pam_tally and fail_locktime

Benjamin Donnachie benjamin at pythagoras.no-ip.org
Tue Oct 4 23:58:23 UTC 2005


Philip Yarra wrote:
> I was looking at pam_abl to deflect SSH brute force attacks. Let me know how
> you get on with it.

I'm very pleased with it so far.  It works at the auth level of PAM, so
blocked users don't get a different error message if they get their
password right (unlike the version of pam_tally on my system!).

The only slight problem is that pam_abl will only run as root but I also
wanted to use it to protect httpd and php authentications which run as
apache - so I removed the root check from the source code and made the
database files world accessible.  Not perfect, but my users don't have
shell access and get placed in a chroot jail when they transfer files
so, hopefully, they won't be able to access the db files!

Alternatively, you could create a separate authentication group, make
the db files g+rw and then add any system users that perform
authentication to this group...

I'd recommend that you give pam_abl a go!  If you need a hand to get it
working with services that authenticate while non-root, let me know and
I'll send you details of my modification.

Take care,

Ben
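
The two setups described in the message above (world-accessible db files versus a dedicated authentication group with g+rw) can be told apart with a small permission audit. This is an added example, not part of the original post or of pam_abl; the group name and file paths are supplied by the caller and are assumptions.

```shell
#!/bin/sh
# Added example: audit permissions on pam_abl-style database files.
# The group and the paths are caller-supplied assumptions, not values
# taken from the post.

# check_db FILE GROUP
# Prints one verdict line and returns:
#   0  FILE is group-owned by GROUP, has g+rw, and grants nothing to "other"
#   1  FILE grants some access to "other" (the world-accessible setup)
#   2  FILE is not group-owned by GROUP, or lacks group read/write
#   3  FILE does not exist
check_db() {
    f=$1; grp=$2
    if [ ! -e "$f" ]; then
        echo "MISSING $f"; return 3
    fi
    # Any r, w or x bit set for "other"?
    if [ -n "$(find "$f" -prune \( -perm -004 -o -perm -002 -o -perm -001 \))" ]; then
        echo "WORLD-ACCESSIBLE $f"; return 1
    fi
    # Group ownership matches and both group read and write are set?
    if [ -z "$(find "$f" -prune -group "$grp" -perm -060 2>/dev/null)" ]; then
        echo "WRONG-GROUP-OR-MODE $f"; return 2
    fi
    echo "OK $f"; return 0
}

# audit_dbs GROUP FILE...
# Checks every file and returns the highest (worst) code seen.
audit_dbs() {
    grp=$1; shift
    worst=0
    for f in "$@"; do
        rc=0
        check_db "$f" "$grp" || rc=$?
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    return "$worst"
}

# Stand-alone use: sh audit.sh GROUP FILE...
if [ "$#" -ge 2 ]; then
    audit_dbs "$@"
fi
```

A non-zero exit from `audit_dbs` means at least one file is either open to every local account or not set up for the authentication group.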
