Andy Armstrong | 1 Jan 22:32 2005

Is this a reasonable approach?

Hi folks and happy new year,

I'm writing a PAM module that will allow me to reject connections from 
remote hosts that have been responsible for a large number of failed login 
attempts. I've pretty much got working code but I'm agonising over the 
best way to log failed attempts.

I can get something working by flagging a request as potentially failed 
during auth processing and then clearing that flag if we get as far as 
session processing. I'd use pam_set_data() effectively for the side 
effect of giving me a callback to the cleanup routine which is where I'd 
actually record the success or failure of the login attempt (in a DBM 
database).

I assume that'll work in which case it'll scratch my immediate itch but 
I also assume that it's not the cleanest way to detect a failed auth 
attempt. Can anyone recommend a nicer approach?

-- 
Andy Armstrong
William.Cormack | 2 Jan 18:05 2005

William Cormack/FRB07 is out of the office.

I will be out of the office starting  12/31/2004 and will not return until
01/03/2005.

I will respond to your message when I return.
Andy Armstrong | 3 Jan 22:05 2005

Re: Is this a reasonable approach?

Andy Armstrong wrote:
> Hi folks and happy new year,
> 
> I'm writing a PAM module that will allow me to reject connections from 
> remote hosts that have been responsible for a large number of failed login 
> attempts. I've pretty much got working code but I'm agonising over the 
> best way to log failed attempts.
> 
> I can get something working by flagging a request as potentially failed 
> during auth processing and then clearing that flag if we get as far as 
> session processing. I'd use pam_set_data() effectively for the side 
> effect of giving me a callback to the cleanup routine which is where I'd 
> actually record the success or failure of the login attempt (in a DBM 
> database).
> 
> I assume that'll work in which case it'll scratch my immediate itch but 
> I also assume that it's not the cleanest way to detect a failed auth 
> attempt. Can anyone recommend a nicer approach?

The module is complete and working now. It successfully rejects auth 
attempts from hosts that are responsible for excessive authentication 
failures according to a configurable set of rules.

It still needs to function both as an auth and a session module to find 
out whether authentication was ultimately successful so you end up with 
a config like this (this is my /etc/pam.d/system-auth):

auth        required      /lib/security/$ISA/pam_abl.so \
                                       config=/etc/pam_abl.conf
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
(Continue reading)

Digant C Kasundra | 3 Jan 22:23 2005

Re: Is this a reasonable approach?

That's exciting!  I'm definitely interested in giving it a try.  Where
can I get it at?

On Mon, 2005-01-03 at 15:05, Andy Armstrong wrote:
> Andy Armstrong wrote:
> > Hi folks and happy new year,
> > 
> > I'm writing a PAM module that will allow me to reject connections from 
> > remote hosts that have been responsible for a large number of failed login 
> > attempts. I've pretty much got working code but I'm agonising over the 
> > best way to log failed attempts.
> > 
> > I can get something working by flagging a request as potentially failed 
> > during auth processing and then clearing that flag if we get as far as 
> > session processing. I'd use pam_set_data() effectively for the side 
> > effect of giving me a callback to the cleanup routine which is where I'd 
> > actually record the success or failure of the login attempt (in a DBM 
> > database).
> > 
> > I assume that'll work in which case it'll scratch my immediate itch but 
> > I also assume that it's not the cleanest way to detect a failed auth 
> > attempt. Can anyone recommend a nicer approach?
> 
> The module is complete and working now. It successfully rejects auth 
> attempts from hosts that are responsible for excessive authentication 
> failures according to a configurable set of rules.
> 
> It still needs to function both as an auth and a session module to find 
> out whether authentication was ultimately successful so you end up with 
> a config like this (this is my /etc/pam.d/system-auth):
(Continue reading)

Andy Armstrong | 3 Jan 22:26 2005

Re: Is this a reasonable approach?

Digant C Kasundra wrote:

> That's exciting!  I'm definitely interested in giving it a try.  Where
> can I get it at?

Well if you want to try it right now I'll knock together some quick 
instructions and mail it to you :)

-- 
Andy Armstrong
Jason DiCioccio | 3 Jan 23:31 2005

Re: Is this a reasonable approach?

Andy,

On Mon, 03 Jan 2005 21:26:00 +0000, Andy Armstrong <andy <at> hexten.net> wrote:
> Digant C Kasundra wrote:
> 
> > That's exciting!  I'm definitely interested in giving it a try.  Where
> > can I get it at?
> 
> Well if you want to try it right now I'll knock together some quick
> instructions and mail it to you :)

I'd love a copy as well if you could :-)

Thanks!
-JD-
Andy Armstrong | 3 Jan 23:37 2005

Re: Is this a reasonable approach?

Jason DiCioccio wrote:
>>Well if you want to try it right now I'll knock together some quick
>>instructions and mail it to you :)
> 
> I'd love a copy as well if you could :-)

Aha! Unexpected demand :)

I'm just writing a command line tool that lets you inspect and modify 
the status of failed login attempts. I should have that done in an hour 
or so. Then sleep I think, but tomorrow morning (UK time) I'll write 
some documentation and get the code out to you.

-- 
Andy Armstrong
Digant C Kasundra | 3 Jan 23:48 2005

Re: Is this a reasonable approach?

Look forward to it.  I'm also told that the pam_laus stuff might already
do something similar.  Can anyone elaborate on that module?

On Mon, 2005-01-03 at 16:37, Andy Armstrong wrote:
> Jason DiCioccio wrote:
> >>Well if you want to try it right now I'll knock together some quick
> >>instructions and mail it to you :)
> > 
> > I'd love a copy as well if you could :-)
> 
> Aha! Unexpected demand :)
> 
> I'm just writing a command line tool that lets you inspect and modify 
> the status of failed login attempts. I should have that done in an hour 
> or so. Then sleep I think, but tomorrow morning (UK time) I'll write 
> some documentation and get the code out to you.
Tomas Mraz | 4 Jan 09:54 2005

Re: Is this a reasonable approach?

On Mon, 2005-01-03 at 21:05 +0000, Andy Armstrong wrote:

> If anyone can give me any insight as to how to avoid the need for the 
> session hook I'd be grateful.

If you look at the pam_tally module - it actually works similarly.
However it uses the account phase for that instead. The problem is that some
applications can theoretically avoid using the session phase if they
don't create a session. Maybe you could call this functionality from
pam_sm_acct_mgmt too and leave it to the user which phase he wants to
put it in.

There is probably no way to avoid the session hook. You could also
use the cleanup function on PAM module data, because this function has a
parameter with the final success/failure code, but it's called after the
session is closed, and the program can exit (due to a program error or a
kill) and not call pam_end before that.

-- 
Tomas Mraz <tmraz <at> redhat.com>
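
The design discussed above (mark the attempt during auth, let the pam_set_data() cleanup callback settle it from the final status it receives, and consult the tally from the account phase), as an added C example that is not pam_abl's code and was not posted in this thread. An in-memory table stands in for the DBM database; the abl_* names, the rule struct and the outcome enum are this example's own. The PAM constants carry the values from Linux-PAM's headers and are guarded so the file also compiles with <security/pam_modules.h> included; in a real module the registered cleanup has the signature void cleanup(pam_handle_t *, void *, int) and simply forwards data and error_status to abl_settle().

```c
/* Added example (not pam_abl's code): flag the attempt in auth, settle it in
 * the pam_set_data() cleanup callback, check the tally from acct_mgmt.
 * An in-memory table stands in for the DBM database. */
#include <stdlib.h>
#include <string.h>
#include <time.h>

#ifndef PAM_SUCCESS
#define PAM_SUCCESS 0                /* values as in Linux-PAM's headers */
#define PAM_AUTH_ERR 7
#endif
#ifndef PAM_DATA_SILENT
#define PAM_DATA_SILENT  0x40000000  /* pam_end() from a forked child: act on nothing */
#endif
#ifndef PAM_DATA_REPLACE
#define PAM_DATA_REPLACE 0x20000000  /* data replaced by a later pam_set_data() */
#endif

#define HOST_LEN  64
#define MAX_HOSTS 32

/* One configurable rule (hypothetical shape): block a host once it has
 * max_failures failures and the latest one is within window seconds. */
struct abl_rule { int max_failures; time_t window; };

/* Per-host tally; a real module would keep this in the DBM database. */
struct abl_host { char host[HOST_LEN]; int failures; time_t last_failure; };
static struct abl_host table[MAX_HOSTS];
static int table_len;

/* State attached to the handle in pam_sm_authenticate() via pam_set_data(). */
struct abl_pending { char host[HOST_LEN]; time_t when; };

enum abl_outcome { ABL_IGNORED, ABL_CLEARED, ABL_COUNTED };

static struct abl_host *abl_lookup(const char *host, int create)
{
    for (int i = 0; i < table_len; i++)
        if (strcmp(table[i].host, host) == 0) return &table[i];
    if (!create || table_len == MAX_HOSTS) return NULL;
    struct abl_host *h = &table[table_len++];
    strncpy(h->host, host, HOST_LEN - 1);
    h->host[HOST_LEN - 1] = '\0';
    h->failures = 0;
    h->last_failure = 0;
    return h;
}

/* Auth phase: remember the attempt; nothing is counted yet. The returned
 * pointer is what a real module hands to pam_set_data() with the cleanup. */
struct abl_pending *abl_record_pending(const char *host, time_t now)
{
    struct abl_pending *p = calloc(1, sizeof *p);
    if (!p) return NULL;
    strncpy(p->host, host, HOST_LEN - 1);
    p->when = now;
    return p;
}

/* Body of the cleanup callback. error_status is the code passed to pam_end(),
 * possibly OR'ed with PAM_DATA_SILENT, or PAM_DATA_REPLACE on replacement.
 * Only a plain final status is acted on; the memory is always released. */
enum abl_outcome abl_settle(void *data, int error_status)
{
    struct abl_pending *p = data;
    enum abl_outcome out = ABL_IGNORED;
    if (p && !(error_status & (PAM_DATA_SILENT | PAM_DATA_REPLACE))) {
        struct abl_host *h = abl_lookup(p->host, 1);
        if (h) {
            if (error_status == PAM_SUCCESS) {
                h->failures = 0;            /* a good login wipes the slate */
                out = ABL_CLEARED;
            } else {
                h->failures++;              /* any other final code counts */
                h->last_failure = p->when;
                out = ABL_COUNTED;
            }
        }
    }
    free(p);
    return out;
}

/* Account (or auth) phase check: is this host currently over the limit? */
int abl_host_blocked(const char *host, const struct abl_rule *rule, time_t now)
{
    const struct abl_host *h = abl_lookup(host, 0);
    if (!h || h->failures < rule->max_failures) return 0;
    return now - h->last_failure <= rule->window;   /* still inside the window */
}

int abl_failures(const char *host)
{
    const struct abl_host *h = abl_lookup(host, 0);
    return h ? h->failures : 0;
}
```

The PAM_DATA_SILENT check covers the forked-child case; the case Tomas raises (the program dies before pam_end) is simply never settled here, so such an attempt goes uncounted rather than being wrongly blocked. A module that must count those too would have to write a provisional failure during auth and clear it on success, which is the auth-plus-session arrangement the thread started from.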
Andy Armstrong | 4 Jan 10:15 2005

Re: Is this a reasonable approach?

Tomas Mraz wrote:
>>If anyone can give me any insight as to how to avoid the need for the 
>>session hook I'd be grateful.
> 
> If you look at the pam_tally module - it actually works similarly.
> However it uses the account phase for that instead. The problem is that some
> applications can theoretically avoid using the session phase if they
> don't create a session. Maybe you could call this functionality from
> pam_sm_acct_mgmt too and leave it to the user which phase he wants to
> put it in.

Ah yes - that sounds more sensible, thanks.

> There is probably no way to avoid the session hook. You could also
> use the cleanup function on PAM module data, because this function has a
> parameter with the final success/failure code, but it's called after the
> session is closed, and the program can exit (due to a program error or a
> kill) and not call pam_end before that.

Ah, the cleanup hook. I think that would do the trick thanks. I don't 
think the case where the program dies without the cleanup happening is 
too much of a problem for me so that could be the answer, thanks.

I'll make some changes to the code and run the tests again and then make 
a release. Thanks for the help.

-- 
Andy Armstrong