Quickly spot and manage failed login attempts using the faillog utility to detect locked accounts and brute-force activity.

19.11.2025

When a user fails authentication, the kernel and PAM layers may record that event. faillog is the classic utility to read and manipulate those failure counters, so an administrator can spot repeated bad attempts or clear a locked account.

## A failed-login scenario

Reproduce and inspect failures with a couple of commands: run the tool, then reset a record when needed.

```bash
$ sudo faillog
Username   Fail  Latest failed login        From
root          0
alice         3  Tue Nov 19 10:12:34 2024   198.51.100.23
bob           5  Tue Nov 19 10:15:01 2024   198.51.100.24
$ sudo faillog -r -u alice
```

Now re-run `sudo faillog` and alice's Fail count is cleared.

## Digging deeper

Look under the hood: faillog works by reading the system faillog data (commonly /var/log/faillog) and addresses records by UID or username. Use `faillog -u username` to inspect a specific record and `faillog -r -u username` to reset it. Account lockout behavior and storage can differ by distribution because PAM modules control policy, so always confirm which PAM stack your system uses before changing counters.

## Neighbors in the toolkit

faillog helps with counters, but authentication auditing is broader. Check auth logs and PAM tools for context, and combine faillog with other utilities to investigate source IPs, timing and correlated events.

## Final step

Mastering faillog is a practical step toward better Linux security. Practice on a lab system, compare the output with your distro's PAM modules, and then widen the view to logging and intrusion detection. Consider formal study and certification like CompTIA Linux+ or LPIC-1, and use bitsandbytes.academy for intensive exam preparation.
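The combination of faillog counters with auth-log source IPs suggested above can be scripted; the following is an added example, not part of the original article. It assumes the faillog column layout shown on this page and the common OpenSSH `Failed password for USER from IP` syslog line; the function names are hypothetical and all sample data is constructed.

```bash
# Added example; all sample data is constructed. faillog output uses this page's layout.
sample_faillog() {
cat <<'EOF'
Username   Fail  Latest failed login        From
root          0
alice         3  Tue Nov 19 10:12:34 2024   198.51.100.23
bob           5  Tue Nov 19 10:15:01 2024   198.51.100.24
EOF
}

# Constructed sshd lines in the common OpenSSH "Failed password for USER from IP" form.
sample_authlog() {
cat <<'EOF'
Nov 19 10:12:20 host sshd[2101]: Failed password for alice from 198.51.100.23 port 50112 ssh2
Nov 19 10:12:34 host sshd[2103]: Failed password for alice from 198.51.100.23 port 50118 ssh2
Nov 19 10:14:02 host sshd[2108]: Failed password for bob from 203.0.113.7 port 40010 ssh2
Nov 19 10:14:40 host sshd[2110]: Failed password for bob from 198.51.100.24 port 40022 ssh2
Nov 19 10:15:01 host sshd[2110]: Failed password for bob from 198.51.100.24 port 40022 ssh2
Nov 19 10:15:30 host sshd[2115]: Accepted password for carol from 192.0.2.10 port 40100 ssh2
EOF
}

# flagged_users MIN: faillog output on stdin -> "user count latest_source" where Fail >= MIN.
flagged_users() {
    awk -v min="$1" 'NR > 1 && $2 ~ /^[0-9]+$/ && $2 + 0 >= min {
        print $1, $2, (NF >= 8 ? $NF : "-") }'
}

# failures_by_source "USER ...": auth log on stdin -> sorted "user ip count" lines.
# The faillog listing shows only the latest origin, so per-source totals come from the log.
failures_by_source() {
    awk -v users="$1" '
        BEGIN { n = split(users, a, " "); for (i = 1; i <= n; i++) watch[a[i]] = 1 }
        /sshd\[[0-9]+\]: Failed password for / {
            # Use the last "from": the username field is client-supplied text.
            u = ""; ip = ""
            for (i = 2; i < NF; i++) if ($i == "from") { u = $(i - 1); ip = $(i + 1) }
            if (u in watch) hits[u " " ip]++
        }
        END { for (k in hits) print k, hits[k] }' | sort
}

# correlate MIN: chain both steps over the constructed samples.
correlate() {
    users=$(sample_faillog | flagged_users "$1" | awk '{ printf "%s ", $1 }')
    sample_authlog | failures_by_source "$users"
}

correlate 3
```

On a real host, replace the sample functions with `sudo faillog` and the distribution's auth log as inputs, after confirming which PAM module actually maintains the counters.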