Is this a reasonable approach?
Digant C Kasundra
digant at uta.edu
Mon Jan 3 21:23:37 UTC 2005
That's exciting! I'm definitely interested in giving it a try. Where
can I get it?
On Mon, 2005-01-03 at 15:05, Andy Armstrong wrote:
> Andy Armstrong wrote:
> > Hi folks and happy new year,
> >
> > I'm writing a PAM module that will allow me to reject connections from
> > remote hosts that have been responsible for a large number of failed login
> > attempts. I've pretty much got working code but I'm agonising over the
> > best way to log failed attempts.
> >
> > I can get something working by flagging a request as potentially failed
> > during auth processing and then clearing that flag if we get as far as
> > session processing. I'd use pam_set_data() effectively for the side
> > effect of giving me a callback to the cleanup routine which is where I'd
> > actually record the success or failure of the login attempt (in a DBM
> > database).
> >
> > I assume that'll work in which case it'll scratch my immediate itch but
> > I also assume that it's not the cleanest way to detect a failed auth
> > attempt. Can anyone recommend a nicer approach?
>
> The module is complete and working now. It successfully rejects auth
> attempts from hosts that are responsible for excessive authentication
> failures according to a configurable set of rules.
>
> It still needs to function both as an auth and a session module to find
> out whether authentication was ultimately successful so you end up with
> a config like this (this is my /etc/pam.d/system-auth):
>
> auth required /lib/security/$ISA/pam_abl.so \
> config=/etc/pam_abl.conf
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> auth required /lib/security/$ISA/pam_deny.so
>
> session required /lib/security/$ISA/pam_abl.so
> session required /lib/security/$ISA/pam_unix.so
>
> If anyone can give me any insight as to how to avoid the need for the
> session hook I'd be grateful.
>
> I'll document it and release it on my site sometime in the next couple
> of days. Is there anything else I should usefully do to announce it to
> interested parties?
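The auth/session two-phase bookkeeping Andy describes above (flag the attempt as failed during auth, clear the flag if the session phase is reached, and let the cleanup callback record the outcome and enforce a per-host failure threshold) can be modelled outside PAM. The following is an added illustrative example, not pam_abl's own code and not part of the thread: the DBM store is replaced by an in-memory dict, the "configurable rules" are reduced to a single assumed rule of "N failures within T seconds", and the per-handle pending flag is simplified to a per-host flag.

```python
"""Model of pam_abl-style per-host failure tracking (illustrative, not pam_abl code).

Assumptions (not from the thread): a single rule "max_failures within
window_seconds", an in-memory dict standing in for the DBM database, and
a per-host pending flag standing in for PAM handle data.
"""
import time
from collections import defaultdict, deque


class HostFailureTracker:
    def __init__(self, max_failures, window_seconds, clock=time.time):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock                      # injectable for testing
        self._failures = defaultdict(deque)     # host -> failure timestamps
        self._pending = {}                      # host -> "potentially failed" flag

    def _prune(self, host, now):
        """Drop failures that have aged out of the rule's window."""
        q = self._failures[host]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_blocked(self, host):
        """Rule check: has this host hit the failure threshold in the window?"""
        now = self.clock()
        self._prune(host, now)
        return len(self._failures[host]) >= self.max_failures

    def begin_auth(self, host):
        """Auth phase: refuse blocked hosts, otherwise mark the attempt as
        potentially failed (the flag set via pam_set_data in the thread)."""
        if self.is_blocked(host):
            return False
        self._pending[host] = True
        return True

    def session_opened(self, host):
        """Session phase: reaching here means authentication succeeded,
        so clear the potentially-failed flag."""
        self._pending[host] = False

    def cleanup(self, host):
        """Stand-in for the pam_set_data cleanup callback: record the
        final outcome of the attempt. If the session phase never ran
        (auth failed), the pending flag is still set and a failure is logged."""
        failed = self._pending.pop(host, True)
        now = self.clock()
        if failed:
            self._prune(host, now)
            self._failures[host].append(now)
        else:
            self._failures.pop(host, None)      # a clean login resets the host

    def failure_count(self, host):
        self._prune(host, self.clock())
        return len(self._failures[host])


def demo():
    """Constructed scenario: three bad logins from one host, then the window expires."""
    fake_now = [1000.0]
    tracker = HostFailureTracker(max_failures=3, window_seconds=60,
                                 clock=lambda: fake_now[0])
    host = "198.51.100.7"   # constructed sample address
    for _ in range(3):
        tracker.begin_auth(host)
        tracker.cleanup(host)        # session never opened -> failure recorded
    blocked_now = tracker.is_blocked(host)
    fake_now[0] += 61                # failures age out of the window
    blocked_later = tracker.is_blocked(host)
    return blocked_now, blocked_later


if __name__ == "__main__":
    print(demo())
```

The `session_opened` call is what makes the session hook necessary in this design: nothing in the auth phase alone tells the module whether the overall stack succeeded, which is exactly the limitation Andy asks about.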