Re: pam_tally and fail_locktime
Benjamin Donnachie <benjamin <at> pythagoras.no-ip.org>
2005-10-04 23:58:23 GMT
Philip Yarra wrote:

> I was looking at pam_abl to deflect SSH brute force attacks. Let me know how
> you get on with it.

I'm very pleased with it so far. It works at the auth level of pam, so
blocked users don't get a different error message if they get their
password right (unlike the version of pam_tally on my system!).

The only slight problem is that pam_abl will only run as root but I also
wanted to use it to protect httpd and php authentications which run as
apache - so I removed the root check from the source code and made the
database files world accessible. Not perfect, but my users don't have
shell access and get placed in a chroot jail when they transfer files
so, hopefully, they won't be able to access the db files!

Alternatively, you could create a separate authentication group, make
the db files g+rw and then add any system users that perform
authentication to this group...

I'd recommend that you give pam_abl a go! If you need a hand to get it
working with services that authenticate while non-root, let me know and
I'll send you details of my modification.

Take care,

Ben
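The group-based alternative Ben suggests, as an added shell example that is not from the thread or from the pam_abl project: it restricts the database files to a dedicated group instead of leaving them world accessible, and includes a check that flags any file still open to "other". The database directory, file names and group name are assumptions (pam_abl's real paths may differ), and the demo uses the caller's own group so it runs without root; in production you would use the dedicated group and add the apache user to it.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post or from pam_abl.
# Paths (/var/lib/abl style db directory) and group names are assumptions.

# harden_abl_db DIR GROUP
#   Gives GROUP ownership of DIR and its db files, makes the files
#   group read/write (0660), makes DIR setgid so new db files inherit
#   the group (2770), and removes every "other" permission bit.
harden_abl_db() {
    dir=$1
    group=$2
    [ -d "$dir" ] || return 1
    chgrp -R "$group" "$dir" || return 1
    chmod 2770 "$dir" || return 1
    find "$dir" -type f -exec chmod 0660 {} + || return 1
    return 0
}

# check_abl_db DIR
#   Returns 0 if nothing under DIR grants any permission to "other";
#   otherwise prints the offending paths and returns 1.
check_abl_db() {
    dir=$1
    offenders=$(find "$dir" -perm /007 2>/dev/null)
    if [ -n "$offenders" ]; then
        printf 'world-accessible: %s\n' $offenders
        return 1
    fi
    return 0
}

# demo_abl_perms
#   Builds a constructed, throwaway directory that mimics the
#   "world accessible" workaround from the post, shows the check
#   flagging it, then applies the group-based fix and re-checks.
demo_abl_perms() {
    tmp=$(mktemp -d) || return 1
    touch "$tmp/hosts.db" "$tmp/users.db"
    chmod 0666 "$tmp"/*.db              # the quick fix described in the post
    check_abl_db "$tmp" && return 1     # must be flagged as world accessible
    # Real deployment: a dedicated group (e.g. "authdb") with apache added
    # to it; the caller's primary group is used here so this runs unprivileged.
    harden_abl_db "$tmp" "$(id -gn)" || return 1
    check_abl_db "$tmp" || return 1     # clean after hardening
    rm -rf "$tmp"
    return 0
}
```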