faillock.conf - Linux


Overview

faillock.conf is a configuration file for the faillock utility, responsible for enforcing account lockout policies in Linux systems. It provides numerous options for customizing faillock’s behavior, such as setting lockout duration, failed login attempts threshold, and various exception handling parameters.

Syntax

faillock.conf [options]

Options/Flags

-a, --allow-exceptions

Enable email-based exception handling.

-d, --default-lockout-duration SEC

Set the default lockout duration in seconds. Default: 600

-m, --mail-from EMAIL

Specify the email address used to send lockout notifications.

-p, --paranoid-detection

Enable advanced analysis techniques to detect and mitigate brute-force attacks.

-s, --send-unlock-notifications

Send email notifications when accounts are unlocked.

-t, --thresholds ATTEMPTS:PERIOD

Set failed login attempt thresholds within a specified time period. Format: ATTEMPTS:PERIOD (e.g., 3:10).

Examples

Enable exception handling with email notifications:

faillock.conf -a -m sender@example.com

Set a 10-minute lockout duration:

faillock.conf -d 600

Implement advanced brute-force attack detection:

faillock.conf -p
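The lockout policy the options above describe (ATTEMPTS failures inside a PERIOD-second window lock the account for SEC seconds, 600 by default) is modelled here as an added example; it is not faillock's own code, and the `LockoutPolicy` class, `parse_thresholds` helper and timestamps are constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass, field


def parse_thresholds(spec: str) -> tuple[int, int]:
    """Parse the ATTEMPTS:PERIOD format from the page, e.g. "3:10" -> (3, 10)."""
    attempts, period = spec.split(":")
    attempts, period = int(attempts), int(period)
    if attempts < 1 or period < 1:
        raise ValueError("ATTEMPTS and PERIOD must be positive integers")
    return attempts, period


@dataclass
class LockoutPolicy:
    """Hypothetical model of the lockout rules, not faillock's implementation."""
    attempts: int = 3        # failures tolerated inside the window
    period: int = 10         # window length in seconds
    duration: int = 600      # lockout duration in seconds (the page's default)
    failures: dict = field(default_factory=dict)      # user -> deque of failure times
    locked_until: dict = field(default_factory=dict)  # user -> time the lock expires

    def is_locked(self, user: str, now: float) -> bool:
        return self.locked_until.get(user, 0) > now

    def authenticate(self, user: str, now: float, credentials_ok: bool) -> str:
        """Return "locked", "ok" or "fail" for one login attempt made at time `now`."""
        if self.is_locked(user, now):
            return "locked"                 # rejected even with a correct password
        if credentials_ok:
            self.failures.pop(user, None)   # a success clears the failure tally
            return "ok"
        window = self.failures.setdefault(user, deque())
        window.append(now)
        while window and window[0] <= now - self.period:
            window.popleft()                # only failures inside PERIOD count
        if len(window) >= self.attempts:
            self.locked_until[user] = now + self.duration
            window.clear()
            return "locked"
        return "fail"
```

Failures spread wider apart than PERIOD never reach the threshold, which is why a window-based threshold slows a rapid guessing run while leaving a user who mistypes occasionally alone.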

Common Issues

  • Locked out of account: Verify if faillock.conf is enabled and check the duration of the lockout period. Consider using exception handling to regain access.
  • Faillock is not enforced: Ensure faillock is enabled in /etc/pam.d/ configuration files.

Integration

  • Use with fail2ban: Integrate with fail2ban for enhanced brute-force attack protection.
  • Scripts: Create custom scripts to automate faillock-related tasks, such as sending alerts or managing exceptions.

Related Commands

  • faillock: Enforces account lockout policies.
  • fail2ban: Monitors system logs and bans IP addresses exhibiting malicious activity.