Header Ads Widget

[MAN] faillock

Content-type: text/html; charset=UTF-8 Man page of FAILLOCK.CONF

FAILLOCK.CONF

Section: Linux-PAM Manual (5)
Updated: 06/08/2020
Index Return to Main Contents
 

NAME

faillock.conf - pam_faillock configuration file  

DESCRIPTION

faillock.conf provides a way to configure the default settings for locking the user after multiple failed authentication attempts. This file is read by the pam_faillock module and is the preferred method over configuring pam_faillock directly.

The file has a very simple name = value format with possible comments starting with # character. The whitespace at the beginning of line, end of line, and around the = sign is ignored.  

OPTIONS

dir=/path/to/tally-directory

The directory where the user files with the failure records are kept. The default is /var/run/faillock.

audit

Will log the user name into the system log if the user is not found.

silent

Don't print informative messages to the user. Please note that when this option is not used there will be difference in the authentication behavior for users which exist on the system and non-existing users.

no_log_info

Don't log informative messages via syslog(3).

local_users_only

Only track failed user authentications attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users. The faillock(8) command will also no longer track user failed authentication attempts. Enabling this option will prevent a double-lockout scenario where a user is locked out locally and in the centralized mechanism.

deny=n

Deny access if the number of consecutive authentication failures for this user during the recent interval exceeds n. The default is 3.

fail_interval=n

The length of the interval during which the consecutive authentication failures must happen for the user account lock out is n seconds. The default is 900 (15 minutes).

unlock_time=n

The access will be re-enabled after n seconds after the lock out. The value 0 has the same meaning as value never - the access will not be re-enabled without resetting the faillock entries by the faillock(8) command. The default is 600 (10 minutes).

Note that the default directory that pam_faillock uses is usually cleared on system boot so the access will be also re-enabled after system reboot. If that is undesirable a different tally directory must be set with the dir option.

Also note that it is usually undesirable to permanently lock out users as they can become easily a target of denial of service attack unless the usernames are random and kept secret to potential attackers.

even_deny_root

Root account can become locked as well as regular accounts.

root_unlock_time=n

This option implies even_deny_root option. Allow access after n seconds to root account after the account is locked. In case the option is not specified the value is the same as of the unlock_time option.

admin_group=name

If a group name is specified with this option, members of the group will be handled by this module the same as the root account (the options even_deny_root and root_unlock_time will apply to them. By default the option is not set.
 

EXAMPLES

/etc/security/faillock.conf file example:

deny=4
unlock_time=1200
silent
    
 

FILES

/etc/security/faillock.conf

the config file for custom options
 

SEE ALSO

faillock(8), pam_faillock(8), pam.conf(5), pam.d(5), pam(8)  

AUTHOR

pam_faillock was written by Tomas Mraz. The support for faillock.conf was written by Brian Ward.


 

Index

NAME
DESCRIPTION
OPTIONS
EXAMPLES
FILES
SEE ALSO
AUTHOR

This document was created by man2html, using the manual pages.
Time: 04:45:56 GMT, September 16, 2022 Content-type: text/html; charset=UTF-8 Man page of FAILLOCK

FAILLOCK

Section: Linux-PAM Manual (8)
Updated: 06/08/2020
Index Return to Main Contents
 

NAME

faillock - Tool for displaying and modifying the authentication failure record files  

SYNOPSIS

faillock [--dir /path/to/tally-directory] [--user username] [--reset]
 

DESCRIPTION

The pam_faillock.so module maintains a list of failed authentication attempts per user during a specified interval and locks the account in case there were more than deny consecutive failed authentications. It stores the failure records into per-user files in the tally directory.

The faillock command is an application which can be used to examine and modify the contents of the tally files. It can display the recent failed authentication attempts of the username or clear the tally files of all or individual usernames.  

OPTIONS

--dir /path/to/tally-directory

The directory where the user files with the failure records are kept. The default is /var/run/faillock.

--user username

The user whose failure records should be displayed or cleared.

--reset

Instead of displaying the user's failure records, clear them.
 

FILES

/var/run/faillock/*

the files logging the authentication failures for users
 

SEE ALSO

pam_faillock(8), pam(8)  

AUTHOR

faillock was written by Tomas Mraz.


 

Index

NAME
SYNOPSIS
DESCRIPTION
OPTIONS
FILES
SEE ALSO
AUTHOR

This document was created by man2html, using the manual pages.
Time: 04:45:58 GMT, September 16, 2022

댓글 쓰기

0 댓글