Benjamin Donnachie | 1 Oct 23:56 2005

Re: pam_tally and fail_locktime


Benjamin Donnachie wrote:
> I am using pam_tally to add a little extra security to php and httpd PAM
> authentications and would like to use fail_locktime - is there an easy
> way (ie a utility perhaps?) to set this value for all users?

/me slaps head...

usage: faillog [-a|-u user] [-m max] [-r] [-t days] [-l locksecs]

How could I have missed the -l switch before?  D'OH!

Ben
Benjamin Donnachie | 1 Oct 23:58 2005

Re: pam_tally and fail_locktime


Benjamin Donnachie wrote:
> How could I have missed the -l switch before?  D'OH!

Ah... because it isn't mentioned in the man page under Fedora Core 3!

Ben
Philip Yarra | 2 Oct 02:13 2005

Re: pam_tally and fail_locktime

Interesting, I see the same inconsistency on Mandr{ake|iva} 10.2
[root <at> punky ~]# faillog --help
faillog: invalid option -- -
usage: faillog [-a|-u user] [-m max] [-r] [-t days] [-l locksecs]

but not listed in the man page. Thanks for the heads-up.

Philip.

On Sun, 2 Oct 2005 07:58 am, Benjamin Donnachie wrote:
> Benjamin Donnachie wrote:
> > How could I have missed the -l switch before?  D'OH!
>
> Ah... because it isn't mentioned in the man page under Fedora Core 3!
>
> Ben
>
> _______________________________________________
> Pam-list mailing list
> Pam-list <at> redhat.com
> https://www.redhat.com/mailman/listinfo/pam-list
Benjamin Donnachie | 2 Oct 21:11 2005

Re: pam_tally and fail_locktime


Philip Yarra wrote:
> Interesting, I see the same inconsistency on Mandr{ake|iva} 10.2

I'm not too impressed with the pam_tally modules supplied with Fedora
Core 3 - it returns a different error message if you get the password
right but it's exceeded the tally...

Completely negating the security I wanted to implement with it!

I prefer the version described at
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-6.html#ss6.24
as it performs account denying at the authentication stage - which
should hopefully not distinguish whether a correct password has been
passed if the tally count has been exceeded...

I shall see whether I can get it running with the version of PAM
supplied with FC3 - if not, I'll look into replacing the whole PAM system...

Ben
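The failure mode Ben describes above (lockout enforced only after the password has been verified, so a locked account answers differently to the right password than to a wrong one) is worth seeing concretely. The following is an added simulation, not code from Linux-PAM, pam_tally or pam_abl: it models a PAM-like stack two ways, lockout in the account stage versus lockout at the start of the auth stage, and shows that the first gives a brute-forcer a password oracle that survives the lockout. The user, password, threshold and wordlist are constructed for the example.

```python
"""Two placements of a failed-login tally in a PAM-style stack.

Added example, not code from Linux-PAM, pam_tally or pam_abl. It simulates
the behaviour described in the thread: if the lockout check runs only after
the password has been verified (account stage), "right password, locked"
and "wrong password" return distinct results, so an attacker can keep
guessing after the lockout and still learn which guess was correct.
"""
from dataclasses import dataclass, field

MAX_FAILURES = 3  # assumed deny= threshold for the example

# Constructed credential store (user -> password). Plain text only because
# this is a simulation; a real module never sees the stored secret.
USERS = {"alice": "correct-horse"}

# Constructed attacker wordlist; the real password is deliberately last so
# the account is already locked when it is tried.
WORDLIST = ["123456", "password", "letmein", "qwerty", "correct-horse"]


@dataclass
class Tally:
    """Per-user failure counter, standing in for /var/log/faillog."""
    failures: dict = field(default_factory=dict)

    def count(self, user):
        return self.failures.get(user, 0)

    def bump(self, user):
        self.failures[user] = self.count(user) + 1

    def reset(self, user):
        self.failures.pop(user, None)


def check_password(user, password):
    return USERS.get(user) == password


def login_lock_in_account(tally, user, password):
    """Lockout enforced after authentication (account stage).

    Mirrors the behaviour reported for the FC3 pam_tally: the password is
    checked first, the tally afterwards, so the two failure modes produce
    different messages.
    """
    if not check_password(user, password):
        tally.bump(user)
        return "Authentication failure"
    if tally.count(user) >= MAX_FAILURES:
        return "Account locked due to too many failures"  # leaks: password was right
    tally.reset(user)
    return "OK"


def login_lock_in_auth(tally, user, password):
    """Lockout enforced inside the auth stage, before the password is checked.

    A locked user gets the same answer whatever they typed.
    """
    if tally.count(user) >= MAX_FAILURES:
        return "Authentication failure"
    if not check_password(user, password):
        tally.bump(user)
        return "Authentication failure"
    tally.reset(user)
    return "OK"


def oracle_distinguishes(login):
    """Lock the account with wrong guesses, then compare the response to one
    more wrong guess with the response to the right password. True means the
    lockout leaks password validity."""
    tally = Tally()
    for _ in range(MAX_FAILURES):
        login(tally, "alice", "wrong")
    wrong = login(tally, "alice", "still-wrong")
    right = login(tally, "alice", USERS["alice"])
    return wrong != right


def brute_force(login, user, wordlist):
    """Attacker's view: any response other than the generic failure counts
    as a hit. Returns the recovered password or None."""
    tally = Tally()
    for guess in wordlist:
        if login(tally, user, guess) != "Authentication failure":
            return guess
    return None


if __name__ == "__main__":
    for name, login in (("lock in account", login_lock_in_account),
                        ("lock in auth", login_lock_in_auth)):
        print(f"{name}: oracle={oracle_distinguishes(login)}, "
              f"recovered={brute_force(login, 'alice', WORDLIST)}")
```

With the lockout in the account stage the attacker recovers the password on the fifth guess even though the account was locked after the third; with the lockout at the start of auth the whole wordlist returns the same generic failure. The same check applies to any real stack: lock an account deliberately, then verify that the right and the wrong password produce byte-identical responses and comparable timing.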
Benjamin Donnachie | 2 Oct 21:49 2005

Re: pam_tally and fail_locktime


Benjamin Donnachie wrote:
> I'm not too impressed with the pam_tally modules supplied with Fedora
> Core 3 - it returns a different error message if you get the password
> right but it's exceeded the tally...

Scrub that - I've found pam_abl at http://www.hexten.net/pam_abl/ which
provides auto blacklisting of hosts and users responsible for repeated
failed authentication attempts...  Perfect! :-)

Ben
Philip Yarra | 5 Oct 01:09 2005

Re: pam_tally and fail_locktime

On Mon, 3 Oct 2005 05:49 am, Benjamin Donnachie wrote:
> Scrub that - I've found pam_abl at http://www.hexten.net/pam_abl/ which
> provides auto blacklisting of hosts and users responsible for repeated
> failed authentication attempts...  Perfect! :-)

I was looking at pam_abl to deflect SSH brute force attacks. Let me know how 
you get on with it.

Philip.
Dan Hollis | 5 Oct 01:25 2005

Re: pam_tally and fail_locktime

On Wed, 5 Oct 2005, Philip Yarra wrote:
> On Mon, 3 Oct 2005 05:49 am, Benjamin Donnachie wrote:
>> Scrub that - I've found pam_abl at http://www.hexten.net/pam_abl/ which
>> provides auto blacklisting of hosts and users responsible for repeated
>> failed authentication attempts...  Perfect! :-)
> I was looking at pam_abl to deflect SSH brute force attacks. Let me know how
> you get on with it.

pam_abl works great in general, though it doesn't work at all on x86_64 at 
the moment. Maybe someone more clued on pam can fix it.
http://www.hexten.net/bugzilla/show_bug.cgi?id=12

-Dan
Benjamin Donnachie | 5 Oct 01:58 2005

Re: pam_tally and fail_locktime


Philip Yarra wrote:
> I was looking at pam_abl to deflect SSH brute force attacks. Let me know how
> you get on with it.

I'm very pleased with it so far.  It works at the auth level of pam, so
blocked users don't get a different error message if they get their
password right (unlike the version of pam_tally on my system!).

The only slight problem is that pam_abl will only run as root but I also
wanted to use it to protect httpd and php authentications which run as
apache - so I removed the root check from the source code and made the
database files world accessible.  Not perfect, but my users don't have
shell access and get placed in a chroot jail when they transfer files
so, hopefully, they won't be able to access the db files!

Alternatively, you could create a separate authentication group, make
the db files g+rw and then add any system users that perform
authentication to this group...

I'd recommend that you give pam_abl a go!  If you need a hand to get it
working with services that authenticate while non-root, let me know and
I'll send you details of my modification.

Take care,

Ben
Benjamin Donnachie | 5 Oct 02:12 2005

Re: pam_tally and fail_locktime


Dan Hollis wrote:
> pam_abl works great in general, though it doesnt work at all on x86_64
> at the moment. maybe someone more clued on pam can fix it.
> http://www.hexten.net/bugzilla/show_bug.cgi?id=12

I understand that the way pam_abl detects the end of a failed auth
attempt is dependent upon services calling the PAM functions in a
particular way - perhaps this is different on x86_64s to their predecessors?

I've suggested to the author that he might like to consider adopting an
approach similar to pam_tally of having auth and account modules (rather
than just auth).  That way it can log an attempted login under the auth
module and then clear it under the account section.  If the auth module
is invoked again without there having been a corresponding account
invocation, then the previous login failed and can be recorded.

I'd also like to use pam_abl to protect services which authenticate
while non-root, such as httpd and php, but I would also like to protect
my db files...  One method might be to use sql databases instead and to
hardcode the database details at compile time... Or maybe look into
whether pam modules can be set UID'ed.

When I get time, I intend to start looking at implementing these in
pam_abl/something similar - the auth/account separation might be just
what's needed on the x86_64 platform.

Ben
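Two ideas in the messages above lend themselves to a worked sketch: pam_abl-style auto-blacklisting of hosts and users that rack up failed attempts (Ben's earlier message), and the auth/account split he proposes here for detecting a failure without relying on PAM's cleanup callback. The code below is an added example and not pam_abl's or pam_tally's code; the thresholds, the sliding window, the `(user, host)` keying and the sample addresses are assumptions made for the illustration.

```python
"""Sketch of an auto-blacklist with the auth/account split proposed above.

Added example, not code from pam_abl or pam_tally. An attempt is recorded
when the auth stage runs; the account stage (only reached after a
successful auth) clears it. If auth runs again for the same (user, host)
without an intervening account call, the earlier attempt is counted as a
failure. Hosts and users are blocked once their recent failures exceed a
per-rule limit within a sliding window. Rule values are assumptions.
"""
from collections import defaultdict, deque

HOST_RULE = (10, 3600)  # assumed: 10 failures from one host within 1 hour
USER_RULE = (3, 3600)   # assumed: 3 failures against one user within 1 hour


class AutoBlacklist:
    def __init__(self, host_rule=HOST_RULE, user_rule=USER_RULE):
        self.host_rule = host_rule
        self.user_rule = user_rule
        self.host_fail = defaultdict(deque)  # host -> failure timestamps
        self.user_fail = defaultdict(deque)  # user -> failure timestamps
        self.pending = {}                    # (user, host) -> time of auth not yet followed by account

    @staticmethod
    def _prune(times, window, now):
        """Drop failures older than the window (sliding-window count)."""
        while times and now - times[0] > window:
            times.popleft()

    def _record_failure(self, user, host, when):
        self.host_fail[host].append(when)
        self.user_fail[user].append(when)

    def _blocked(self, table, key, rule, now):
        limit, window = rule
        times = table.get(key)
        if not times:
            return False
        self._prune(times, window, now)
        return len(times) >= limit

    def auth(self, user, host, now):
        """Auth stage, placed before the password module.

        A pending marker left by a previous auth for this (user, host) means
        that attempt never reached the account stage, i.e. it failed, so it
        is recorded now. Returns 'deny' if the host or the user is currently
        blacklisted, otherwise 'continue' (let the password module run).
        """
        key = (user, host)
        prev = self.pending.pop(key, None)
        if prev is not None:
            self._record_failure(user, host, prev)
        self.pending[key] = now
        if (self._blocked(self.host_fail, host, self.host_rule, now)
                or self._blocked(self.user_fail, user, self.user_rule, now)):
            return "deny"
        return "continue"

    def account(self, user, host):
        """Account stage: reached only after a successful auth, so the
        pending marker for this (user, host) is cleared."""
        self.pending.pop((user, host), None)


def simulate_ssh_brute_force():
    """Constructed scenario: 203.0.113.7 hammers 'root' with wrong passwords
    one second apart (the password module fails each time, so account is
    never called); 198.51.100.2 is a legitimate user who logs in and comes
    back. Returns (attempt number at which root was denied, result for the
    legitimate user's second login)."""
    abl = AutoBlacklist()
    denied_at = None
    for i in range(1, 16):
        if abl.auth("root", "203.0.113.7", 1000 + i) == "deny" and denied_at is None:
            denied_at = i
    abl.auth("alice", "198.51.100.2", 1100)
    abl.account("alice", "198.51.100.2")
    legit = abl.auth("alice", "198.51.100.2", 1101)
    return denied_at, legit


if __name__ == "__main__":
    print(simulate_ssh_brute_force())
```

Because the auth stage runs before the password module and returns the same denial for every blacklisted request, a blocked user or host cannot tell a right password from a wrong one, which is the property the thread is after. The trade-off of inferring failure from "auth without account" is also visible: an attempt is only counted when the same (user, host) comes back, so a single one-off failure is never recorded, and the `pending` table needs periodic expiry in a long-running service.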
Dan Hollis | 5 Oct 02:15 2005

Re: pam_tally and fail_locktime

On Wed, 5 Oct 2005, Benjamin Donnachie wrote:
> Dan Hollis wrote:
>> pam_abl works great in general, though it doesnt work at all on x86_64
>> at the moment. maybe someone more clued on pam can fix it.
>> http://www.hexten.net/bugzilla/show_bug.cgi?id=12
> I understand that the way pam_abl detects the end of a failed auth
> attempt is dependent upon services calling the PAM functions in a
> particular way - perhaps this is different on x86_64s to their predecessors?

"After doing some tests, I have found that the cleanup function registered 
by pam_set_data is never called."

whether the bug is in x86_64 pam or in pam_abl is unknown at the moment. 
but ia32 pam_abl works fine.

if the api for x86_64 pam is different, sounds like a pam bug to me. but 
afaik no other applications that use pam have breakage like this, so i'm 
going to assume it's a pam_abl bug.

-Dan
