HowTo: Configure Linux To Track and Log Failed Login Attempt Records

Under Linux you can use the faillog command to display faillog records or to set login failure limits. faillog displays the contents of the failure log database, /var/log/faillog, and can also be used to maintain failure counters and limits. Run without arguments, faillog displays only the records of users who have ever had a login failure.

PAM Settings

I found that under RHEL / CentOS Linux 5.x you need to modify the /etc/pam.d/system-auth file and configure the pam_tally PAM module; otherwise the faillog command will never display failed login attempts.

PAM Configuration To Record Failed Login Attempts

The pam_tally module maintains a count of attempted accesses, can reset the count on success, and can deny access if too many attempts fail. Edit the /etc/pam.d/system-auth file, enter:
# vi /etc/pam.d/system-auth
Modify as follows:
# count attempts and deny once the tally reaches deny= (these are auth-phase options)
auth required pam_tally.so deny=3 no_magic_root lock_time=180
# reset the counter after a successful login
account required pam_tally.so no_magic_root


  • deny=3 : Deny access if the tally for this user exceeds 3 attempts.
  • lock_time=180 : Always deny access for 180 seconds after a failed attempt. There is also an unlock_time=n option, which allows access again n seconds after a failed attempt. If this option is used, the user is locked out for the specified amount of time after exceeding the maximum allowed attempts; otherwise the account stays locked until the lock is removed manually by the system administrator.
  • magic_root : If the module is invoked by a user with uid=0, the counter is not incremented. The sysadmin should use this for user-launched services, like su; otherwise this argument should be omitted.
  • no_magic_root : Avoid root account locking if the module is invoked by a user with uid=0.

Save and close the file.
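Before relying on the stack above, it is worth checking that the deny= option actually sits on the auth line: deny=, lock_time= and unlock_time= are auth-phase options of pam_tally, and on the account line the module only resets the counter and reports such options as unknown. The following script is an added example (not code from the original article); the two configurations it checks are constructed here, and the function and variable names are my own.

```bash
#!/bin/sh
# Check the text of a PAM stack (e.g. /etc/pam.d/system-auth) for a usable
# pam_tally setup. Both configurations below are constructed samples.
GOOD_CONF='auth required pam_tally.so deny=3 no_magic_root lock_time=180
account required pam_tally.so no_magic_root'
BAD_CONF='auth required pam_tally.so no_magic_root
account required pam_tally.so deny=3 no_magic_root lock_time=180'

# Exit 0 when an auth line loads pam_tally.so with deny= set, 1 otherwise.
# Without deny= in the auth phase, pam_tally only counts and never denies.
pam_tally_deny_ok() {
    printf '%s\n' "$1" | awk '
        $1 == "auth" && $3 == "pam_tally.so" && /deny=/ { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Print any auth-phase options that were put on the account line, where
# pam_tally treats them as unknown options.
misplaced_account_opts() {
    printf '%s\n' "$1" | awk '
        $1 == "account" && $3 == "pam_tally.so" {
            for (i = 4; i <= NF; i++)
                if ($i ~ /^(deny|lock_time|unlock_time)=/) print $i
        }'
}

# Against a live file (needs read access to /etc/pam.d):
#   conf=$(cat /etc/pam.d/system-auth)
#   pam_tally_deny_ok "$conf" || echo "pam_tally deny= missing from auth phase"
#   misplaced_account_opts "$conf"
```

Run it as shown in the trailing comment; a non-empty result from misplaced_account_opts explains the common complaint that the counter grows but the account is never locked.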

How Do I Display All Failed Login Attempts For a User Called vivek?

Type the command as follows:
# faillog -u vivek

Login       Failures Maximum Latest                   On
vivek           3        0   12/19/07 14:12:53 -0600  64.11.xx.yy

Task: Show Faillog Records For All Users

Type the following command with the -a option:
# faillog -a

Task: Lock Account

To lock a user account for 180 seconds after a failed login, enter:
# faillog -l 180 -u vivek
# faillog -l 180

Task: Set Maximum Number of Login Failures

The -m option allows you to set the maximum number of login failures after which the account is disabled to a specific number, MAX. Selecting a MAX value of 0 has the effect of not placing a limit on the number of failed logins. The maximum failure count should always be 0 for root to prevent a denial of service attack against the system:
# faillog -m MAX -u username
# faillog -m 10 -u vivek
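Once limits are in place, the output of faillog -a can be audited automatically: which accounts have reached the maximum recorded for them, and which non-root accounts still have no limit at all. The script below is an added example (not from the original article); the sample records are constructed in the column format shown above, and the function names are my own.

```bash
#!/bin/sh
# Audit the records printed by faillog -a. The sample below is constructed in
# the faillog output format, not taken from a real host.
SAMPLE_FAILLOG='Login       Failures Maximum Latest                   On
root            0        0   12/19/07 09:00:00 -0600  console
vivek           3        3   12/19/07 14:12:53 -0600  64.11.xx.yy
alice           1       10   12/19/07 15:01:10 -0600  10.0.0.5
bob             2        0   12/19/07 16:30:00 -0600  10.0.0.9'

# Logins whose failure count has reached their recorded maximum (Maximum > 0):
# these are the accounts the -m limit disables until faillog -r clears them.
locked_out() {
    printf '%s\n' "$1" | awk 'NR > 1 && $3 > 0 && $2 >= $3 { print $1 }'
}

# Non-root logins with Maximum 0, i.e. no limit set yet. Root is excluded
# because its maximum should stay 0, as explained above.
no_limit_set() {
    printf '%s\n' "$1" | awk 'NR > 1 && $1 != "root" && $3 == 0 { print $1 }'
}

# Against the live database (needs root):
#   locked_out "$(faillog -a)"
#   no_limit_set "$(faillog -a)"
```

On the constructed sample, locked_out reports vivek (3 of 3 failures used) and no_limit_set reports bob, whose maximum is still 0.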

How do I Reset The Counters Of Login Failures?

The -r option resets the counters of login failures, or a single record if used with the -u USERNAME option:
# faillog -r
To reset counter for user vivek, enter:
# faillog -r -u vivek
On a large Linux login server, such as at a university or government research facility, one might find it useful to clear all counts every midnight or every week from a cron job.
# crontab -e
Reset failed login records every week:
@weekly /usr/bin/faillog -r
Save and close the file.

Recommended readings:

=> Read the pam_tally, faillog and pam man pages:
$ man pam_tally
$ man pam
$ man faillog

See also: The Linux-PAM System Administrators Guide

24 comments
  • Atanu Banerjee Jan 1, 2008 @ 11:01

    How to enable the same setting in SuSE Linux environment?

  • Vasudeva Mar 3, 2008 @ 20:59

    lock_time & unlock_time options are not working on redhat 4 (2.6.9-55.0.2.ELsmp). I am getting error message “pam_tally: unknown option; unlock_time=100” and pam_tally: unknown option; lock_time=120. We have pam version : pam-0.77-66.21. Do this version support lock_time & unlock_time options ?

  • vijay mane Mar 4, 2008 @ 7:58

    one of the best sites where a person like me can get a lot of knowledge

    • kadir Jan 13, 2013 @ 15:54


  • Vasudeva Apr 11, 2008 @ 20:27

    Can we exclude PAM modules for certain groups? This is for a particular application group that needs PAM modules disabled.

  • mjp Nov 10, 2008 @ 23:05

    At least for CentOS 5 the only valid options for the account phase are magic_root and no_reset; all others should be in the auth phase.

  • lalit Dec 21, 2009 @ 5:51

    Hi, I tried this to add an account lockout policy in RHEL 5.0 but it is not working.

    I went to the /etc/pam.d/system-auth file and added both lines in it:

    auth required no_magic_root
    account required deny=3 no_magic_root lock_time=180

    After that I checked faillog -u lalit (username).
    It shows faillog, but when I tried to check whether it locks the account or not, it is not working.

    If you have any other way then please help me.

  • barney griggs Jun 9, 2010 @ 22:13

    Anyone have any Idea why Centos 5.2 would take every login as a failure when setting up for lockout after X failed attempts?

  • J.C. Denton Mar 21, 2011 @ 11:39

    * barney griggs, to lock a user out I’d rather use “faillog”: /usr/bin/faillog -u ACCOUNT -m 10 -l 60

    * lalit, you should try remove items from the line: account required deny=3 no_magic_root lock_time=180

  • dinesh kumart Apr 16, 2011 @ 3:14

    very good

  • krishna Jun 13, 2011 @ 7:36

    good ……………. 🙂

  • Arpit Tolani Oct 13, 2011 @ 9:00

    This contains wrong information, there cannot be deny in Account section of

  • nigoor Apr 4, 2012 @ 10:34

    all of the above is not working

    • Mike M Nov 13, 2015 @ 12:29

      Do you have faillog in your system? I did not. (I don't know if it should come pre-installed, but for me it was not.)

  • Stephen May 21, 2012 @ 13:51

    The following worked for me,

    If you're using pam_tally use
    pam_tally --reset --user

    If you're using pam_tally2, which is typical in RHEL 6, use
    pam_tally2 -r -u

  • kadir Jan 13, 2013 @ 15:57

    $ vi /etc/pam.d/system-auth
    My file doesn't contain the mentioned lines;

    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth required
    auth sufficient try_first_pass nullok
    #auth sufficient try_first_pass
    auth required

    account required

    password required try_first_pass retry=3
    #password optional try_first_pass
    password sufficient try_first_pass use_authtok nullok md5
    password required

    session optional revoke
    session required
    session [success=1 default=ignore] service in crond quiet use_uid
    session required

  • Hari Avalakonda Jul 25, 2013 @ 14:56

    Add below two lines to system-auth file

    auth required per_user deny=5 no_magic_root unlock_time=180
    password required try_first_pass retry=5 no_magic_root lock_time=180

    The above lines are used to lock the account for 180 sec and unlock it after 180 sec.

    Hari Mani Kandan.A

  • J.C. Denton Nov 16, 2013 @ 11:44

    Maybe you like this:

    denton@tron:~$ ls -slapht /etc/cron.daily/faillog
    4,0K -rwxr-xr-x 1 root root 963 14. Nov 2010 /etc/cron.daily/faillog
    denton@tron:~$ cat /etc/cron.daily/faillog
    +++ +++ +++
    #!/bin/sh
    # TRON-DELTA.ORG / faillog (ANACRON) / v1.3.02
    # All login names from the password database
    sAccAll=$(cut -d":" -f1 /etc/passwd)
    # System accounts that keep their default faillog settings
    sAccRem='root daemon bin sys sync games man lp mail news uucp proxy www-data backup list irc gnats nobody libuuid dhcp syslog klog hplip avahi-autoipd gdm messagebus avahi polkituser haldaemon ntp statd clamav mysql saned debian-tor privoxy festival'
    for slAccAll in $sAccAll; do
        # skip any account that appears in the exclusion list
        case " $sAccRem " in
            *" $slAccAll "*) continue ;;
        esac
        /usr/bin/faillog -u "$slAccAll" -m 10 -l 60
    done
    echo "User accounts successfully setup with faillog: $(date)" >> /var/log/cron/security.log
    +++ +++ +++
    For explanation: That script will execute on a daily basis and set all self-defined accounts with -m 10 -l 60. I wrote it to make sure all accounts of "ordinary" users are configured correctly at all times, in a way so that no one has to worry about it anymore. There is room for optimization however. 🙂

  • Hanuman Chowdary Oct 26, 2015 @ 13:04

    Thanks one and all, for most valid information.

  • john Nov 9, 2015 @ 12:38

    Write a shell script that checks whether the username and a password entered by a user are correct. The script should only allow a maximum of 3 attempts before locking a user out of the system

    please someone help

  • Prabhu Thiyagarajan Feb 24, 2016 @ 5:29

    Thanks for the wonderful doc.
    Typo: PAM Configuration To “Recored” Failed Login Attempts

  • Prabhu Thiyagarajan Feb 24, 2016 @ 5:32

    “Taks”: Show Faillog Records For All Users

  • Garima Jain Jun 1, 2016 @ 5:36

    How to do the same on RHEL5. I don’t see the locking happening on RHEL5 after making the above changes.

  • Regu Oct 3, 2016 @ 10:21

    Is it possible in RHEL 6 and above…?
