mediumaccess-controlverified ✓rollback-safe
Enforce delay after failed logon attempt
pam-faildelay · RHEL ≥ 8 · 1 impl
Description
The pam_faildelay.so module must be configured with a delay of at least 4 seconds (4000000 microseconds) between logon prompts following a failed logon attempt.
Rationale
Inserting a delay after a failed logon attempt limits the rate of brute-force attacks. A minimum 4-second delay significantly slows automated attack tools.
Check → Remediate
Checkconfig_value
- delimiter:
- path:
- /etc/login.defs
- key:
- FAIL_DELAY
- expected:
- 4
- comparator:
- >=
Remediateconfig_set
- path:
- /etc/login.defs
- key:
- FAIL_DELAY
- value:
- 4
- separator:
Framework references
STIG
V-258071 / RHEL-09-412050V-230378V-281179 / RHEL-10-600200
NIST 800-53
AC-7
Live verification
rhel10:checkrhel8:checkrhel9:check
#pam#authentication#faildelay#brute-force