faillog failure

Posted on 2000-04-05
Medium Priority
Last Modified: 2013-12-16
What is required to make faillog track login failures?

I've tried:
1. In '/etc/login.defs', setting 'FAILLOG_ENAB yes'.
2. creating '/var/log/faillog' and setting a 600 permission on the file.
3. Anything else?

I've tried RedHat, Slackware, Corel, WinLinux 2000.
Question by:mmcmilla
  • 2
LVL 40

Expert Comment

ID: 2688326
I can't say for the others, but RedHat 6.1, "out-of-the-box", logs login failures via syslog to /var/log/messages. I don't see anything in the man page for login that suggests that the login mechanism uses /etc/login.defs or /var/log/faillog, but it does specifically state that login failures will be logged by syslog.

Author Comment

ID: 2689502
Logins will be logged by /var/log/faillog, true.  But, I'm trying to limit the number of login failures (say, 5 password retries).  First of all, if /var/log/faillog doesn't exist, /usr/bin/faillog will not create the log file.  I create the /var/log/faillog with 0 bytes, run faillog -u <username> -m <max number failures>, faillog will write to /var/log/faillog with the settings I want.  Run faillog -u <username> and it will return the stats on that user (with 0 failures, of course).  Logout, and try to login as that user, but purposefully fail the login a couple of times.  Then, login as root, run faillog -u <username> and it still shows zero failures.  
I have not clue what's wrong.  I have read the man pages for faillog, but nothing seems to work.
LVL 40

Expert Comment

ID: 2705215
When all else fails, "use the source Luke, use the source"...

I went into the source rpm that provides faillog (shadow-utils-19990827-2.src.rpm) and found that you need to enable use of the faillog facility in /etc/login.defs, like:

# Enable logging and display of /var/log/faillog login failure info.
FAILLOG_ENAB            yes

Interestingly, there are two section 5 manpages in the source that aren't on my system (login.defs.5 & login.access.5), well they weren't there before I looked at the sources... They are now.

Accepted Solution

cowerict earned 400 total points
ID: 2724591
I figured out that the you have to use the -p flag. E.g.:
      faillog -p -u <username>

but using
      faillog -p -u <username> -t 1
also would show faillogs of more resent fails.

Source code provides the solution.

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Virtualization software lets you run different versions of Windows, Ubuntu Linux and other versions of Linux all at the same time, rather than running each one directly from your computer's hard drive.
Cron is one of the most popular and basic utilities found on Unix systems. Combined with other tools, cron makes it exceptionally easy to automate a broad range of tasks on your server.
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question