34n0s/pam-authramp

Project ID: 114986

Description

pam-authramp

https://github.com/34N0/pam-authramp

The AuthRamp PAM (Pluggable Authentication Modules) module provides an account lockout mechanism based on the number of authentication failures. It calculates a dynamic delay for subsequent authentication attempts, increasing the delay with each failure to mitigate brute force attacks.

Installation Instructions

Configuration

PAM service

Edit the PAM service stacks in '/etc/pam.d'. Add the preauth hook before the authentication module:

auth required libpam_authramp.so preauth

The actual authentication module needs to be 'sufficient':

auth sufficient pam_unix.so

Add the authfail hook right after the authentication module:

auth [default=die] libpam_authramp.so authfail

And finally add the module to the top of the account stack:

account required libpam_authramp.so

authramp.conf

Create a configuration file under /etc/security/authramp.conf. This is an example configuration:

# AuthRamp Configuration File
# This file configures the behavior of the AuthRamp PAM module.
# [Configuration]
# Directory where tally information is stored.
# Each user has a separate file in this directory to track authentication failures.
# tally_dir = "/var/run/authramp"
#
# Number of allowed free authentication attempts before applying delays.
# During these free tries, the module allows authentication without introducing delays.
# free_tries = 6
#
# Base delay applied to each authentication failure.
# This is the initial delay applied after the free tries are exhausted.
# base_delay_seconds = 30
#
# Multiplier for the delay calculation based on the number of failures.
# The delay for each subsequent failure is calculated as follows:
# delay = ramp_multiplier * (fails - free_tries) * ln(fails - free_tries) + base_delay_seconds
# ramp_multiplier = 50
#
# Even lock out the root user. Enabling this can be dangerous and may result in a total system lockout.
# For auditing purposes, the tally will still be created for the root user, even if this setting is disabled.
# If you plan to enable this feature, make sure there isn't any tally stored under <tally_dir>/root, or you risk immediate lockout.
# even_deny_root = false
#
# Whether the PAM user messages in the login screen should update automatically or not.
# countdown = false

persistent lockout

By default the lockout is not persisted between system reboots. This makes sense for systems configured with LUKS full disk encryption. If your system is encrypted in a different way, like systemd-homed, change the tally_dir = "/var/run/authramp" setting to a persisted folder. The suggested folder is /var/lib/authramp.

default delay

The default configuration of this module is very restrictive. The standard delays are:

  • 0 to 6 failed attempts: no delay (2 sessions of 3 tries)
  • 7th failed attempt: 30-second delay
  • 15th failed attempt: 15-minute delay
  • 30th failed attempt: 1-hour delay
  • 300th or later failed attempt: 24-hour delay

The formula used to calculate the delay is:

f  : failedAttempts
f₀ : freeTries
r  : rampMultiplier
b  : baseDelaySeconds

delay = r * (f - f₀) * log(f - f₀) + b

Reset user

The CLI reads the same configuration from authramp.conf.

$ authramp --help

by 34n0@immerda.ch

Usage: authramp [COMMAND]

Commands:
  reset  Reset a locked PAM user
  help   Print this message or the help of the given subcommand(s)

Options:
  -h, --help  Print help

Active Releases

The following unofficial repositories are provided as-is by the owner of this project. Contact the owner directly for bugs or issues (i.e. not Bugzilla).

Release          Architectures   Repo             Download
Fedora 39        x86_64 (34)*    Fedora 39        (57 downloads)
Fedora 40        x86_64 (3)*     Fedora 40        (28 downloads)
Fedora 41        x86_64 (2)*     Fedora 41        (7 downloads)
Fedora rawhide   x86_64 (0)*     Fedora rawhide   (22 downloads)

* Total number of downloaded packages.