pam_tally with sshd: ssh password-based failures not tally'd
George Hansper
george-lists at anstat.com.au
Mon Jan 10 00:31:39 UTC 2005
Hello Andy,
I've downloaded and compiled the pam_abl package.
Basically, it seems to work quite well. I did notice the following:
a) It requires the /etc/ssh/sshd_config setting:
UsePAM yes
ChallengeResponseAuthentication no
for openssh-server 3.9p1-7 (Fedora Core 3/Mandrake 10.1)
b) sshd normally allows 3 tries before kicking the user out of the
password dialog. This registers as 1 user failure and 1 host failure
for pam_abl.
Changing the /etc/ssh/sshd_config setting:
MaxAuthTries 1
limits the user to 1 try per TCP connection, and brings pam_abl into
line with real attempts.
This works for Fedora Core 3 (openssh-server 3.9p1-7)
For Mandrake 10.1, 'MaxAuthTries N' allows 'N+1' tries, and never allows more
than 3 tries anyway. 'MaxAuthTries 1' kicks you out before you start!
I'm reluctant to set 'MaxAuthTries 0', even though this works. I thought
I had Mandrake allowing "N-1" tries, too, though I can't reproduce it for now.
For Red Hat ES3/WS3 using openssh-server-3.6.1p2, the option MaxAuthTries
does not exist, and we are stuck with the 3:1 ratio of real:measured
failures.
c) Once a user or host has been locked, there does not seem to be any
way to unlock the account manually, before the 'purge' time has elapsed.
The locking appears to apply to a particular host, so I don't think this
would arise except during testing. Once a host has exceeded its failed-login
limit, I would be reluctant to unlock it at a user's request.
"user locking" appears to be "user-host locking", in that it is not the
user's account which gets locked, but a particular user-host combination.
d) It would be useful if the pam_abl command, in addition to the list of
failed attempts, would give a clear indication of which hosts and user-hosts
are currently black-listed.
e) It might be better if the 'pam_abl -v' command also showed the hostname/ip
for each failed user-attempt.
e.g.:
Failed users:
george (3)
Mon Jan 10 11:22:49 2005 localhost
Mon Jan 10 11:22:35 2005 www.example.net
Mon Jan 10 11:22:31 2005 localhost
Similar could be applied to "Failed hosts" output, which could
show the username for each attempt.
Failed hosts:
localhost (1)
Mon Jan 10 11:17:14 2005 george
Is there a place for "user-only locking"? Perhaps for a distributed attack on
a particular user?
f) The pam_abl command REQUIRES the default-config to be specified, ie:
pam_abl /etc/security/pam_abl.conf
works, while
pam_abl
fails. This gets annoying pretty quickly.
g) The "host" field printed by pam_abl seems to be recorded as a
an IP address, even though hostnames are printed. It would be nice
to have the choice of hostname/IP address for the output.
In its current form pam_abl is already useful. I am looking forward to
seeing future enhancements, and I hope it will be included in the
"standard" Linux-pam package in the near future.
Regards,
George Hansper
Andy Armstrong wrote:
> George Hansper wrote:
>
>> Hi,
>>
>> I've been looking at pam_tally as a means of discouraging "brute force"
>> ssh attacks. I have noticed, like Adam Monsen in a previous e-mail:
>>
>> http://www.redhat.com/archives/pam-list/2004-October/msg00047.html
>>
>> that once the maximum password failures has been exceeded,
>> SSH/PAM still give a clear indication of when you've cracked the right
>> password.
>
>
> I don't know if it helps but pam_abl[1] produces the same response for
> blacklisted hosts/users whether or not they supply the correct
> credentials. It also disables logins based on the originating host
> rather than the user so accounts that are under attack typically remain
> usable by their legitimate owner.
>
> [1] http://www.hexten.net/sw/pam_abl/index.mhtml
>
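The following is an added example, not part of the thread above and not code from pam_abl or OpenSSH. It models the two counting questions George raises: how many failures a host or user-host pair has accumulated (points b, d and e), and the difference between real attempts and what a module that registers one failure per TCP connection would see when sshd's default MaxAuthTries of 3 is in effect. The log lines are constructed sample data in OpenSSH's syslog format; the sshd process id is used as the connection key, and the purge window pam_abl uses is not modelled.

```python
import re
from collections import Counter, defaultdict

# Constructed sshd syslog lines (not real traffic): one connection per pid,
# up to three password failures per connection, as sshd's default allows.
SAMPLE_LOG = """\
Jan 10 11:17:14 gw sshd[4101]: Failed password for george from 127.0.0.1 port 40112 ssh2
Jan 10 11:22:31 gw sshd[4120]: Failed password for george from 127.0.0.1 port 40120 ssh2
Jan 10 11:22:33 gw sshd[4120]: Failed password for george from 127.0.0.1 port 40120 ssh2
Jan 10 11:22:35 gw sshd[4120]: Failed password for george from 127.0.0.1 port 40120 ssh2
Jan 10 11:22:35 gw sshd[4133]: Failed password for george from 192.0.2.10 port 51000 ssh2
Jan 10 11:22:49 gw sshd[4140]: Failed password for invalid user admin from 198.51.100.7 port 2200 ssh2
Jan 10 11:22:50 gw sshd[4140]: Failed password for invalid user admin from 198.51.100.7 port 2200 ssh2
Jan 10 11:22:51 gw sshd[4140]: Failed password for invalid user admin from 198.51.100.7 port 2200 ssh2
Jan 10 11:23:01 gw sshd[4152]: Failed password for invalid user admin from 198.51.100.7 port 2210 ssh2
Jan 10 11:23:02 gw sshd[4152]: Failed password for invalid user admin from 198.51.100.7 port 2210 ssh2
Jan 10 11:23:05 gw sshd[4160]: Accepted password for george from 192.0.2.10 port 51010 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<host>\S+) port \d+"
)


def parse_failures(log_text):
    """Return one dict per 'Failed password' line: ts, pid, user, host."""
    return [m.groupdict() for m in map(FAILED_RE.match, log_text.splitlines()) if m]


def tally(failures, per_connection=False):
    """Count failures per host and per (user, host).

    per_connection=False counts every failed attempt (what really happened).
    per_connection=True counts distinct sshd pids, i.e. one failure per TCP
    connection: the 3:1 real:measured ratio described in the thread when
    MaxAuthTries is left at 3.
    """
    hosts, userhosts = defaultdict(list), defaultdict(list)
    for f in failures:
        hosts[f["host"]].append(f)
        userhosts[(f["user"], f["host"])].append(f)

    def count(events):
        return len({e["pid"] for e in events}) if per_connection else len(events)

    return ({h: count(ev) for h, ev in hosts.items()},
            {uh: count(ev) for uh, ev in userhosts.items()})


def blacklisted(counts, limit):
    """Keys whose failure count has reached the limit (hypothetical rule)."""
    return {k for k, n in counts.items() if n >= limit}


def connections_over(failures, max_auth_tries):
    """Pids with more failed attempts than MaxAuthTries permits.
    With 'MaxAuthTries 1' in sshd_config this should be empty."""
    per_pid = Counter(f["pid"] for f in failures)
    return {pid for pid, n in per_pid.items() if n > max_auth_tries}


def report(failures):
    """Listing in the shape proposed in the thread: each failed user with the
    host of every attempt, each failed host with the user, newest first."""
    users, hosts = defaultdict(list), defaultdict(list)
    for f in failures:
        users[f["user"]].append((f["ts"], f["host"]))
        hosts[f["host"]].append((f["ts"], f["user"]))
    lines = ["Failed users:"]
    for user, ev in sorted(users.items()):
        lines.append(f"    {user} ({len(ev)})")
        lines += [f"        {ts} {other}" for ts, other in reversed(ev)]
    lines.append("Failed hosts:")
    for host, ev in sorted(hosts.items()):
        lines.append(f"    {host} ({len(ev)})")
        lines += [f"        {ts} {other}" for ts, other in reversed(ev)]
    return "\n".join(lines)


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    attempts, _ = tally(fails)
    conns, _ = tally(fails, per_connection=True)
    for host in sorted(attempts):
        print(f"{host}: {attempts[host]} attempts, {conns[host]} connections")
    print("blacklisted hosts (limit 3, per attempt):", sorted(blacklisted(attempts, 3)))
    print("blacklisted hosts (limit 3, per connection):", sorted(blacklisted(conns, 3)))
    print("connections over MaxAuthTries 1:", sorted(connections_over(fails, 1)))
    print(report(fails))
```

Run against a real auth log, `connections_over(fails, 1)` is a quick way to confirm that a `MaxAuthTries 1` setting is actually in effect on a given build, which is the point where the Mandrake and Red Hat ES3 packages in the thread differ from Fedora Core 3.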