1. Home
  2. 34n0s
  3. pam-authramp
  4. Overview
  • 0

34n0s/pam-authramp

Project ID: 114986

Description

pam-authramp

https://github.com/34N0/pam-authramp

The AuthRamp PAM (Pluggable Authentication Modules) module provides an account lockout mechanism based on the number of authentication failures. It calculates a dynamic delay for subsequent authentication attempts, increasing the delay with each failure to mitigate brute force attacks.

Installation Instructions

Configuration

PAM service

Edit the PAM service stacks in '/etc/pam.d'. Add the preauth hook before the authentication module:

auth        required                                     libpam_authramp.so preauth

The actual authentication module needs to be 'sufficient':

auth        sufficient                                   pam_unix.so

Add the authfail hook right after the authentication module:

auth        [default=die]                                libpam_authramp.so authfail

And finally add the module to the top of the account stack:

account     required                                     libpam_authramp.so

authramp.conf

Create a configuration file under /etc/security/authramp.conf. This is an example configuration:

# AuthRamp Configuration File
# This file configures the behavior of the AuthRamp PAM module.
#
[Configuration]
# Directory where tally information is stored.
# Each user has a separate file in this directory to track authentication failures.
# tally_dir = "/var/run/authramp"
#
# Number of allowed free authentication attempts before applying delays.
# During these free tries, the module allows authentication without introducing delays.
# free_tries = 6
#
# Base delay applied to each authentication failure.
# This is the initial delay applied after the free tries are exhausted.
# base_delay_seconds = 30
#
# Multiplier for the delay calculation based on the number of failures.
# The delay for each subsequent failure is calculated as follows:
# delay = ramp_multiplier * (fails - free_tries) * ln(fails - free_tries) + base_delay_seconds
# ramp_multiplier = 50
#
# Even lock out the root user. Enabling this can be dangerous and may result in a total system lockout.
# For auditing purposes, the tally will still be created for the root user, even if this setting is disabled.
# If you plan to enable this feature, make sure there isn't any tally stored under <tally_dir>/root, or you risk immediate lockout.
# even_deny_root = false
#
# Whether the PAM user messages in the login screen should update automatically or not.
# countdown = false

perstistent lockout

By default the lockout is not persistet between system reboots. This makes sense for systems configured with a LUKS full disk encryption. If you're system is encrypted in a different way, like systemd-homed change the tally_dir = "/var/run/authramp" setting to a persisted folder. The suggested folder is /var/lib/authramp.

default delay

The default configuration of this module is very restrictive. The standard delays are:

  • 0 to 6 failed attempts: no delay (2 sessions of 3 tries)
  • 7th failed attempt: 30-second delay
  • 15th failed attempt: 15 minutes delay
  • 30th failed attempt: 1-hour delay
  • 300th or later failed attempt: 24 hours delay

The formula used to calculate the delay is:

f : failedAttempts  
f₀ : freeTries  
r : rampMultiplier  
b : baseDelaySeconds  
delay = r * (f - f₀) * log(f - f₀) + b

Reset user

The cli uses the reads the same configuration in authramp.conf.

$ authramp --help

 █████ ██    ████████████   ████████  █████ ███    █████████  
██   ████    ██   ██   ██   ████   ████   ██████  ██████   ██ 
█████████    ██   ██   █████████████ █████████ ████ ████████  
██   ████    ██   ██   ██   ████   ████   ████  ██  ████      
██   ██ ██████    ██   ██   ████   ████   ████      ████

by 34n0@immerda.ch

Usage: authramp [COMMAND]

Commands:
  reset  Reset a locked PAM user
  help   Print this message or the help of the given subcommand(s)

Options:
  -h, --help  Print help

Active Releases

The following unofficial repositories are provided as-is by owner of this project. Contact the owner directly for bugs or issues (IE: not bugzilla).

Release Architectures Repo Download
Fedora 39 x86_64 (34)* Fedora 39 (57 downloads)
Fedora 40 x86_64 (3)* Fedora 40 (28 downloads)
Fedora 41 x86_64 (2)* Fedora 41 (7 downloads)
Fedora rawhide x86_64 (0)* Fedora rawhide (22 downloads)

* Total number of downloaded packages.


Homepage Contact

Last Build

pam-authramp

Build: 7795938

State: succeeded

Finished: 3 months ago

Quick Enable

#> dnf copr enable 34n0s/pam-authramp
More info about enabling Copr repositories

Other Actions

Report Abuse