faillock - Linux


Overview

faillock is a command-line utility used to monitor and respond to failed login attempts by locking a user’s account after a specified number of consecutive failures. This is commonly used to protect systems against brute force attacks where attackers attempt to guess user credentials.

Syntax

faillock [options] [-u <users>] [-t <timespan>] [-r <retries>] [-l]

Options/Flags

| Option | Description | Default |
|---|---|---|
| -u | Specify a list of users to monitor. | All users |
| -t | Duration within which multiple failed attempts are counted. | 1 day |
| -r | Maximum failed login attempts allowed within the specified timespan. | 3 |
| -l | List all locked accounts. | |

Examples

  • Monitor all users for failed logins:
faillock
  • Monitor specific users for failed logins:
faillock -u alice bob
  • Lock users after 5 failed attempts in the last 2 days:
faillock -t 2days -r 5
  • List all locked accounts:
faillock -l

Common Issues

  • High Rate of False Positives: If the retry limit is set too low or the timespan is too large, legitimate users may get locked out.
  • Missed Attacks: If the attack occurs within a short period, the failed attempts may not accumulate within the specified timespan and will not trigger a lock.

Integration

  • Use with Fail2ban: faillock can be integrated with Fail2ban, an intrusion detection and prevention tool, to automatically ban IP addresses of attackers.
  • Scripted Monitoring: faillock's output can be parsed in scripts to create alerts or take further action (e.g., notify administrators).
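As an added example of the scripted-monitoring approach (not part of the original page or of faillock itself), the POSIX shell script below parses faillock-style output and reports users whose count of still-valid failure records has reached a threshold. The sample output is constructed for this example; it follows the record layout faillock prints (a "user:" header, a column header, then one line per failure with a Valid column of V or I), and the threshold of 3 matches the default retry count in the table above.

```shell
#!/bin/sh
# Constructed sample of faillock output for two users. Records marked "I"
# are invalid (already reset or expired) and must not count toward a lock.
SAMPLE_FAILLOCK_OUTPUT='alice:
When                Type  Source                                           Valid
2024-03-01 08:00:01 RHOST 192.0.2.10                                       V
2024-03-01 08:00:09 RHOST 192.0.2.10                                       V
2024-03-01 08:00:15 RHOST 192.0.2.10                                       V
bob:
When                Type  Source                                           Valid
2024-02-20 22:10:00 RHOST 198.51.100.7                                     I
2024-03-01 09:30:00 TTY   tty1                                             V
'

# count_valid_failures: read faillock output on stdin and print "user count"
# per user, counting only records whose Valid column is "V".
count_valid_failures() {
    awk '
        /^[^ ]+:$/ { user = substr($1, 1, length($1) - 1); count[user] += 0; next }
        $1 == "When" { next }                     # skip the column header
        NF >= 4 && $NF == "V" { count[user]++ }   # one valid failure record
        END { for (u in count) print u, count[u] }
    ' | sort
}

# users_at_threshold: read faillock output on stdin and print the users whose
# valid-failure count is at or above the threshold given as $1. A cron job or
# log shipper could feed "faillock" into this and mail the result to an admin.
users_at_threshold() {
    threshold="$1"
    count_valid_failures | awk -v t="$threshold" '$2 >= t { print $1 }'
}

# locked_users_from_sample: run the check over the constructed sample above,
# defaulting to the page's retry limit of 3.
locked_users_from_sample() {
    printf '%s' "$SAMPLE_FAILLOCK_OUTPUT" | users_at_threshold "${1:-3}"
}
```

On a live system, replace the constructed sample with the real command output (for example `faillock | users_at_threshold 3`) and route the printed user names to whatever alerting channel the site uses.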

Related Commands

  • fail2ban – A more comprehensive tool for intrusion prevention that includes features like IP banning and jailing.
  • pam_faillock – A PAM module that provides similar functionality to faillock at the authentication stage.