One of the signs that an attacker might be attempting to break into a system is failed login attempts. The /var/log/faillog file keeps track of failed authentication attempts. The faillog command reads this file and shows accounts that have not had a successful login since the last failure.
The “faillog -a” command will list all failed login attempts, including those that have since had a successful authentication.
faillog Command Examples
1. To display the faillog records for all the users:
# faillog -a
(If the command reports that /var/log/faillog does not exist, create the file.)
2. To lock an account for a specified time in seconds after a login failure:
# faillog -l 60 -u mike
3. To set the maximum number of login failures:
# faillog -m 10 -u mike
# faillog --maximum 10 --user mike
4. To reset the counters of login failures:
# faillog -r -u mike
# faillog --reset --user mike
5. To display faillog records more recent than a given number of days (here, 5):
# faillog -t 5 -u mike
# faillog --time 5 --user mike
6. To display the faillog record for a specific user (combined with -l, -m or -r, the same option applies those settings only to that user):
# faillog -u mike
# faillog --user mike
7. To get help for faillog:
# faillog -h
# faillog --help
The /var/log/faillog Log
This log file contains failed user logins. This can be very important when tracking attempts to crack into the system. Usually, a normal user might occasionally have one or two failed login attempts. Numerous failed login attempts, or even frequent failed login attempts that occur at diverse times, can be an indicator of someone trying to compromise access to the system. It is also worth noting the times of failed login attempts. If an employee normally works from 8:00 a.m. to 5:00 p.m., and there are failed login attempts at 11:00 p.m., that may be a warning sign.
How to use faillog to track failed login attempts?
1. Open the /etc/pam.d/system-auth file for editing.
Add the following lines:
auth required pam_tally.so no_magic_root
account required pam_tally.so deny=2 no_magic_root
2. Save the file and exit.
3. Test the configuration by attempting to log in as a normal user with a wrong password.
4. Verify the failed count increments by running the command:
# faillog -u [username]
By default, failed logins are recorded in /var/log/faillog in a specific binary format, and only the faillog utility can parse that file to report them. There is no option to make faillog read logs from another location.
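The binary format mentioned above is a flat array of fixed-size records indexed by UID. The following added example (not part of the original page or of the shadow-utils project) parses that array and flags the two warning signs described in the section on the /var/log/faillog log. It assumes the 64-bit little-endian Linux layout of struct faillog; the threshold of 3 failures, the sample bytes and the function names are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

# struct faillog from shadow-utils' faillog.h, as laid out on 64-bit
# little-endian Linux (assumption): short fail_cnt, short fail_max,
# char fail_line[12], time_t fail_time, long fail_locktime.
RECORD = struct.Struct("<hh12sqq")   # 32 bytes per record

def parse_faillog(data):
    """Yield one dict per UID with a non-empty record (record N = UID N)."""
    for uid in range(len(data) // RECORD.size):
        cnt, mx, line, when, lock = RECORD.unpack_from(data, uid * RECORD.size)
        if cnt == 0 and when == 0:
            continue   # sparse slot: this UID has never failed a login
        yield {
            "uid": uid,
            "failures": cnt,
            "maximum": mx,
            "line": line.split(b"\0", 1)[0].decode("ascii", "replace"),
            "last_failure": datetime.fromtimestamp(when, tz=timezone.utc),
            "lock_secs": lock,
        }

def suspicious(records, threshold=3, work_hours=range(8, 17)):
    """Flag many failures or a last failure outside 8:00-17:00 (UTC here)."""
    flagged = []
    for r in records:
        reasons = []
        if r["failures"] >= threshold:
            reasons.append("many failures")
        if r["last_failure"].hour not in work_hours:
            reasons.append("outside working hours")
        if reasons:
            flagged.append((r["uid"], reasons))
    return flagged

def build_sample():
    """Constructed sample: 1002 slots, only UIDs 1000 and 1001 populated."""
    buf = bytearray(RECORD.size * 1002)
    ts = lambda h: int(datetime(2024, 3, 4, h, 0, tzinfo=timezone.utc).timestamp())
    RECORD.pack_into(buf, 1000 * RECORD.size, 1, 10, b"tty1", ts(10), 60)
    RECORD.pack_into(buf, 1001 * RECORD.size, 7, 10, b"pts/0", ts(23), 60)
    return bytes(buf)

if __name__ == "__main__":
    for uid, reasons in suspicious(parse_faillog(build_sample())):
        print(uid, ", ".join(reasons))
```

To run it against a real host, pass the bytes of /var/log/faillog (read as root) to parse_faillog and convert the timestamps to the host's local time zone before applying the working-hours check.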