pam_faildelay
Introduce delay after failed authentication attempts
SYNOPSIS
auth required pam_faildelay.so [delay=N]
Note: This is a PAM module configuration, not a standalone shell command.
PARAMETERS
delay=N
Specifies the number of seconds to delay after a failed authentication attempt. N must be a non-negative integer. If delay is not specified, or if N is 0, no delay is introduced by this module.
DESCRIPTION
pam_faildelay is a Pluggable Authentication Modules (PAM) module designed to introduce a configurable delay after a failed authentication attempt. This delay helps to mitigate brute-force password guessing attacks by making repeated login attempts more time-consuming for an attacker.
When configured in a PAM service file (e.g., in /etc/pam.d/sshd or /etc/pam.d/login), this module is typically placed in the auth stack. If the authentication process up to that point has failed (indicated by a non-success return code from previous modules), pam_faildelay.so will pause execution for the specified number of seconds before returning control to the application. This prevents an attacker from rapidly cycling through many password guesses on a single authentication session.
While effective against simple brute-force attacks, it should be used in conjunction with other security measures like account lockout policies to provide comprehensive protection.
CAVEATS
pam_faildelay specifically introduces a delay for failed attempts. It does not prevent brute-force attacks entirely, but rather slows them down. For comprehensive security, it should be combined with other PAM modules that implement account lockout mechanisms (e.g., pam_faillock.so or pam_tally2.so) after a certain number of consecutive failed attempts. Setting an excessively long delay might inconvenience legitimate users who mistype their password multiple times, although the primary impact is on automated attack scripts.
PLACEMENT IN PAM STACK
For pam_faildelay to be effective, it must be placed within the auth stack of a PAM service configuration. It typically makes sense to place it after modules that perform the actual authentication check (like pam_unix.so), so it can react to their failure status.
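The following is an added example, not part of the original module documentation or the Linux-PAM project: a small Python checker that parses a PAM service file and reports whether pam_faildelay.so sits in the auth stack after pam_unix.so with a positive delay= value, as the PLACEMENT section requires. The sample service file is constructed for illustration. The checker only validates the integer; the unit of N follows the PARAMETERS section above (the upstream Linux-PAM pam_faildelay(8) manual documents delay= in microseconds, so confirm which unit your build uses before choosing N).

```python
import re
from dataclasses import dataclass, field

# Constructed sample auth stack in /etc/pam.d style (not taken from any real host).
SAMPLE_PAM_SERVICE = """\
# auth stack for an example service
auth    required    pam_env.so
auth    required    pam_unix.so nullok
auth    required    pam_faildelay.so delay=5
auth    optional    pam_cap.so
account required    pam_unix.so
"""

@dataclass
class PamLine:
    facility: str          # auth, account, password, session
    control: str           # required, optional, [success=1 default=ignore], ...
    module: str            # e.g. pam_unix.so
    args: list = field(default_factory=list)

def parse_pam_service(text):
    """Parse the non-comment lines of a PAM service file into PamLine records.
    Handles '#' comments, blank lines and the bracketed [ ... ] control syntax."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        facility, control, module, rest = m.groups()
        entries.append(PamLine(facility, control, module, rest.split()))
    return entries

def faildelay_value(args):
    """Return N from a pam_faildelay 'delay=N' argument, or 0 when delay= is absent.
    Raises ValueError when N is not a non-negative integer."""
    for a in args:
        if a.startswith("delay="):
            value = a[len("delay="):]
            if not value.isdigit():
                raise ValueError(f"delay must be a non-negative integer, got {value!r}")
            return int(value)
    return 0

def check_faildelay_placement(entries):
    """Check the auth stack for pam_faildelay: present, after pam_unix, positive delay.
    Returns a list of findings; an empty list means the stack matches the guidance."""
    auth = [e for e in entries if e.facility == "auth"]
    findings = []
    unix_idx = next((i for i, e in enumerate(auth) if e.module == "pam_unix.so"), None)
    fd_idx = next((i for i, e in enumerate(auth) if e.module == "pam_faildelay.so"), None)
    if fd_idx is None:
        findings.append("pam_faildelay.so is not in the auth stack")
        return findings
    if unix_idx is not None and fd_idx < unix_idx:
        findings.append("pam_faildelay.so precedes pam_unix.so, so it cannot react to its failure")
    if faildelay_value(auth[fd_idx].args) == 0:
        findings.append("delay is 0 or missing, so no delay is introduced")
    return findings

if __name__ == "__main__":
    for finding in check_faildelay_placement(parse_pam_service(SAMPLE_PAM_SERVICE)) or ["ok"]:
        print(finding)
```

Run it against a real service file by reading /etc/pam.d/<service> into parse_pam_service; the checker deliberately treats a missing delay= the same as delay=0, since both mean the module introduces no delay.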
SECURITY STRATEGY INTEGRATION
While simple, pam_faildelay is a foundational component of a layered security approach. By slowing down attackers, it increases the time required for a successful compromise, providing a longer window for detection and response, especially when combined with logging and intrusion detection systems.
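As an added example of the logging and detection side mentioned above (not code from the original page or from Linux-PAM), the Python below reads sshd "Failed password" lines, measures the interval between consecutive failures from each source, and lists sources whose failures arrive faster than the configured delay. The per-attempt delay bounds the rate of one session; a faster aggregate rate from one source indicates many parallel connections, which is exactly the case the CAVEATS section says needs an account lockout module alongside pam_faildelay. The log lines are constructed for illustration, and the delay is compared in the seconds unit used by the PARAMETERS section.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog-style sshd lines (not captured from a real system).
SAMPLE_LOG = """\
Jan  5 10:00:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51001 ssh2
Jan  5 10:00:06 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51001 ssh2
Jan  5 10:00:11 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51001 ssh2
Jan  5 10:00:11 host sshd[1203]: Failed password for root from 203.0.113.9 port 40122 ssh2
Jan  5 10:00:12 host sshd[1204]: Failed password for root from 203.0.113.9 port 40123 ssh2
Jan  5 10:00:13 host sshd[1205]: Failed password for root from 203.0.113.9 port 40124 ssh2
Jan  5 10:00:20 host sshd[1206]: Accepted password for alice from 192.0.2.5 port 40200 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_failures(text, year=2024):
    """Return (timestamp, user, source) for each failed-password line.
    Syslog timestamps carry no year, so one is supplied by the caller."""
    failures = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m["user"], m["src"]))
    return failures

def min_gap_per_source(failures):
    """Smallest interval in seconds between consecutive failures from the same source."""
    by_src = defaultdict(list)
    for ts, _user, src in failures:
        by_src[src].append(ts)
    gaps = {}
    for src, stamps in by_src.items():
        stamps.sort()
        if len(stamps) < 2:
            continue
        gaps[src] = min((b - a).total_seconds() for a, b in zip(stamps, stamps[1:]))
    return gaps

def sources_faster_than_delay(failures, delay_seconds):
    """Sources whose failures arrive closer together than the configured delay.
    pam_faildelay slows each session; a tighter spacing means several sessions
    in parallel, which only an account lockout policy (pam_faillock) can cap."""
    return sorted(src for src, gap in min_gap_per_source(failures).items()
                  if gap < delay_seconds)

if __name__ == "__main__":
    found = parse_failures(SAMPLE_LOG)
    print(min_gap_per_source(found))
    print("faster than delay=5:", sources_faster_than_delay(found, 5))
```

In the sample, 198.51.100.7 guesses over one connection and its failures are spaced by the delay, while 203.0.113.9 opens a new connection per guess and is flagged. Feed real journal or auth.log output into parse_failures with the correct year to run the same check on a host.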
HISTORY
The pam_faildelay module is part of the Linux-PAM project, which provides a flexible and modular system for authentication services on Linux. Its development is integrated within the broader evolution of PAM, aiming to offer granular control over authentication policies. This specific module was introduced to address the need for a simple, direct mechanism to deter brute-force attacks by imposing a time penalty on failed login attempts, thereby enhancing system security without complex configurations.
SEE ALSO
pam(8), pam_faillock(8), pam_tally2(8), pam_unix(8)