
Re: pam_tally with sshd: ssh password-based failures not tally'd
Hello Andy,

I've downloaded and compiled the pam_abl package.

Basically, it seems to work quite well. I did notice the following:

a) It requires the /etc/ssh/sshd_config setting:
	UsePAM yes
	ChallengeResponseAuthentication no
   for openssh-server 3.9p1-7 (Fedora Core 3/Mandrake 10.1)

b) sshd normally allows 3 tries before kicking the user out of the
   password dialog. This registers as 1 user failure and 1 host failure
   for pam_abl.

   Changing the /etc/ssh/sshd_config setting:
	MaxAuthTries 1
   limits the user to 1 try per TCP connection, and brings pam_abl into
   line with real attempts.

This works for Fedora Core 3 (openssh-server 3.9p1-7)

   For Mandrake 10.1, 'MaxAuthTries N' allows 'N+1' tries, and never allows more
   than 3 tries anyway. 'MaxAuthTries 1' kicks you out before you start!
   I'm reluctant to set 'MaxAuthTries 0', even though this works. I thought
   I had Mandrake allowing "N-1" tries, too, though I can't reproduce it for now.

   For Red Hat ES3/WS3 using openssh-server-3.6.1p2, the option MaxAuthTries
   does not exist, and we are stuck with the 3:1 ratio of real:measured
   failures.

c) Once a user or host has been locked, there does not seem to be any
   way to unlock the account manually, before the 'purge' time has elapsed.

   The locking appears to apply to a particular host, so I don't think this
   would arise except during testing. Once a host has exceeded its failed-login
   limit, I would be reluctant to unlock it at a user's request.

   "user locking" appears to be "user-host locking", in that it is not the
   user's account which gets locked, but a particular user-host combination.

d) It would be useful if the pam_abl command, in addition to the list of
   failed attempts, would give a clear indication of which hosts and user-hosts
   are currently black-listed.

e) It might be better if the 'pam_abl -v' command also showed the hostname/ip
   for each failed user-attempt.

   eg:
	Failed users:
	    george (3)
	        Mon Jan 10 11:22:49 2005  localhost
	        Mon Jan 10 11:22:35 2005  www.example.net
	        Mon Jan 10 11:22:31 2005  localhost

   Similar could be applied to "Failed hosts" output, which could
   show the username for each attempt.

	Failed hosts:
	    localhost (1)
	        Mon Jan 10 11:17:14 2005  george

   Is there a place for "user-only locking"? Perhaps for a distributed attack on
   a particular user?

f) The pam_abl command REQUIRES the default-config to be specified, ie:
	pam_abl /etc/security/pam_abl.conf
   works, while
	pam_abl
   fails. This gets annoying pretty quickly.

g) The "host" field printed by pam_abl seems to be recorded as an
   IP address, even though hostnames are printed. It would be nice
   to have the choice of hostname/IP address for the output.

In its current form pam_abl is already useful. I am looking forward to
seeing future enhancements, and I hope it will be included in the
"standard" Linux-pam package in the near future.

Regards,
	George Hansper

Andy Armstrong wrote:
George Hansper wrote:

Hi,

I've been looking at pam_tally as a means of discouraging "brute force"
ssh attacks. I have noticed, like Adam Monsen in a previous e-mail:

http://www.redhat.com/archives/pam-list/2004-October/msg00047.html

that once the maximum password failures has been exceeded,
SSH/PAM still give a clear indication of when you've cracked the right password.


I don't know if it helps but pam_abl[1] produces the same response for blacklisted hosts/users whether or not they supply the correct credentials. It also disables logins based on the originating host rather than the user so accounts that are under attack typically remain usable by their legitimate owner.

[1] http://www.hexten.net/sw/pam_abl/index.mhtml
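The sshd_config settings discussed in points a) and b) above are easy to get subtly wrong, because sshd uses the first value it sees for a keyword and ignores later duplicates, and because lines under a 'Match' block are conditional rather than global. The following checker is an added example written for this archive page; it is not part of the original mail and not pam_abl's own code. It parses a constructed sshd_config sample with those rules and reports whether UsePAM, ChallengeResponseAuthentication and MaxAuthTries hold the values the mail recommends for openssh-server 3.9p1 on Fedora Core 3. The fallback defaults used for absent keywords are the stock OpenSSH compiled-in defaults (UsePAM no, ChallengeResponseAuthentication yes, MaxAuthTries 6); the mail's observation that Mandrake 10.1 treats 'MaxAuthTries N' as N+1 tries is not modelled, so the MaxAuthTries check is an exact comparison.

```python
"""Check an sshd_config for the pam_abl-related settings named in the mail.

Added example, not the original post's or pam_abl's code.  Parsing rules:
comments stripped, keywords case-insensitive, 'keyword value' or
'keyword=value' accepted, first occurrence of a keyword wins (as sshd does),
and everything from the first 'Match' line onward is skipped because it is
conditional, not global.
"""
import re
from typing import Dict, List, Tuple

# Values the mail recommends (openssh-server 3.9p1-7, Fedora Core 3).
WANTED: Dict[str, str] = {
    "usepam": "yes",
    "challengeresponseauthentication": "no",
    "maxauthtries": "1",
}

# Stock OpenSSH defaults used when a keyword is absent from the file.
DEFAULTS: Dict[str, str] = {
    "usepam": "no",
    "challengeresponseauthentication": "yes",
    "maxauthtries": "6",
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global settings as lower-cased keyword -> value."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) < 2:
            continue                          # keyword with no value: ignore
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break                             # conditional section: stop here
        effective.setdefault(key, value)      # first occurrence wins
    return effective


def check_for_pam_abl(text: str) -> List[Tuple[str, str, str, bool]]:
    """Compare effective settings with WANTED.

    Each result is (keyword, wanted, found, ok).  Comparison is
    case-insensitive on the value, as sshd treats 'Yes' and 'yes' alike.
    """
    effective = parse_sshd_config(text)
    results = []
    for key, wanted in WANTED.items():
        found = effective.get(key, DEFAULTS[key])
        results.append((key, wanted, found, found.lower() == wanted))
    return results


# Constructed sample: one correct setting, one duplicate, one wrong value
# and a Match block that must not override the global MaxAuthTries.
SAMPLE_CONFIG = """\
# constructed sshd_config sample
Port 22
Protocol 2
UsePAM yes
ChallengeResponseAuthentication no    # required together with UsePAM
ChallengeResponseAuthentication yes   # duplicate: sshd ignores it
MaxAuthTries 3                        # 3 tries per connection = 1 pam_abl failure
Match User backup
    MaxAuthTries 1
"""


def report(text: str) -> List[str]:
    """Human-readable lines, one per checked keyword."""
    return [
        "%-32s wanted=%-4s found=%-4s %s" % (k, w, f, "ok" if ok else "FIX")
        for k, w, f, ok in check_for_pam_abl(text)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG):
        print(line)
```

Run against a real file with `check_for_pam_abl(open("/etc/ssh/sshd_config").read())`; any line marked FIX is a setting the mail says must change before pam_abl counts one failure per real attempt.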


