1. Home
  2. 34n0s
  3. pam-authramp
  4. Overview
  • 0

34n0s/pam-authramp

Project ID: 114986

Description

pam-authramp

The AuthRamp PAM (Pluggable Authentication Modules) module provides an account lockout mechanism based on the number of authentication failures. It calculates a dynamic delay for subsequent authentication attempts, increasing the delay with each failure to mitigate brute force attacks.

Installation Instructions

Configuration

PAM service

Edit the PAM service stacks in '/etc/pam.d'. Add the preauth hook before the authentication module:

auth        required                                     libpam_authramp.so preauth

The actual authentication module needs to be 'sufficient':

auth        sufficient                                   pam_unix.so

Add the authfail hook right after the authentication module:

auth        [default=die]                                libpam_authramp.so authfail

And finally add the module to the top of the account stack:

account     required                                     libpam_authramp.so

authramp.conf

Create a configuration file under /etc/security/authramp.conf. This is an example configuration:

# AuthRamp Configuration File
# This file configures the behavior of the AuthRamp PAM module.
#
[Settings]
# Directory where tally information is stored.
# Each user has a separate file in this directory to track authentication failures.
tally_dir = /var/run/authramp
#
# Number of allowed free authentication attempts before applying delays.
# During these free tries, the module allows authentication without introducing delays.
free_tries = 6
#
# Base delay applied to each authentication failure.
# This is the initial delay applied after the free tries are exhausted.
base_delay_seconds = 30
#
# Multiplier for the delay calculation based on the number of failures.
# The delay for each subsequent failure is calculated as follows:
# delay = ramp_multiplier * (fails - free_tries) * ln(fails - free_tries) + base_delay_seconds
ramp_multiplier = 50
#
# Even lock out the root user. Enabling this can be dangerous and may result in a total system lockout.
# For auditing purposes, the tally will still be created for the root user, even if this setting is disabled.
# If you plan to enable this feature, make sure there isn't any tally stored under <tally_dir>/root, or you risk immediate lockout.
even_deny_root = false

default delay

The default configuration of this module is very restrictive. The standard delays are:

  • 0 to 6 failed attempts: no delay (2 sessions of 3 tries)
  • 7th failed attempt: 30-second delay
  • 15th failed attempt: 15 minutes delay
  • 30th failed attempt: 1-hour delay
  • 300th or later failed attempt: 24 hours delay

The formula used to calculate the delay is:

f : failedAttempts  
f₀ : freeTries  
r : rampMultiplier  
b : baseDelaySeconds  
delay = r * (f - f₀) * log(f - f₀) + b

Reset user

The cli uses the reads the same configuration in authramp.conf To reset the user use the authramp command:

sudo authramp reset --user <user>

Active Releases

The following unofficial repositories are provided as-is by owner of this project. Contact the owner directly for bugs or issues (IE: not bugzilla).

Release Architectures Repo Download
Fedora 39 x86_64 (27)* Fedora 39 (30 downloads)

* Total number of downloaded packages.


Homepage Contact

Last Build

pam-authramp

Build: 7006730

State: succeeded

Finished: 2 months ago

Quick Enable

#> dnf copr enable 34n0s/pam-authramp
More info about enabling Copr repositories

Other Actions

Report Abuse