34n0s/pam-authramp
Project ID: 114986
Description
pam-authramp
https://github.com/34N0/pam-authramp
The AuthRamp PAM (Pluggable Authentication Modules) module provides an account lockout mechanism based on the number of authentication failures. It calculates a dynamic delay for subsequent authentication attempts, increasing the delay with each failure to mitigate brute force attacks.
Installation Instructions
Configuration
PAM service
Edit the PAM service stacks in '/etc/pam.d'. Add the preauth hook before the authentication module:
auth required libpam_authramp.so preauth
The actual authentication module needs to be 'sufficient':
auth sufficient pam_unix.so
Add the authfail hook right after the authentication module:
auth [default=die] libpam_authramp.so authfail
And finally add the module to the top of the account stack:
account required libpam_authramp.so
authramp.conf
Create a configuration file under /etc/security/authramp.conf. This is an example configuration:
# AuthRamp Configuration File
# This file configures the behavior of the AuthRamp PAM module.
#
[Configuration]
# Directory where tally information is stored.
# Each user has a separate file in this directory to track authentication failures.
# tally_dir = "/var/run/authramp"
#
# Number of allowed free authentication attempts before applying delays.
# During these free tries, the module allows authentication without introducing delays.
# free_tries = 6
#
# Base delay applied to each authentication failure.
# This is the initial delay applied after the free tries are exhausted.
# base_delay_seconds = 30
#
# Multiplier for the delay calculation based on the number of failures.
# The delay for each subsequent failure is calculated as follows:
# delay = ramp_multiplier * (fails - free_tries) * ln(fails - free_tries) + base_delay_seconds
# ramp_multiplier = 50
#
# Even lock out the root user. Enabling this can be dangerous and may result in a total system lockout.
# For auditing purposes, the tally will still be created for the root user, even if this setting is disabled.
# If you plan to enable this feature, make sure there isn't any tally stored under <tally_dir>/root, or you risk immediate lockout.
# even_deny_root = false
#
# Whether the PAM user messages in the login screen should update automatically or not.
# countdown = false
perstistent lockout
By default the lockout is not persistet between system reboots. This makes sense for systems configured with a LUKS full disk encryption. If you're system is encrypted in a different way, like systemd-homed change the tally_dir = "/var/run/authramp"
setting to a persisted folder. The suggested folder is /var/lib/authramp
.
default delay
The default configuration of this module is very restrictive. The standard delays are:
- 0 to 6 failed attempts: no delay (2 sessions of 3 tries)
- 7th failed attempt: 30-second delay
- 15th failed attempt: 15 minutes delay
- 30th failed attempt: 1-hour delay
- 300th or later failed attempt: 24 hours delay
The formula used to calculate the delay is:
f : failedAttempts
f₀ : freeTries
r : rampMultiplier
b : baseDelaySeconds
delay = r * (f - f₀) * log(f - f₀) + b
Reset user
The cli uses the reads the same configuration in authramp.conf
.
$ authramp --help
█████ ██ ████████████ ████████ █████ ███ █████████
██ ████ ██ ██ ██ ████ ████ ██████ ██████ ██
█████████ ██ ██ █████████████ █████████ ████ ████████
██ ████ ██ ██ ██ ████ ████ ████ ██ ████
██ ██ ██████ ██ ██ ████ ████ ████ ████
by 34n0@immerda.ch
Usage: authramp [COMMAND]
Commands:
reset Reset a locked PAM user
help Print this message or the help of the given subcommand(s)
Options:
-h, --help Print help
Active Releases
The following unofficial repositories are provided as-is by owner of this project. Contact the owner directly for bugs or issues (IE: not bugzilla).
Release | Architectures | Repo Download |
---|---|---|
Fedora 39 | x86_64 (35)* | Fedora 39 (58 downloads) |
Fedora 40 | x86_64 (3)* | Fedora 40 (29 downloads) |
Fedora 41 | x86_64 (2)* | Fedora 41 (8 downloads) |
Fedora rawhide | x86_64 (1)* | Fedora rawhide (24 downloads) |
* Total number of downloaded packages.