faillock - Linux
Overview
faillock is a command-line utility used to monitor and respond to failed login attempts by locking a user’s account after a specified number of consecutive failures. This is commonly used to protect systems against brute force attacks where attackers attempt to guess user credentials.
Syntax
faillock [options] [-u <users>] [-t <timespan>] [-r <retries>] [-l]
Options/Flags
| Option | Description | Default |
|---|---|---|
| -u <users> | Limit monitoring to the listed users. | all users |
| -t <timespan> | Time window within which failed attempts are counted. | |
| -r <retries> | Number of failed attempts within the timespan that triggers a lock. | |
| -l | List all locked accounts. | |
Examples
- Monitor all users for failed logins:
faillock
- Monitor specific users for failed logins:
faillock -u alice bob
- Lock users after 5 failed attempts in the last 2 days:
faillock -t 2days -r 5
- List all locked accounts:
faillock -l
Common Issues
- High Rate of False Positives: If the retry limit is set too low or the timespan is too large, legitimate users may get locked out.
- Missed Attacks: If the failed attempts are spaced so that too few of them fall within the specified timespan, they never accumulate to the retry limit and no lock is triggered.
Integration
- Use with Fail2ban: faillock can be integrated with Fail2ban, an intrusion detection and prevention tool, to automatically ban IP addresses of attackers.
- Scripted Monitoring: faillock's output can be parsed in scripts to create alerts or take further action (e.g., notify administrators).
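As an added example of the scripted monitoring described above (not code from the page or from the faillock project), the script below parses a faillock-style report and flags users whose valid failures within a window reach a retry threshold. The report text is constructed, and the assumed column layout (When / Type / Source / Valid, with V marking a valid failure) should be checked against the output on your own system.

```python
"""Parse faillock-style output and flag users at the failure threshold."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample report (assumed layout): alice has three recent valid
# failures; bob has one stale invalid entry and one recent valid one.
SAMPLE_REPORT = """\
alice:
When                Type  Source                                           Valid
2024-03-10 09:00:01 RHOST 192.0.2.10                                       V
2024-03-10 09:00:07 RHOST 192.0.2.10                                       V
2024-03-10 09:00:12 RHOST 192.0.2.10                                       V
bob:
When                Type  Source                                           Valid
2024-03-08 22:15:40 RHOST 198.51.100.7                                     I
2024-03-10 08:59:50 TTY   tty1                                             V
"""

def parse_report(text):
    """Return {user: [(timestamp, type, source, valid)]} from report text."""
    records = defaultdict(list)
    user = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.endswith(":"):          # "alice:" opens a new user block
            user = line[:-1]
            continue
        if line.startswith("When"):     # column header, skip
            continue
        parts = line.split()
        if user is None or len(parts) < 5:
            continue                    # ignore anything that is not a record
        stamp = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
        records[user].append((stamp, parts[2], parts[3], parts[4] == "V"))
    return records

def users_at_threshold(records, retries, window, now):
    """Users with at least `retries` valid failures inside `window` ending at `now`."""
    flagged = {}
    for user, entries in records.items():
        recent = [e for e in entries if e[3] and timedelta(0) <= now - e[0] <= window]
        if len(recent) >= retries:
            flagged[user] = len(recent)
    return flagged

def flag_from_report(text, retries, window_seconds, now):
    """Convenience wrapper; `now` is 'YYYY-MM-DD HH:MM:SS'. Returns {user: count}."""
    return users_at_threshold(parse_report(text), retries,
                              timedelta(seconds=window_seconds),
                              datetime.strptime(now, "%Y-%m-%d %H:%M:%S"))

if __name__ == "__main__":
    print(flag_from_report(SAMPLE_REPORT, 3, 900, "2024-03-10 09:01:00"))
```

In practice the report text comes from running faillock and the flagged dictionary feeds whatever alerting or follow-up action the script takes.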
Related Commands
- fail2ban – A more comprehensive tool for intrusion prevention that includes features like IP banning and jailing.
- pam_faillock – A PAM module that provides similar functionality to faillock at the authentication stage.