34n0s/pam-authramp

Description

pam-authramp

The AuthRamp PAM (Pluggable Authentication Modules) module provides an account lockout mechanism based on the number of authentication failures. It calculates a dynamic delay for subsequent authentication attempts, increasing the delay with each failure to mitigate brute force attacks.

Installation Instructions

Configuration

PAM service

Edit the PAM service stacks in '/etc/pam.d'. Add the preauth hook before the authentication module:

auth required libpam_authramp.so preauth

The actual authentication module needs to be 'sufficient', so that a correct password ends the auth stack with success at this line, while a wrong one falls through to the authfail hook below:

auth sufficient pam_unix.so

Add the authfail hook right after the authentication module. It records the failure in the tally and, because the control flag is [default=die], terminates the stack with failure without running any later auth modules:

auth [default=die] libpam_authramp.so authfail

And finally add the module to the top of the account stack:

account required libpam_authramp.so
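The four fragments above assembled into one service file, as an added illustration (not a file shipped by the project). The service name, the extra account line for pam_unix.so and the omission of the other modules a real stack carries (pam_env, pam_faillock, etc.) are assumptions:

```text
# /etc/pam.d/<service>  -- assembled example, not part of the original page
# Order matters: preauth enforces the ramped delay before the password is
# checked; pam_unix as 'sufficient' short-circuits to success on a correct
# password, so authfail only runs when the password was wrong.
auth     required       libpam_authramp.so preauth
auth     sufficient     pam_unix.so
auth     [default=die]  libpam_authramp.so authfail

# authramp at the top of the account stack; pam_unix.so below is assumed to
# already be present in the service file.
account  required       libpam_authramp.so
account  required       pam_unix.so
```

Note that preauth uses 'required' rather than 'requisite': in PAM semantics a 'required' failure is recorded but the stack keeps running, so a locked-out user is still prompted for a password and the stack fails afterwards; 'requisite' would return immediately instead.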

authramp.conf

Create a configuration file under /etc/security/authramp.conf. This is an example configuration:

# AuthRamp Configuration File
# This file configures the behavior of the AuthRamp PAM module.
#
[Settings]
# Directory where tally information is stored.
# Each user has a separate file in this directory to track authentication failures.
tally_dir = /var/run/authramp
#
# Number of allowed free authentication attempts before applying delays.
# During these free tries, the module allows authentication without introducing delays.
free_tries = 6
#
# Base delay applied to each authentication failure.
# This is the initial delay applied after the free tries are exhausted.
base_delay_seconds = 30
#
# Multiplier for the delay calculation based on the number of failures.
# The delay for each subsequent failure is calculated as follows:
# delay = ramp_multiplier * (fails - free_tries) * ln(fails - free_tries) + base_delay_seconds
ramp_multiplier = 50
#
# Even lock out the root user. Enabling this can be dangerous and may result in a total system lockout.
# For auditing purposes, the tally will still be created for the root user, even if this setting is disabled.
# If you plan to enable this feature, make sure there isn't any tally stored under <tally_dir>/root, or you risk immediate lockout.
even_deny_root = false

default delay

The default configuration of this module is very restrictive. With the defaults above (free_tries = 6, base_delay_seconds = 30, ramp_multiplier = 50) the delays are approximately:

  • 0 to 6 failed attempts: no delay (two sessions of three tries each)
  • 7th failed attempt: 30-second delay
  • 15th failed attempt: about 15 minutes
  • 30th failed attempt: about 1 hour
  • 300th or later failed attempt: about 24 hours

The formula used to calculate the delay is (ln is the natural logarithm, as in authramp.conf above):

  f  : failedAttempts
  f₀ : freeTries
  r  : rampMultiplier
  b  : baseDelaySeconds

  delay = r * (f - f₀) * ln(f - f₀) + b
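A worked evaluation of the formula with the default settings, added here as an illustration; it is not the module's own code. It assumes f counts the failure that just happened (so the 7th failure gives f - f₀ = 1 and a delay of exactly b), and it assumes that no delay is applied while f ≤ f₀, which is what the free-tries description says but which the formula itself leaves undefined (ln of zero or a negative number):

```python
import math

# Defaults taken from the example authramp.conf on this page.
FREE_TRIES = 6
BASE_DELAY_SECONDS = 30
RAMP_MULTIPLIER = 50


def delay_seconds(fails: int,
                  free_tries: int = FREE_TRIES,
                  base_delay: float = BASE_DELAY_SECONDS,
                  ramp: float = RAMP_MULTIPLIER) -> float:
    """Delay in seconds imposed after `fails` consecutive failures.

    Evaluates delay = r * (f - f0) * ln(f - f0) + b from the page.
    Assumption (not stated by the formula): while fails <= free_tries the
    attempt is one of the free tries, so 0 is returned instead of evaluating
    ln(0) or ln of a negative number.
    """
    over = fails - free_tries
    if over <= 0:
        return 0.0
    return ramp * over * math.log(over) + base_delay


def schedule(fail_counts, **settings):
    """Map each failure count to its delay; useful for sanity-checking a config."""
    return {f: delay_seconds(f, **settings) for f in fail_counts}


def format_delay(seconds: float) -> str:
    """Render seconds as HhMMmSSs for the printed table."""
    s = int(round(seconds))
    h, s = divmod(s, 3600)
    m, s = divmod(s, 60)
    return f"{h}h{m:02d}m{s:02d}s"


if __name__ == "__main__":
    # Failure counts chosen to line up with the schedule listed on the page.
    for f, d in schedule([1, 6, 7, 8, 15, 30, 100, 300]).items():
        print(f"{f:4d} failures -> {d:10.1f} s ({format_delay(d)})")
```

Running it shows where the page's schedule is rounded: the 7th failure is exactly 30 s, but the 15th comes out at about 1019 s (17 minutes), the 30th at about 3844 s (64 minutes) and the 300th at about 83 579 s (23.2 hours). Because (f - f₀) · ln(f - f₀) grows faster than linearly, raising ramp_multiplier stretches the tail of the curve far more than it changes the first few delays.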

Reset user

The authramp CLI reads the same configuration from authramp.conf. To reset a user's tally, run:

sudo authramp reset --user <user>

Active Releases

The following unofficial repositories are provided as-is by the owner of this project. Contact the owner directly for bugs or issues (i.e. not Bugzilla).



This is a companion discussion topic for the original entry at https://copr.fedorainfracloud.org/coprs/34n0s/pam-authramp