pam_fail_delay - Linux


Overview

pam_fail_delay is a PAM module that introduces a configurable delay before responding to authentication failures. Because each failed attempt takes longer to return, the delay throttles brute-force attacks; it can also serve as a visual deterrent.

Syntax

pam_fail_delay.so [options]

Options/Flags

  • delay=: Sets the delay in milliseconds before responding to an authentication failure. Default: 500
  • max_delay=: Sets the maximum delay in milliseconds. Default: 10000
  • delay_on_lockout=: Enables or disables delays on account lockouts. Default: true
  • log=: Sets the logging level for the module. Default: info
  • debug=: Enables debug logging. Default: false

Examples

Simple usage with default delay:

auth required pam_fail_delay.so

Specify a custom delay of 2 seconds:

auth required pam_fail_delay.so delay=2000

Disable delays on account lockout:

auth required pam_fail_delay.so delay_on_lockout=false

Enable debug logging:

auth required pam_fail_delay.so debug=true

Common Issues

  • Incorrect syntax: Ensure the syntax is correct and all options are specified in the correct format.
  • Insufficient privileges: The module may need access rights to the PAM configuration file and its related resources.
  • Configuration errors: Check the PAM configuration file for any errors in the module’s configuration, such as invalid option values or missing parameters.

Integration

Throttling Brute-Force Attacks: Integrate with tools like fail2ban or denyhosts to rate-limit failed login attempts and block attackers.

Alerting on Failed Attempts: Combine with other logging and monitoring tools to trigger alerts when a certain number of authentication failures occur within a given period.
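
The alerting idea above, as an added example that is not part of the original page or of any tool it names: a sliding-window count of sshd "Failed password" lines per source address. The log layout, the constructed sample lines, the threshold and window values, and the function name find_bursts are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the usual sshd syslog layout (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Mar 10 09:15:01 host1 sshd[2101]: Failed password for root from 203.0.113.5 port 40112 ssh2
Mar 10 09:15:04 host1 sshd[2101]: Failed password for root from 203.0.113.5 port 40112 ssh2
Mar 10 09:15:09 host1 sshd[2107]: Failed password for invalid user admin from 203.0.113.5 port 40120 ssh2
Mar 10 09:15:20 host1 sshd[2111]: Accepted password for alice from 198.51.100.7 port 51514 ssh2
Mar 10 09:40:00 host1 sshd[2200]: Failed password for bob from 198.51.100.7 port 51600 ssh2
Mar 10 09:58:00 host1 sshd[2260]: Failed password for bob from 198.51.100.7 port 51700 ssh2
Mar 10 10:20:00 host1 sshd[2290]: Failed password for bob from 198.51.100.7 port 51800 ssh2
"""

# The user name is client-supplied, so match it greedily and take the address
# from the fixed tail of the line rather than from the first " from " seen.
FAILURE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?.* from (?P<ip>\S+) port \d+ ssh2$"
)

def find_bursts(log_text, threshold=3, window=timedelta(minutes=5), year=2024):
    """Map each source address to the time it first reached `threshold`
    failures within `window`. Syslog omits the year, so `year` is assumed."""
    recent = defaultdict(deque)  # address -> failure times still inside the window
    alerts = {}
    for line in log_text.splitlines():
        m = FAILURE.match(line)
        if not m:
            continue  # successes and unrelated lines do not count
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        times = recent[m["ip"]]
        times.append(ts)
        while ts - times[0] > window:  # drop failures that aged out
            times.popleft()
        if len(times) >= threshold:
            alerts.setdefault(m["ip"], ts)
    return alerts

if __name__ == "__main__":
    for ip, when in find_bursts(SAMPLE_LOG).items():
        print(f"ALERT {ip}: 3 failures within 5 minutes at {when}")
```

The second address in the sample fails three times in total but never three times inside one five-minute window, so only the first address is reported.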

Related Commands

  • pam: PAM configuration tool
  • sshd: SSH server
  • fail2ban: Intrusion detection and response system