diff --git a/linux-pam/Makefile b/linux-pam/Makefile
new file mode 100644
index 0000000000000000000000000000000000000000..3ab1fc9564bfdfbfc05e3a26f82208bffdf815fe
--- /dev/null
+++ b/linux-pam/Makefile
@@ -0,0 +1,38 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=linux-pam
+PKG_VERSION:=1.7.0
+PKG_RELEASE:=1
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://github.com/linux-pam/linux-pam.git
+PKG_SOURCE_VERSION:=v$(PKG_VERSION)
+PKG_MIRROR_HASH:=skip
+
+include $(INCLUDE_DIR)/package.mk
+include $(INCLUDE_DIR)/meson.mk
+
+define Package/linux-pam
+  SECTION:=libs
+  CATEGORY:=Libraries
+  TITLE:=Linux PAM Module
+  DEPENDS:=+libpam
+endef
+
+MESON_ARGS += \
+	-Dprefix=/usr \
+	-Ddefault_library=shared \
+	-Ddocs=disabled \
+	-Deconf=disabled \
+	-Dselinux=disabled \
+	-Dnis=disabled \
+	-Dexamples=false \
+	-Dxtests=false
+
+define Package/linux-pam/install
+	$(INSTALL_DIR) $(1)/usr/lib/security
+	$(INSTALL_DIR) $(1)/etc/uci-defaults/
+	$(INSTALL_BIN) ./files/pam_faillock.uci_default $(1)/etc/uci-defaults/99-add_pam_faillock
+endef
+
+$(eval $(call BuildPackage,linux-pam))
diff --git a/linux-pam/files/pam_faillock.uci_default b/linux-pam/files/pam_faillock.uci_default
new file mode 100644
index 0000000000000000000000000000000000000000..45af5dc45aaec1dc5a41a89ce1d8b4b6674b5bed
--- /dev/null
+++ b/linux-pam/files/pam_faillock.uci_default
@@ -0,0 +1,43 @@
+#!/bin/sh
+
+create_faillock_files()
+{
+	# also create files needed by pam_faillock
+	touch /var/log/faillock
+	chmod 700 /var/log/faillock
+	touch /var/log/btmp
+	chmod 700 /var/log/btmp
+}
+
+update_pam_common_auth()
+{
+	local file="/etc/pam.d/common-auth"
+	local deny=6
+	local unlock_time=300
+
+	# update pam_unix.so line
+	sed -i -E 's|^.*pam_unix\.so.*|auth\t sufficient\tpam_unix.so nullok_secure|' "$file"
+
+	# Insert pam_faillock lines before and after pam_unix.so
+	sed -i -E "/pam_unix.so nullok_secure/i auth     required       pam_faillock.so preauth deny=$deny even_deny_root unlock_time=$unlock_time" "$file"
+	sed -i -E "/pam_unix.so nullok_secure/a auth     [default=die]  pam_faillock.so authfail audit deny=$deny even_deny_root unlock_time=$unlock_time" "$file"
+}
+
+update_pam_common_account()
+{
+	# update account file
+	sed -i "/pam_unix.so/ i account  required       pam_faillock.so" /etc/pam.d/common-account
+}
+
+if [ -f "/usr/lib/security/pam_faillock.so" ]; then
+	update_pam_common_auth
+	update_pam_common_account
+	create_faillock_files
+fi
+
+if [ -f /etc/config/sshd ]; then
+	uci -q set sshd.@sshd[0].UsePAM=1
+	uci commit sshd
+fi
+
+exit 0