pam_tally and fail_locktime

Benjamin Donnachie benjamin at pythagoras.no-ip.org
Thu Oct 6 21:44:51 UTC 2005 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Philip Yarra wrote:
> I was thinking in terms of making your changes settable through configuration, 
> so people who need to do non-root auth can change the behaviour through 
> config, with default behaviour to be root-only. Does that sound like a useful 
> thing to other people?

At the moment it just dies quietly if it's not running as root - I think
I'd prefer to change the default behaviour so it at least gives you a
warning.

>>Thinking about it, have you considered public/private key authentication?  
> Yep, I use key authentication only, and I also restrict users by AllowUsers 
> directive in sshd_config. All dropped SSH connects get logged, and my 
> ~/.bash_profile runs a script to show me who has been trying to log in. 
> 
> I don't want to risk losing my membership of the Tinfoil Hat Brigade, you 
> know.

I don't think there's any danger of that... :-)

> Yes, that's one of the drawbacks. The main advantage I can see is to deal with 
> the four brazilian (obligatory George Bush joke) brute force attempts that I 
> get from China and Korea (mainly) when I open up SSH ports to the whole 
> world. 

I managed to stop those quite easily - just change to a non-standard
port number! :-)

> Security is hard, I guess. :-)

I've been playing with pam_abl and pam in general and so far have
discovered the following:

	pam_abl doesn't work properly with authentication with the likes of php
and apache - it incorrectly detects correct logins as failures.

	Unsurprisingly, you can't setuid library modules.

	To access shadow passwords pam_unix uses a setuid helper application.
I'm not sure how this would work with pam_abl (or similar) at the moment
as passing data to be written to the database could be vulnerable to use
by a malicious user...  Unless it's passed encrypted...  Or the file's
encrypted, or maybe both...  I shall think about this a little more in
the morning...

It appears that httpd and php authentication use both auth and account
in pam - so I'm still in favour of having a module which functions
similarly to pam_tally; tentatively increasing the fail count with auth
and decreasing it with a successful account.

This would have the side effect of temporarily denying concurrent
authentication phases that exceed your fail count...  but that sounds
like a feature to me!

>>I was initially attracted to the idea of combining pam_abl with blocking at
>>the network level, but I now feel that I would prefer the attacks to get
>>through to pam_abl - at least then the attacker will have no idea that they
>>are blocked and if they stumble upon the right password it will just
>>(hopefully) be refused by pam_abl and they will continue searching!
> Yeah, good point, though from what I've seen most of these attacks are done by 
> automated tools, so while I do approve of inconveniencing real live people, 
> in terms of slowing down an attack tool, I'm not sure if letting them try a 
> bunch of doomed login attempts would take more or less time than waiting for 
> a SYN/ACK that will never arrive. 

... and then restart their attack where they left off once they're
unblocked?  I'd rather it continued completely oblivious! :-)

> I guess it's really six of one, half a dozen of the other anyway.

Yup - 'fraid so!

Ben
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iQIVAwUBQ0Wa0ugNmph0Y1E2AQLnfA//abEuc0mfknouPxVfJ4cNt8buSPesPj1F
zIX8TMDu99jX75Y5N3qQCUjxJ0iBD0+b1eW3dRiM3+2wYf6OK/MI9eocBijYpi6T
FBq3YA810BfeMVK7md7GYzgZqwewxA0ViWErrBvXDWjutaaWl7CBm+d8XCszSFch
cK7xTVi7NPpvepSZubj3RZcDZvZA2r7WTFV7lU2mDgq64bNfhpPq6GBXLpKD6P4W
NA5fs0iaRCNogCBqlhEYmd2Pqjn74H5arqnUtTHZFVml6JtiW46tMdrU1j+ax0Xz
D78eZbD/HG6fmhdM9qJ3V/zYsrcPARdQPmwm6Q6s2f0j3d6kEHu6aC0FXyrtRQm9
P6m5MIQil9D761msVHWBfn4CwiGuFmOrzjJRa0o5OXM6TUt7BViSuj9jp48Bga9w
h80RcoPtHY+0vlZpkaWObs1GCpb5TaTeRdUANoE9NhuLF6puntP882P1U1CGEc7N
U2ejDSdK6BClSwSNhQr88BlKcCsXyP/tbWnShptPa21D6tLZrM8QdLhA9uk+se03
qmfKKrTkzw6fsU0WcDzjbWcox6gYtioIiMtb0PkHjSMI9w3Zru7JsTlotV0g0oSF
HhDNQZzh5X8koV/lzVCAAe7UFiSn8zW76kI/dTdT1TFTzi2LTsHNdkzKEaDsLH7u
zpnRh4HvYZs=
=Y1J2
-----END PGP SIGNATURE-----

More information about the Pam-list mailing list