Forcing your Linux users to wait after they input an incorrect password

When I run through my security checklist after building a host, one of the first things I change is the login fail delay. This option allows you to force a user to wait a given number of microseconds after a login failure before being able to try another password. For applications that perform brute force attacks this can be extremely handy, since the application performing the brute force attacks will stall in between unsuccessful passwords, hopefully allowing you to catch them in the act through log event notifications (this of course assumes the password attack occurs serially).

To configure a login delay on a CentOS or RHEL server, you can do one of two things. You can add the FAIL_DELAY variable to /etc/login.defs:

$ grep FAIL_DELAY /etc/login.defs

FAIL_DELAY 10000000

or you can add to /etc/pam.d/system-auth configuration file:

auth optional delay=10000000 <---- add this
auth required
auth sufficient nullok try_first_pass
auth requisite uid >= 500 quiet
auth required

Once one of these two items is in place, you will now be required to wait for FAIL_DELAY microseconds prior to being able to enter another password. This is a handy option, and one that should be implemented on every Linux server!

This article was posted by Matty on 2010-08-31 16:20:00 -0400 EDT