How To Record / Log Failed Login Attempt In Linux

May 10, 2011

A system administrator needs to monitor any unusual activity on the system. An unauthorized user may try to access the system by trying out different passwords. The Linux feature that can be used to monitor these failed login attempts is the “faillog” utility. The “faillog” command displays all failed login attempts by a user. If there are too many unsuccessful attempts, the account can be disabled using “faillog”; it can also be used to lock the account for a specified number of seconds after a user fails to log in.

Faillog command syntax

These failures are stored in a file named “faillog” present in /var/log directory. The “faillog” command uses this file (/var/log/faillog) for displaying the failed logins. The “faillog” command entered on its own prints out any unsuccessful attempts by a user:

[root@localhost ~]# faillog
Login Failures Maximum Latest On

student 1 0 06/28/12 15:27:27 +0530 tty1

After a failed login, the user can be locked for a specified time with -l option. To lock an account (say, student) for 1 minute (60 seconds), use the following:

[root@localhost ~]# faillog -l 60 -u student

[root@localhost ~]# faillog
Login Failures Maximum Latest On

student 2 0 06/28/12 15:28:32 +0530 tty1 [51s left]

As you can see, the remaining lock time is displayed in the last column. The -u option is used to specify the username whose account needs to be locked. Further, a maximum limit on the number of login attempts can be set with the -m option.

[root@localhost ~]# faillog -m 0 -u student

This command will disable the 'student' account after 3 unsuccessful logins.
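To show what the “faillog” command is actually reading, here is an added example (not part of the original article) that parses records from a /var/log/faillog-style file and reproduces the Failures, Maximum and “[Ns left]” logic. It assumes the 64-bit shadow-utils struct faillog layout and runs on constructed sample records, so it can be tried offline.

```python
# Added example (not the article's code): read /var/log/faillog-style records.
# Assumes the shadow-utils `struct faillog` layout on 64-bit Linux: short fail_cnt,
# short fail_max, char fail_line[12], time_t fail_time, long fail_locktime (32 bytes/uid).
import struct
from typing import Iterator, NamedTuple

REC_FMT = "<hh12sqq"                 # little-endian, 64-bit time_t and long
REC_SIZE = struct.calcsize(REC_FMT)  # 32 bytes

class FailRecord(NamedTuple):
    uid: int
    failures: int   # "Failures" column
    maximum: int    # "Maximum" column (0 = no limit enforced)
    line: str       # "On" column (the tty)
    latest: int     # epoch seconds of the latest failure
    locktime: int   # lock duration in seconds set with `faillog -l`

def parse_faillog(data: bytes) -> Iterator[FailRecord]:
    """Yield one record per uid that has a failure on file (faillog skips the rest)."""
    for uid in range(len(data) // REC_SIZE):
        cnt, mx, line, when, lock = struct.unpack_from(REC_FMT, data, uid * REC_SIZE)
        if cnt == 0 and when == 0:
            continue
        yield FailRecord(uid, cnt, mx, line.split(b"\0", 1)[0].decode(), when, lock)

def seconds_left(rec: FailRecord, now: int) -> int:
    """Remaining lock time, i.e. the "[Ns left]" that faillog prints."""
    if rec.locktime <= 0:
        return 0
    return max(0, rec.latest + rec.locktime - now)

def over_limit(rec: FailRecord) -> bool:
    """True when a positive maximum is set and has been reached."""
    return rec.maximum > 0 and rec.failures >= rec.maximum

def make_record(cnt: int, mx: int, line: str, when: int, lock: int) -> bytes:
    """Build one constructed 32-byte record (only used for the sample data)."""
    return struct.pack(REC_FMT, cnt, mx, line.encode().ljust(12, b"\0"), when, lock)

# Constructed sample: uids 0-499 untouched, uid 500 locked for 60 s after
# 2 failures 9 s ago, uid 501 has reached a maximum of 3 failures.
NOW = 1340877512
SAMPLE = (make_record(0, 0, "", 0, 0) * 500
          + make_record(2, 0, "tty1", NOW - 9, 60)
          + make_record(3, 3, "pts/0", NOW - 300, 0))

if __name__ == "__main__":
    for r in parse_faillog(SAMPLE):
        print(r.uid, r.failures, r.maximum, r.line, f"{seconds_left(r, NOW)}s left",
              "OVER LIMIT" if over_limit(r) else "")
```

On a real host, read the bytes from /var/log/faillog (as root) and pass them to parse_faillog; the struct sizes differ on 32-bit systems, so REC_FMT must be adjusted there.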

pam_tally.so:

If you read carefully, “faillog” does not log the failures itself; it only displays them. Recording these attempts is the responsibility of the pam_tally.so module. Before going into the details of this module, let's have a quick overview of PAM.

Pluggable Authentication Modules (PAM):

As the name suggests, PAM performs the authentication tasks in Linux. These modules are 'pluggable', which means they can be used by other applications. PAM is not a “program or utility” that provides authentication functions; it is a set of modules that helps all the utilities that need authentication functions. For example, when we log in at a terminal (the prompt that looks like “localhost login: ”) on a Linux system, the utility running in the background is the 'login' utility, and it uses PAM modules. Other utilities such as ssh (used for remote login), su (to switch users), at and cron (both used for scheduling tasks) also use PAM modules for authentication.

So, let's return to our discussion about pam_tally.so module. This module counts the failed login attempts and stores them in /var/log/faillog file. If your system is not configured to use this module, “faillog” will not work. So, in order to configure the system to use this module, we need to edit /etc/pam.d/system-auth file. Add these 2 lines in the file:

auth required pam_tally.so
account required pam_tally.so

My /etc/pam.d/system-auth file looks like this (the added lines are marked with comment banners):

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

###---------Added by Raghu---------###
auth required pam_tally.so
###--------------------------------###

account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

###---------Added by Raghu---------###
account required pam_tally.so
###--------------------------------###

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

Comments (4)


  1. anji says:

    Hi,

    I used the faillog command, but it is not showing failed login attempts. I gave wrong passwords while logging in and I checked with the faillog command. It did not work. Can I know why it is not working?

  2. anji says:

    Hi,

    I tried using faillog -a, but it is still not working for me. See the output below:

    [root@localhost ~]# cat /etc/passwd | grep anji
    anji:x:500:500::/home/anji:/bin/bash

    For user "anji" I am trying:

    login as: anji
    anji@192.168.186.128's password:
    Access denied
    anji@192.168.186.128's password:

    [root@localhost ~]# faillog -a
    [root@localhost ~]# faillog -u anji
    Login Failures Maximum Latest On
    anji 0 0

    Kindly check and advise.

  3. NixSavy says:

    Can you check the size of the files lastlog and faillog in /var/log?
