pam_faildelay
Introduce delay after failed authentication attempts
SYNOPSIS
```
pam_faildelay.so [delay=microseconds]
```
PARAMETERS
delay=microseconds
Specifies the delay, in microseconds, applied after a failed authentication. The default value is usually 1000000 (1 second). The value must be a positive integer.
DESCRIPTION
The pam_faildelay PAM module introduces a delay after a failed authentication attempt. It is designed to thwart brute-force password attacks by increasing the time each login attempt takes. The delay is configurable and applies only to failed authentications, so it raises the cost of password-guessing attacks for adversaries without slowing successful logins.
pam_faildelay slows brute-force attempts but does not prevent them; use it as one layer in a multi-layered defence. Choose the delay with usability in mind, since an overly long delay inconveniences legitimate users.
CAVEATS
Overly long delays frustrate legitimate users who mistype a password; choose a delay that balances security and usability. The module does *not* prevent brute-force attacks; it only slows them down. The delay is a sleep in the process handling that one authentication, so an attacker who opens many sessions in parallel is slowed only per session. The module requests the delay through pam_fail_delay(3); libpam applies it when pam_authenticate(3) returns failure, and an application that installs its own PAM_FAIL_DELAY handler may alter or suppress it. If an earlier auth module in the stack is marked requisite, its failure ends the stack before pam_faildelay runs, so the delay is never requested. Finally, pam_faildelay does nothing against attacks that bypass password authentication altogether.
CONFIGURATION
To use pam_faildelay, you need to add it to the PAM configuration file for the service you want to protect (e.g., /etc/pam.d/login, /etc/pam.d/sshd). The most common placement is within the `auth` section of the PAM configuration.
Example line:
```
auth required pam_faildelay.so delay=2000000
```
This line inserts a 2-second delay after each failed authentication attempt.
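As an added example (not code from the Linux-PAM project or this man page), the following shell script audits a PAM service file of the kind described above: it reports the pam_faildelay delay= value, flags a stack where a requisite auth module precedes pam_faildelay (so a failure there ends the stack before the delay is requested), and validates a delay value against the positive-integer rule. The two service files it reads are constructed samples written to temporary files; the function names, the PAM_FAILDELAY_AWK variable and the sample contents are this example's own assumptions. Point the functions at a real file such as /etc/pam.d/sshd to audit a live system; the script only reads.

```shell
#!/bin/sh
# Added example, not part of the Linux-PAM project or the pam_faildelay man page.
# Audits a /etc/pam.d/<service>-style file for pam_faildelay (read-only).

# awk program: walk "auth" lines, handle keyword controls ("required") and
# bracketed controls ("[success=1 default=ignore]"), and print one line:
#   "<delay in microseconds|default|absent> <1 if a requisite auth line precedes pam_faildelay, else 0>"
PAM_FAILDELAY_AWK='
function module_index(   j) {               # field number of the module path
    if ($2 !~ /^\[/) return 3
    for (j = 2; j <= NF; j++) if ($j ~ /\]$/) return j + 1
    return 0                                # malformed bracketed control
}
{ sub(/^-/, "", $1) }                       # "-auth" is an auth line that logs quietly
$1 ~ /^#/ || $1 != "auth" { next }          # comments, blank lines, other module types
{
    m = module_index()
    if (m == 0 || m > NF) next
    if ($2 == "requisite" && !found) requisite_before = 1
    if ($m ~ /(^|\/)pam_faildelay\.so$/ && !found) {
        found = 1
        for (i = m + 1; i <= NF; i++)       # module arguments follow the path
            if ($i ~ /^delay=[0-9]+$/) { sub(/^delay=/, "", $i); val = $i }
    }
}
END {
    if (!found) d = "absent"; else if (val == "") d = "default"; else d = val
    print d, requisite_before + 0
}'

faildelay_scan() { awk "$PAM_FAILDELAY_AWK" "$1"; }

# faildelay_us FILE: configured delay in microseconds, or "default" when
# pam_faildelay is present without delay=, or "absent" when not configured.
faildelay_us() { faildelay_scan "$1" | cut -d' ' -f1; }

# faildelay_after_requisite FILE: true when a requisite auth module comes first,
# so its failure ends the stack before pam_faildelay ever runs.
faildelay_after_requisite() { [ "$(faildelay_scan "$1" | cut -d' ' -f2)" = 1 ]; }

# faildelay_is_valid VALUE: delay= must be a positive integer (microseconds).
faildelay_is_valid() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -gt 0 ]
}

# Constructed sample service files (stand-ins for /etc/pam.d/<service>).
SAMPLE_OK=$(mktemp); SAMPLE_SKIPPED=$(mktemp)
trap 'rm -f "$SAMPLE_OK" "$SAMPLE_SKIPPED"' EXIT
cat >"$SAMPLE_OK" <<'EOF'
# constructed sample: pam_faildelay with an explicit 2-second delay
auth       required     pam_unix.so
auth       required     pam_faildelay.so delay=2000000
account    required     pam_unix.so
EOF
cat >"$SAMPLE_SKIPPED" <<'EOF'
# constructed sample: requisite module before pam_faildelay, no delay= argument
auth       [success=1 default=ignore]  pam_unix.so nullok
auth       requisite    pam_deny.so
auth       required     pam_faildelay.so
EOF

# Report what the checker sees for each constructed stack.
for f in "$SAMPLE_OK" "$SAMPLE_SKIPPED"; do
    printf '%s: delay=%s requisite_before=%s\n' "$f" "$(faildelay_us "$f")" \
        "$(faildelay_after_requisite "$f" && echo yes || echo no)"
done
```

The bracketed-control handling matters in practice: distribution stacks commonly use `[success=1 default=ignore]` on the pam_unix line, and a naive third-field check would misread the module name on such lines.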
SECURITY CONSIDERATIONS
While pam_faildelay adds a layer of security, it should not be the only security measure in place. Strong passwords, multi-factor authentication, and regular security audits are also crucial. The effectiveness of pam_faildelay is limited if the system is vulnerable to other attacks that bypass password authentication.
HISTORY
The pam_faildelay module was developed to address the increasing threat of automated brute-force password attacks against Linux systems. It's been a standard part of PAM configurations in most distributions for many years.