linux - faillog

Faillog on linux

To view faillog (which resides in /var/log) and is a binary

Run faillog –u username;


etst001 # faillog -u brinap
Username Failures Maximum Latest
brinap 0 0




MAN PAGE

faillog - display faillog records or set login failure limits

Synopsis faillog [options]

Description
faillog formats the contents of the failure log from /var/log/faillog database. It also can be used for maintains failure counters and limits. Run faillog without arguments display only list of user faillog records who have ever had a login failure.

Options
The options which apply to the faillog command are:
-a, --all
Display faillog records for all users.
-h, --help
Display help message and exit.
-l, --lock-time SEC
Lock account to SEC seconds after failed login.
-m, --maximum MAX
Set maximum number of login failures after the account is disabled to MAX. Selecting MAX value of 0 has the effect of not placing a limit on the number of failed logins. The maximum failure count should always be 0 for root to prevent a denial of services attack against the system.
-r, --reset
Reset the counters of login failures or one record if used with the -u LOGINoption. Write access to /var/log/faillog is required for this option.
-t, --time DAYS
Display faillog records more recent than DAYS. The -t flag overrides the use of -u.
-u, --user LOGIN
Display faillog record or maintains failure counters and limits (if used with -l, -m or -r options) only for user with LOGIN.
Caveats
faillog only prints out users with no successful login since the last failure. To print out a user who has had a successful login since their last failure, you must explicitly request the user with the -u flag, or print out all users with the -a flag.

Files
/var/log/faillog
Failure logging file.








PROBLEM: How do I deny login access/lock accounts for users who mis type their passwords more than a set number of times?

SOLUTION:
The faillog mechanism is designed to log login failures. By typing "faillog" at your shell prompt, you can obtain a list of users who have repeatedly tried to login and have failed.
The "faillog" is reset upon successful login - so once a user succeeds their failure count is set to 0.
You can limit the maximum number of login failures (system wide) by using the "faillog -m" option (specify the maximum number of failures allowed).
You can reset the fail count for a user (once a user has been "locked out" this is required to "unlock" him/her) using the "faillog -u username -r" command.

EXAMPLE:
Set the maximum number of login failures to 5:
At a terminal prompt, type faillog -m 5 and press ENTER.
Reset the login failures for the user "geeko":
At a terminal prompt, type faillog -u geeko -r and press ENTER.