
Re: pam_tally with sshd: ssh password-based failures not tally'd



George Hansper wrote:

> Hello Andy,
>
> I've downloaded and compiled the pam_abl package.
>
> Basically, it seems to work quite well. I did notice the following:
>
> a) It requires the /etc/ssh/sshd_config setting:
>     UsePAM yes
>     ChallengeResponseAuthentication no
>    for openssh-server 3.9p1-7 (Fedora Core 3/Mandrake 10.1)

Ah right, I'll add that to the doc, thanks.


> b) sshd normally allows 3 tries before kicking the user out of the
>    password dialog. This registers as 1 user failure and 1 host failure
>    for pam_abl.
>
>    Changing the /etc/ssh/sshd_config setting:
>     MaxAuthTries 1
>    limits the user to 1 try per TCP connection, and brings pam_abl into
>    line with real attempts

Yes, a 'failed attempt' is a failed application session. The module doesn't know how many retries the application does in that session although it could work it out. Perhaps that would be better. I'll investigate.


> c) Once a user or host has been locked, there does not seem to be any
>    way to unlock the account manually, before the 'purge' time has elapsed.
>
> The locking appears to apply to a particular host, so I don't think this
> would arise except during testing. Once a host has exceeded its failed-login
> limit, I would be reluctant to unlock it at a user's request.

Yes, that's right. I will add it but normally it won't be necessary.


> "user locking" appears to be "user-host locking", in that it is not the
> user's account which gets locked, but a particular user-host combination.

No, it's actually user locking - it only considers the username. It's less useful I think than host locking but it was trivial to add it so...


> d) It would be useful if the pam_abl command, in addition to the list of
> failed attempts, would give a clear indication of which hosts and user-hosts
> are currently black-listed.

Yup, good idea - I'll add that.


> e) It might be better if the 'pam_abl -v' command also showed the hostname/ip
> for each failed user-attempt.
>
>    e.g.:
>     Failed users:
>         george (3)
>             Mon Jan 10 11:22:49 2005  localhost
>             Mon Jan 10 11:22:35 2005  www.example.net
>             Mon Jan 10 11:22:31 2005  localhost
>
>    Similar could be applied to "Failed hosts" output, which could
>    show the username for each attempt.
>
>     Failed hosts:
>         localhost (1)
>             Mon Jan 10 11:17:14 2005  george

It doesn't really have that information in an easily accessible form - it only actually records the timestamp in the database. I could add that but it'd mean quite a change.


> Is there a place for "user-only locking"? Perhaps for a distributed attack on
> a particular user?

That's what it actually does currently.


> f) The pam_abl command REQUIRES the default-config to be specified, ie:
>     pam_abl /etc/security/pam_abl.conf
>    works, while
>     pam_abl
>    fails. This gets annoying pretty quickly.

OK, I'll put a default in there.


> g) The "host" field printed by pam_abl seems to be recorded as
>    an IP address, even though hostnames are printed. It would be nice
>    to have the choice of hostname/IP address for the output.

All it has is what it gets from PAM. That's typically a hostname if reverse DNS has worked otherwise a dotted-quad IP address. I could make it turn the hostnames back into IP addresses but there's probably not much point in trying to do reverse DNS if it's failed for PAM.


> In its current form pam_abl is already useful. I am looking forward to
> seeing future enhancements, and I hope it will be included in the
> "standard" Linux-pam package in the near future.

Thanks for taking the time to look at it so thoroughly. I'll do some more work on it over the next couple of days. It's clear that, apart from anything else, the documentation needs to give a better overview of what it's actually doing :)


Thanks.

--
Andy Armstrong, hexten.net
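The following is an added example, not code from the thread or from pam_abl: a small checker for the sshd_config settings George reports in points (a) and (b) above (UsePAM yes, ChallengeResponseAuthentication no, and his suggested MaxAuthTries 1). The two config excerpts are constructed for the illustration; the parser follows sshd_config's rules that keywords are case-insensitive, that the first value given for a keyword wins, and that lines beginning with '#' are comments. Match blocks are ignored, which is a simplification of this example.

```python
"""Check the sshd_config settings the thread says pam_abl needs.

Added example, not part of the thread or of pam_abl. The config excerpts are
constructed; the required values come from points (a) and (b) in the thread.
"""
import re

# Constructed: a config where ChallengeResponseAuthentication is still on and
# MaxAuthTries is left at the sshd default (the line is commented out).
WEAK_CONFIG = """\
# sshd_config (constructed example)
UsePAM yes
ChallengeResponseAuthentication yes
#MaxAuthTries 6
"""

# Constructed: the settings George reports as working with pam_abl.
FIXED_CONFIG = """\
UsePAM yes
ChallengeResponseAuthentication no
MaxAuthTries 1
"""

REQUIRED = {  # keyword (lowercased) -> value needed per the thread
    "usepam": "yes",
    "challengeresponseauthentication": "no",
    "maxauthtries": "1",
}

# keyword, optional '=', value; keywords are alphanumeric in sshd_config
KEYWORD_RE = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.*?)\s*$")


def parse_sshd_config(text):
    """Map each keyword (case-insensitive) to its first value.

    sshd uses the first value it reads for a keyword, so a later duplicate is
    ignored; lines starting with '#' are comments. Match blocks are not
    handled here (a simplification of this example).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def check_config(text, required=REQUIRED):
    """Return a list of problems; an empty list means all required settings are present."""
    settings = parse_sshd_config(text)
    problems = []
    for key, want in required.items():
        have = settings.get(key)
        if have is None:
            problems.append(f"{key}: not set, sshd default applies (want {want})")
        elif have.lower() != want:
            problems.append(f"{key}: is '{have}' (want {want})")
    return problems


if __name__ == "__main__":
    for name, cfg in ("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG):
        print(name, check_config(cfg) or "OK")
```

Run it against a real /etc/ssh/sshd_config by reading the file into check_config; a commented-out MaxAuthTries is reported as "not set" because sshd will then fall back to its default, which is the case George describes where several password guesses collapse into one pam_abl failure.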


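As a second added example (again not pam_abl's own code), here is a Python model of the tallying discussed in points (b), (c) and (e) above: one failed application session counts once against the host and once against the user, the two tallies are independent (host locking versus user-only locking), entries older than a purge window are ignored, and the report lists the peer for each attempt in the layout George proposed. The limits, the purge window, the sample records and the report time are assumptions chosen for the illustration.

```python
"""Per-host / per-user failed-login tally with a purge window.

Added example modelling the behaviour the thread describes for pam_abl; it is
not pam_abl's own code. Limits, purge window, sample records and NOW are
assumptions chosen for the illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: one per failed PAM session (user, host, timestamp).
# With MaxAuthTries 3 one record can hide three password guesses; with
# MaxAuthTries 1 each record is one real attempt.
SAMPLE_FAILURES = [
    ("george", "localhost",       "2005-01-08 09:00:00"),  # stale: outside purge window
    ("george", "localhost",       "2005-01-10 11:22:31"),
    ("george", "www.example.net", "2005-01-10 11:22:35"),
    ("george", "localhost",       "2005-01-10 11:22:49"),
    ("root",   "192.0.2.10",      "2005-01-10 11:30:00"),  # one host, many users
    ("admin",  "192.0.2.10",      "2005-01-10 11:30:05"),
    ("test",   "192.0.2.10",      "2005-01-10 11:30:09"),
]
NOW = datetime(2005, 1, 10, 12, 0, 0)  # assumed report time


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def fmt_ts(ts):
    return ts.strftime("%a %b %d %H:%M:%S %Y")


class FailureTally:
    """Keeps (timestamp, peer) per host and per user; blocks on the live count."""

    def __init__(self, host_limit=3, user_limit=3, purge=timedelta(days=1)):
        self.host_limit = host_limit
        self.user_limit = user_limit
        self.purge = purge
        self.by_host = defaultdict(list)  # host -> [(ts, user)]
        self.by_user = defaultdict(list)  # user -> [(ts, host)]

    def record(self, user, host, ts):
        # A failed session counts once for the host and once for the user,
        # independently: host locking and user-only locking are separate tallies.
        self.by_host[host].append((ts, user))
        self.by_user[user].append((ts, host))

    def live(self, entries, now):
        """Entries inside the purge window, newest first."""
        return sorted((e for e in entries if now - e[0] <= self.purge), reverse=True)

    def blocked_hosts(self, now):
        return sorted(h for h, e in self.by_host.items()
                      if len(self.live(e, now)) >= self.host_limit)

    def blocked_users(self, now):
        return sorted(u for u, e in self.by_user.items()
                      if len(self.live(e, now)) >= self.user_limit)

    def _section(self, title, table, limit, now):
        lines = [title]
        for key in sorted(table):
            entries = self.live(table[key], now)
            if not entries:
                continue
            flag = " [BLOCKED]" if len(entries) >= limit else ""
            lines.append(f"    {key} ({len(entries)}){flag}")
            for ts, peer in entries:  # show the other side of each attempt
                lines.append(f"        {fmt_ts(ts)}  {peer}")
        return lines

    def report(self, now):
        return "\n".join(self._section("Failed users:", self.by_user, self.user_limit, now)
                         + self._section("Failed hosts:", self.by_host, self.host_limit, now))


def build_tally(failures=SAMPLE_FAILURES, **limits):
    tally = FailureTally(**limits)
    for user, host, ts in failures:
        tally.record(user, host, parse_ts(ts))
    return tally


if __name__ == "__main__":
    print(build_tally().report(NOW))
```

With the assumed limits, 192.0.2.10 is blocked by the host tally (three different usernames from one host), george is blocked by the user tally (three hosts against one account, the distributed case George asks about), and localhost stays under the limit because its oldest failure has aged out of the purge window.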