Forcing your Linux users to wait after they input an incorrect password


When I run through my security checklist after building a host, one of the first things I change is the login fail delay. This setting forces a user to wait a fixed interval after a failed login before another password is accepted. Against a brute-force tool this is handy: the tool stalls between unsuccessful guesses, buying you time to catch it through log event notifications. This assumes the guesses arrive serially over one session; an attacker who opens many connections in parallel pays the delay on each of them but is not slowed down overall, so the delay complements connection limits and log monitoring rather than replacing them.

To configure a login delay on a CentOS or RHEL server, you can do one of two things. You can set the FAIL_DELAY variable in /etc/login.defs. Its value is in seconds (not microseconds), and it is honored by the shadow-utils login program, i.e. console and getty logins:

$ grep FAIL_DELAY /etc/login.defs
FAIL_DELAY 10

or you can add pam_faildelay.so to the /etc/pam.d/system-auth configuration file. Its delay= argument is in microseconds, so 10000000 is ten seconds. This line takes effect for every PAM service whose file includes system-auth (on RHEL 6 and later, remote services such as sshd include password-auth instead, so add the same line there):

auth optional pam_faildelay.so delay=10000000 <---- add this
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

Once one of these two items is in place, a failed login costs the user ten seconds before another password is accepted (remember the units: FAIL_DELAY is in seconds, pam_faildelay's delay= is in microseconds). Two details worth knowing when you tune the value: pam_unix already requests a delay of about two seconds on failure unless it is given the nodelay option, and libpam applies the longest delay requested by any module in the stack, randomized somewhat around that value, so the configured figure is a target rather than an exact stall. This is a handy option, and one that should be implemented on every Linux server!
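Because the two knobs use different units, a quick audit script is the easiest way to see what a host actually has. The following helper is an added example, not code from the original post; it reads a login.defs-style file and a PAM service file (paths are passed in, so the sample files it creates below are constructed rather than copied from a real host), normalizes both settings to seconds and flags the two classic mistakes, a microsecond count in FAIL_DELAY and a second count in delay=.

```shell
#!/bin/sh
# Added audit helper (not part of the original article).
# login.defs FAIL_DELAY is in SECONDS; pam_faildelay.so delay= is in MICROSECONDS.

# Seconds configured by FAIL_DELAY in a login.defs-style file (0 if unset).
login_defs_delay() {
    awk '!/^[[:space:]]*#/ && $1 == "FAIL_DELAY" { v = $2 }
         END { if (v == "") v = 0; print v }' "$1"
}

# Seconds (six decimals) requested by pam_faildelay.so in a PAM service file
# (0 if the module is absent or carries no delay= argument).
pam_faildelay_delay() {
    awk '!/^[[:space:]]*#/ && $1 ~ /^-?auth$/ && /pam_faildelay\.so/ {
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^delay=[0-9]+$/) { sub(/^delay=/, "", $i); usec = $i }
         }
         END { if (usec == "") usec = 0; printf "%.6f\n", usec / 1000000 }' "$1"
}

# Report both delays in seconds; return 1 when a value looks like a unit mix-up.
check_delays() {
    defs=$(login_defs_delay "$1")
    pam=$(pam_faildelay_delay "$2")
    status=0
    echo "login.defs FAIL_DELAY: ${defs}s   pam_faildelay delay: ${pam}s"
    # A FAIL_DELAY above five minutes is almost certainly a microsecond count.
    if [ "$defs" -gt 300 ]; then
        echo "WARNING: FAIL_DELAY is in seconds; $defs looks like microseconds"
        status=1
    fi
    # A pam_faildelay delay under one second is almost certainly a second count.
    case "$pam" in
        0.000000) echo "NOTE: pam_faildelay.so is not in this PAM stack" ;;
        0.*)      echo "WARNING: delay= is in microseconds; ${pam}s is too short to matter"
                  status=1 ;;
    esac
    return $status
}

# Constructed sample files (hypothetical, not from a real host): the login.defs
# value is the microsecond mistake, the PAM line is the correct ten seconds.
demo_dir=$(mktemp -d)
printf '%s\n' '# sample login.defs' 'FAIL_DELAY 10000000' > "$demo_dir/login.defs"
printf '%s\n' 'auth optional pam_faildelay.so delay=10000000' \
              'auth required pam_env.so' > "$demo_dir/system-auth"
check_delays "$demo_dir/login.defs" "$demo_dir/system-auth" || true
rm -rf "$demo_dir"
```

Run it against the real files with check_delays /etc/login.defs /etc/pam.d/system-auth (and /etc/pam.d/password-auth on RHEL 6 and later); a non-zero exit means one of the values deserves a second look.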

This article was posted by Matty on 2010-08-31 16:20:00 -0400