faillock - Linux


faillock is a command-line utility used to monitor and respond to failed login attempts by locking a user’s account after a specified number of consecutive failures. This is commonly used to protect systems against brute force attacks where attackers attempt to guess user credentials.


faillock [options] [-u <users>] [-t <timespan>] [-r <retries>] [-l]


| Option | Description | Default |
| -u | Specify a list of users to monitor. | All users |
| -t | Duration within which multiple failed attempts are counted. | 1 day |
| -r | Maximum failed login attempts allowed within the specified timespan. | 3 |
| -l | List all locked accounts. | |


  • Monitor all users for failed logins:
  • Monitor specific users for failed logins:
faillock -u alice bob
  • Lock users after 5 failed attempts in the last 2 days:
faillock -t 2days -r 5
  • List all locked accounts:
faillock -l

Common Issues

  • High Rate of False Positives: If the retry limit is set too low or the timespan is too large, legitimate users may get locked out.
  • Missed Attacks: If the attack occurs within a short period, the failed attempts may not accumulate within the specified timespan and will not trigger a lock.


  • Use with Fail2ban: faillock can be integrated with Fail2ban, an intrusion detection and prevention tool, to automatically ban IP addresses of attackers.
  • Scripted Monitoring: faillock‘s output can be parsed in scripts to create alerts or take further action (e.g., notify administrators).

Related Commands

  • fail2ban – A more comprehensive tool for intrusion prevention that includes features like IP banning and jailing.
  • pam_faillock – A PAM module that provides similar functionality to faillock at the authentication stage.