Forcing your Linux users to wait after they input an incorrect password

When I run through my security checklist after building a host, one of the first things I change is the login failure delay. This option forces a user to wait a given number of microseconds after a login failure before they can try another password. Against tools that perform brute force attacks this can be extremely handy, since the tool will stall between unsuccessful passwords, hopefully allowing you to catch it in the act through log event notifications (this of course assumes the password attack occurs serially).

To configure a login delay on a CentOS or RHEL server, you can do one of two things. You can add the FAIL_DELAY variable to /etc/login.defs:

$ grep FAIL_DELAY /etc/login.defs
FAIL_DELAY 10000000

or you can add pam_faildelay.so to the /etc/pam.d/system-auth configuration file:

auth optional pam_faildelay.so delay=10000000 <---- add this
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

Once one of these two items is in place, you will be required to wait FAIL_DELAY microseconds before you can enter another password. This is a handy option, and one that should be implemented on every Linux server!
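As an added example (not part of the original post), a small audit helper that reads the two files edited above and reports which mechanism, if any, is in place. It assumes POSIX sh and awk, takes the file paths as parameters so it can be run against the constructed sample files instead of the live /etc files, and accounts for the pam_faildelay(8) behaviour that a pam_faildelay.so line without delay= falls back to FAIL_DELAY from /etc/login.defs.

```shell
# Added audit helper, not from the original post: reads a login.defs-style file
# and a PAM stack file (paths as parameters) and reports the configured delay.

# Print the FAIL_DELAY value from a login.defs-style file, empty if unset.
# Commented-out lines such as "#FAIL_DELAY 3" are not treated as configured.
login_defs_fail_delay() {
    awk '$1 == "FAIL_DELAY" { v = $2 } END { print v }' "$1"
}

# Print the delay= argument of an active pam_faildelay.so line in a PAM file.
# Prints "login.defs" when the module is listed without delay= (pam_faildelay
# then falls back to FAIL_DELAY), and nothing when the module is absent.
pam_faildelay_setting() {
    awk '$1 !~ /^#/ {
            mod = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /pam_faildelay\.so$/) mod = 1
                if (mod && $i ~ /^delay=/) { sub(/^delay=/, "", $i); v = $i }
            }
            if (mod && v == "") v = "login.defs"
        }
        END { print v }' "$1"
}

# One-line summary of the effective configuration for a host.
fail_delay_status() {
    ld=$(login_defs_fail_delay "$1")
    pam=$(pam_faildelay_setting "$2")
    if [ -n "$pam" ] && [ "$pam" != "login.defs" ]; then
        echo "pam_faildelay delay=$pam"
    elif [ "$pam" = "login.defs" ]; then
        echo "pam_faildelay via login.defs (FAIL_DELAY=${ld:-unset})"
    elif [ -n "$ld" ]; then
        echo "login.defs only (FAIL_DELAY=$ld)"
    else
        echo "no failure delay configured"
    fi
}

# Constructed samples standing in for /etc/login.defs and /etc/pam.d/system-auth.
tmp=$(mktemp -d)
printf '#FAIL_DELAY 3\nFAIL_DELAY 10000000\n' > "$tmp/login.defs"
printf 'auth optional pam_faildelay.so delay=10000000\nauth required pam_env.so\n' > "$tmp/system-auth"
printf '#auth optional pam_faildelay.so delay=5000000\nauth required pam_env.so\n' > "$tmp/system-auth-none"

fail_delay_status "$tmp/login.defs" "$tmp/system-auth"   # pam_faildelay delay=10000000
fail_delay_status /dev/null "$tmp/system-auth-none"      # no failure delay configured
```

On a live host, call fail_delay_status /etc/login.defs /etc/pam.d/system-auth instead of the sample paths.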

3 Comments

Chris Siebenmann on August 31st, 2010

I disagree strongly with this. In practice, in most environments the only thing a login delay does is inconvenience real users who accidentally entered their own password wrong. Attackers are perfectly capable of both opening lots of connections in parallel and dropping unresponsive connections after a short delay.

(In longer form: http://utcc.utoronto.ca/~cks/space/blog/sysadmin/NetworkAuthDelays)

Chris Siebenmann on September 1st, 2010

Let’s try that URL again so that it works: http://utcc.utoronto.ca/~cks/space/blog/sysadmin/NetworkAuthDelays

hoberion on October 1st, 2010

@chris interesting, so what would be a better solution when a firewall can't be implemented on 22?
