pam_tally and fail_locktime

Benjamin Donnachie benjamin at pythagoras.no-ip.org
Wed Oct 5 16:21:47 UTC 2005


Philip Yarra <philip.yarra at internode.on.net> wrote: 
>> The only slight problem is that pam_abl will only run as root but I also
>> wanted to use it to protect httpd and php authentications which run as
>> apache - so I removed the root check from the source code and made the
>> database files world accessible.  
>Hmmm... I think your approach makes sense. The group idea is good.

The only problem with that is pam authentication under php runs as the 
current user - so, without pam_abl, I could potentially have a user on the 
system launch an attack but not be blocked.  Thus, I think I'm stuck with 
world accessible files for now (Not that I like it though).

>> I'd recommend that you give pam_abl a go!  If you need a hand to get it
>> working with services that authenticate while non-root, let me know and
>> I'll send you details of my modification.
>Have you considered contributing it as a patch?

I can do - it's really nothing as I only commented three or so lines out.

>Actually, my case is a bit easier, the only service I offer with auth is
>SSH, and at present I've simply firewalled off everything except 2 IPs.

That definitely makes things much easier! :-)  Thinking about it, have you 
considered public/private key authentication?  I use it on my system to 
restrict shell access - everyone with a password is just left with file 
transfers using scponlyc.

>I really prefer to block access at the network level, so I've been looking
>at what would be involved in using a libipq app to look up allowed dynamic 
>DNS host names (yeah, I'm on no-ip.org too :-) ) for incoming SYN packets 
>and see if they currently resolve to the incoming IP address. If so, 
>allow the TCP connection, else DROP.  That, combined with pam_abl would be 
>pretty formidable.

Could that be vulnerable to password attacks on no-ip or even DNS poisoning?

I was initially attracted to the idea of combining pam_abl with blocking at 
the network level, but I now feel that I would prefer the attacks to get 
through to pam_abl - at least then the attacker will have no idea that they 
are blocked and if they stumble upon the right password it will just 
(hopefully) be refused by pam_abl and they will continue searching!

>Now, spare time? That's the issue. I'll give it a go when I can. 

Tell me about it! :-/

>I think the root-only auth will be okay. You made me think though... your 
>situation is analogous to shadow passwords in some ways. Would suid root 
>code be a way to handle this need to auth non-root users?

I thought about that, but I'm not sure whether I can do it within 
modules...  It's been a long while since I did any serious C programming 
and I've got a fair bit of reading up to do yet...  I'm making my way 
through the pam programmers guide and will then dust off my linux 
programming guide!

Ah-ha!  I've just realised that, as you pointed out, is exactly what 
happens with the shadow password so it is definitely possible!  Hopefully 
all will become clear soon...


--
Benjamin
benjamin at pythagoras.no-ip.org
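The SYN-filtering idea quoted above (allow a connection only if the source address is what one of a few dynamic DNS names currently resolves to), written out as an added example that is not from this thread or from pam_abl. It assumes a hypothetical `DynDnsAllowlist` class; the resolver and clock are injectable so the decision logic can be exercised offline, and the code fails closed on malformed addresses and on names that do not resolve.

```python
import ipaddress
import socket
import time
from typing import Callable, Dict, Iterable, List, Set, Tuple

# A resolver maps a host name to the list of addresses it currently has.
Resolver = Callable[[str], List[str]]


def system_resolver(name: str) -> List[str]:
    """Resolve a name with the system resolver; empty list on failure."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


class DynDnsAllowlist:
    """Hypothetical helper: decide ACCEPT or DROP for an incoming SYN by
    checking whether the source address is one that an allowed dynamic
    DNS name resolves to right now. Trust in the answer is only as good
    as the resolver's answer, which is the weakness raised above."""

    def __init__(self, hostnames: Iterable[str], resolver: Resolver = system_resolver,
                 ttl: float = 60.0, clock: Callable[[], float] = time.monotonic) -> None:
        self.hostnames = list(hostnames)
        self.resolver = resolver
        self.ttl = ttl
        self.clock = clock
        # name -> (expires_at, addresses)
        self._cache: Dict[str, Tuple[float, Set[str]]] = {}

    def _current_addresses(self, name: str) -> Set[str]:
        now = self.clock()
        entry = self._cache.get(name)
        if entry is None or now >= entry[0]:
            # Re-query only after the cached answer expires, so a burst of
            # SYNs does not become a burst of DNS queries.
            entry = (now + self.ttl, set(self.resolver(name)))
            self._cache[name] = entry
        return entry[1]

    def decide(self, src_ip: str) -> str:
        try:
            src = ipaddress.ip_address(src_ip)
        except ValueError:
            return "DROP"  # malformed source address: fail closed
        for name in self.hostnames:
            # A name that fails to resolve contributes no addresses, so it
            # can never match; the packet is dropped rather than allowed.
            for addr in self._current_addresses(name):
                try:
                    if ipaddress.ip_address(addr) == src:
                        return "ACCEPT"
                except ValueError:
                    continue
        return "DROP"
```

Because answers are cached for `ttl` seconds, a change of address at the dynamic DNS provider only takes effect once the cached entry expires.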