempts, or even frequent failed login attempts that occur at diverse times, can be an indicator of someone trying to compromise access to the system. It is also worth noting the times of failed login attempts. If an employee normally works from 8:00 a.m. to 5:00 p.m., and there are failed login attempts at 11:00 p.m., that may be a warning sign.

How to use faillog to track failed login attempts?

1. Open the /etc/pam.d/system-auth file for editing.

Add the following lines:

 auth      required     pam_tally.so no_magic_root
 account   required     pam_tally.so deny=2 no_magic_root

2. Save the file and exit.

3. Test the configuration by attempting to login as a normal user, but using a wrong password.

4. Verify the failed count increments by running the command:

# faillog -u [username]

The failed login is recorded in /var/log/faillog in some specific binary format by default, and the utility faillog only can parse /var/log/faillog to get the failed logins. We don’t have any option to make faillog to read logs in other places.

Filed Under: Linux

Some more articles you might also be interested in …

  1. a2dissite Command Examples in Linux
  2. Linux: No space left on device while df command shows a lot of free space
  3. pkcon Command Examples in Linux
  4. DNF Update Fails With Error “GPG check FAILED” – CentOS/RHEL 8
  5. apt-get Command Examples in Linux
  6. Linux / UNIX : Examples of find command to find files with specific sets of permissions
  7. How to Manage Oracle database Audit File Directory Growth with cron (ASM Instances Only)
  8. How to copy directories recursively using rsync while excluding specific files
  9. The System Continuously Displayed the Error Message from the “avahi-demon” in /var/log/messages
  10. prt-get Command Examples in Linux

You May Also Like

Primary Sidebar

Recent Posts

  • pw-cat Command Examples in Linux
  • pvs: command not found
  • pulseaudio: command not found
  • pulseaudio Command Examples in Linux

© 2023 · The Geek Diary

  • Archives
  • Contact Us
  • Copyright