faillock.conf - Linux
Overview
faillock.conf is a configuration file for the faillock utility, responsible for enforcing account lockout policies in Linux systems. It provides numerous options for customizing faillock’s behavior, such as setting lockout duration, failed login attempts threshold, and various exception handling parameters.
Syntax
faillock.conf [options]
Options/Flags
-a, --allow-exceptions
Enable email-based exception handling.
-d, --default-lockout-duration SEC
Set the default lockout duration in seconds. Default: 600
-m, --mail-from EMAIL
Specify the email address used to send lockout notifications.
-p, --paranoid-detection
Enable advanced analysis techniques to detect and mitigate brute-force attacks.
-s, --send-unlock-notifications
Send email notifications when accounts are unlocked.
-t, --thresholds ATTEMPTS:PERIOD
Set the failed login attempt threshold within a specified time period. Format: ATTEMPTS:PERIOD (e.g., 3:10).
Examples
Enable exception handling with email notifications:
faillock.conf -a -m sender@example.com
Set a 10-minute lockout duration:
faillock.conf -d 600
Implement advanced brute-force attack detection:
faillock.conf -p
Common Issues
- Locked out of account: Verify that faillock is enabled and check the configured lockout duration. Consider using exception handling to regain access.
- Faillock is not enforced: Ensure faillock is enabled in the /etc/pam.d/ configuration files.
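As an added example (not part of this page), the following Python script audits the two points the options above and the "Faillock is not enforced" issue turn on: the lockout thresholds and whether pam_faillock is actually wired into the PAM auth stack. It reads the key = value format that pam_faillock uses in /etc/security/faillock.conf (deny, fail_interval, unlock_time); the sample config and PAM lines are constructed, and the max_deny/min_unlock limits are assumed policy values.

```python
"""Audit pam_faillock lockout settings from a faillock.conf and a PAM auth stack."""
import re

# Constructed sample of /etc/security/faillock.conf ('key = value', bare flags, '#' comments)
SAMPLE_FAILLOCK_CONF = """\
# lock after 3 failures within 15 minutes, unlock automatically after 10 minutes
deny = 3
fail_interval = 900
unlock_time = 600
audit
"""
# Constructed sample of an auth stack such as /etc/pam.d/system-auth
SAMPLE_PAM_AUTH = """\
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent
auth        sufficient    pam_unix.so try_first_pass
auth        [default=die] pam_faillock.so authfail
account     required      pam_faillock.so
"""

def parse_faillock_conf(text):
    """Return {key: value} for 'key = value' lines; bare flags such as 'audit' map to True."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, sep, value = line.partition("=")
        settings[key.strip()] = value.strip() if sep else True
    return settings

def audit_faillock(conf_text, pam_text, max_deny=5, min_unlock=600):
    """Return a list of findings; an empty list means the policy looks sane."""
    s = parse_faillock_conf(conf_text)
    findings = []
    deny = int(s.get("deny", 3))              # pam_faillock defaults: deny=3,
    raw_unlock = s.get("unlock_time", "600")  # unlock_time=600; 'never' or 0 = manual unlock only
    unlock = 0 if raw_unlock == "never" else int(raw_unlock)
    if deny > max_deny:
        findings.append(f"deny={deny} allows more than {max_deny} attempts before lockout")
    if unlock == 0:
        findings.append("unlock_time=0/never: accounts stay locked until an admin clears them")
    elif unlock < min_unlock:
        findings.append(f"unlock_time={unlock}s is below the {min_unlock}s minimum")
    # The module only enforces if the auth stack calls it in both preauth and authfail
    phases = set(re.findall(r"pam_faillock\.so\s+(preauth|authfail)", pam_text))
    for phase in ("preauth", "authfail"):
        if phase not in phases:
            findings.append(f"pam_faillock.so {phase} line missing from the auth stack")
    return findings
```

Run it against the real files with `audit_faillock(open("/etc/security/faillock.conf").read(), open("/etc/pam.d/system-auth").read())`; the path of the auth stack varies by distribution.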
Integration
- Use with fail2ban: Integrate with fail2ban for enhanced brute-force attack protection.
- Scripts: Create custom scripts to automate faillock-related tasks, such as sending alerts or managing exceptions.
Related Commands
- faillock: Enforces account lockout policies.
- fail2ban: Monitors system logs and bans IP addresses exhibiting malicious activity.