pam_tally with sshd: ssh password-based failures not tally'd
Andy Armstrong
andy at hexten.net
Thu Jan 6 09:24:02 UTC 2005
George Hansper wrote:
> Hi,
>
> I've been looking at pam_tally as a means of discouraging "brute force"
> ssh attacks. I have noticed, like Adam Monsen in a previous e-mail:
>
> http://www.redhat.com/archives/pam-list/2004-October/msg00047.html
>
> that once the maximum password failures has been exceeded,
> SSH/PAM still give a clear indication of when you've cracked the right
> password.

I don't know if it helps but pam_abl[1] produces the same response for
blacklisted hosts/users whether or not they supply the correct
credentials. It also disables logins based on the originating host
rather than the user so accounts that are under attack typically remain
usable by their legitimate owner.

[1] http://www.hexten.net/sw/pam_abl/index.mhtml
--
Andy Armstrong
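
Added illustration, not part of the original message and not pam_tally or pam_abl code: a simplified Python model of the two behaviours discussed in this thread, a per-user lockout that still reveals a correct password and a per-host blacklist that answers identically whatever credentials arrive. The class names, threshold, credentials and addresses are constructed assumptions.

```python
from collections import defaultdict

# Constructed credentials and threshold for the model (assumptions).
PASSWORDS = {"alice": "correct-horse"}
MAX_FAILURES = 3

class PerUserTally:
    """Per-user lockout where the password is still checked after lockout,
    so a locked account answers differently to the right password."""
    def __init__(self):
        self.failures = defaultdict(int)

    def login(self, host, user, password):
        ok = PASSWORDS.get(user) == password
        if not ok:
            self.failures[user] += 1
            return "denied"
        if self.failures[user] >= MAX_FAILURES:
            return "locked"      # distinguishable from "denied": an oracle
        self.failures[user] = 0
        return "ok"

class PerHostBlacklist:
    """Per-host blacklist that is consulted before the password and gives one
    answer to a blacklisted host whatever credentials it sends."""
    def __init__(self):
        self.failures = defaultdict(int)

    def login(self, host, user, password):
        if self.failures[host] >= MAX_FAILURES:
            return "denied"      # same reply for right and wrong passwords
        if PASSWORDS.get(user) != password:
            self.failures[host] += 1
            return "denied"
        return "ok"

def replies_after_lockout(policy, blocked_host="203.0.113.9", user="alice"):
    """Exhaust the failure limit from one host, then return the replies to a
    wrong password, the right password, and the owner on another host."""
    for _ in range(MAX_FAILURES):
        policy.login(blocked_host, user, "wrong")
    return (policy.login(blocked_host, user, "wrong"),
            policy.login(blocked_host, user, PASSWORDS[user]),
            policy.login("198.51.100.7", user, PASSWORDS[user]))

if __name__ == "__main__":
    print("per-user tally:    ", replies_after_lockout(PerUserTally()))
    print("per-host blacklist:", replies_after_lockout(PerHostBlacklist()))
```

In the per-user model the second reply differs from the first, which is the leak George describes, and the owner is locked out too; in the per-host model the first two replies match and the owner on another host still gets in.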