Ed Schouten | 1 May 14:45 2010

[Extension] utmpx and LOGIN_FAILURE

Hi all,

Some time ago I noticed some operating systems offer an interface called
btmp, which is essentially a wtmp for logging failed login attempts.
Instead of taking the same approach, I'd rather do something as follows:

	http://80386.nl/pub/utmpx-login_failure.diff.txt

This patch adds a new utmpx log entry type called LOGIN_FAILURE.
Unfortunately we are the only operating system that does it this way,
but I suspect if we can already get OpenSSH and PAM to use this
interface, we've got reasonable coverage. The patch only has the
modifications for OpenSSH.

An example of what this looks like:

| $ last | grep failed
| sdlfkjdf            mekker.80386.nl        Sat May  1 14:14   login failed

The idea behind having this is to make logging of such failed attempts
more generic and easier to obtain. It would be quite nice if
applications like DenyHosts can simply harvest this database using
getutxent(3), instead of using all sorts of regular expressions on the
log files.

Any thoughts on this subject?

-- 
 Ed Schouten <ed <at> 80386.nl>
 WWW: http://80386.nl/
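
The harvesting idea in the message above, as an added example that is not part of the thread or of the linked patch: a per-host tally of failure records read through the utmpx iteration calls. The numeric value of LOGIN_FAILURE, the names host_count, tally, harvest and demo, and the host a.example are assumptions made for illustration; which utmpx database the patch writes to is not stated on the page.

```c
#include <stdio.h>
#include <string.h>
#include <utmpx.h>
/* Assumed placeholder value: the patch itself is not shown on the page. */
#define LOGIN_FAILURE 100
#define MAX_HOSTS 64
#define HOSTLEN (sizeof(((struct utmpx *)0)->ut_host) + 1)
struct host_count { char host[HOSTLEN]; int failures; };

/* Fold one record into tab[0..n); returns the new number of hosts. */
int tally(struct host_count *tab, int n, const struct utmpx *u)
{
    if (u->ut_type != LOGIN_FAILURE) return n;  /* logins, logouts: skip */
    for (int i = 0; i < n; i++)                 /* ut_host may lack a NUL */
        if (strncmp(tab[i].host, u->ut_host, HOSTLEN - 1) == 0) { tab[i].failures++; return n; }
    if (n == MAX_HOSTS) return n;               /* table full: drop, no overflow */
    tab[n] = (struct host_count){ .failures = 1 };  /* host zero-filled */
    memcpy(tab[n].host, u->ut_host, HOSTLEN - 1);
    return n + 1;
}

/* Harvest the default utmpx database with the standard iteration calls. */
int harvest(struct host_count *tab)
{
    struct utmpx *u;
    int n = 0;
    for (setutxent(); (u = getutxent()) != NULL; )
        n = tally(tab, n, u);
    endutxent();
    return n;
}

/* Constructed records (not real log data): hosts with >= threshold failures. */
int demo(int threshold)
{
    const char *hosts[] = { "mekker.80386.nl", "a.example", "a.example", "a.example" };
    struct host_count tab[MAX_HOSTS];
    struct utmpx u = { .ut_type = LOGIN_FAILURE };
    int n = 0, hits = 0;
    for (int i = 0; i < 4; i++) {
        snprintf(u.ut_host, sizeof(u.ut_host), "%s", hosts[i]);
        n = tally(tab, n, &u);
    }
    for (int i = 0; i < n; i++)
        hits += tab[i].failures >= threshold;
    return hits;
}

int main(void) { printf("hosts at threshold 3: %d\n", demo(3)); return 0; }
```

The table is bounded by MAX_HOSTS, so a flood of failures from many distinct hosts fills the table and is then dropped instead of growing memory.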

Alexander Leidinger | 1 May 21:12 2010

Re: [Extension] utmpx and LOGIN_FAILURE

On Sat, 1 May 2010 14:45:44 +0200 Ed Schouten <ed <at> 80386.nl> wrote:

> Hi all,
> 
> Some time ago I noticed some operating systems offer an interface
> called btmp, which is essentially a wtmp for logging failed login
> attempts. Instead of taking the same approach, I'd rather do

Does this default to on or off or is this always on? If the latter: some
kind of a switch (no matter what the default is) would be highly
desired.

Bye,
Alexander.
_______________________________________________
freebsd-arch <at> freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-arch
To unsubscribe, send any mail to "freebsd-arch-unsubscribe <at> freebsd.org"

Ed Schouten | 1 May 22:32 2010

Re: [Extension] utmpx and LOGIN_FAILURE

Hello Alexander,

* Alexander Leidinger <Alexander <at> Leidinger.net> wrote:
> On Sat, 1 May 2010 14:45:44 +0200 Ed Schouten <ed <at> 80386.nl> wrote:
> 
> > Hi all,
> > 
> > Some time ago I noticed some operating systems offer an interface
> > called btmp, which is essentially a wtmp for logging failed login
> > attempts. Instead of taking the same approach, I'd rather do
> 
> Does this default to on or off or is this always on? If the latter: some
> kind of a switch (no matter what the default is) would be highly
> desired.

What about adding a switch to last(1) to (un)hide the entries?

-- 
 Ed Schouten <ed <at> 80386.nl>
 WWW: http://80386.nl/

Peter Jeremy | 1 May 22:56 2010

Re: [Extension] utmpx and LOGIN_FAILURE

On 2010-May-01 22:32:44 +0200, Ed Schouten <ed <at> 80386.nl> wrote:
>* Alexander Leidinger <Alexander <at> Leidinger.net> wrote:
>> Does this default to on or off or is this always on? If the latter: some
>> kind of a switch (no matter what the default is) would be highly
>> desired.
>
>What about adding a switch to last(1) to (un)hide the entries?

That doesn't cover the DoS potential of logging this data in the
first place.

-- 
Peter Jeremy

Ed Schouten | 2 May 01:58 2010

Re: [Extension] utmpx and LOGIN_FAILURE

* Peter Jeremy <peterjeremy <at> acm.org> wrote:
> On 2010-May-01 22:32:44 +0200, Ed Schouten <ed <at> 80386.nl> wrote:
> >* Alexander Leidinger <Alexander <at> Leidinger.net> wrote:
> >> Does this default to on or off or is this always on? If the latter: some
> >> kind of a switch (no matter what the default is) would be highly
> >> desired.
> >
> >What about adding a switch to last(1) to (un)hide the entries?
> 
> That doesn't cover the DoS potential of logging this data in the
> first place.

So how is this covered right now? As far as I know, all of our existing
login services write messages to /var/log/*.

-- 
 Ed Schouten <ed <at> 80386.nl>
 WWW: http://80386.nl/

M. Warner Losh | 2 May 05:50 2010

Re: [Extension] utmpx and LOGIN_FAILURE

In message: <20100501235846.GU56080 <at> hoeg.nl>
            Ed Schouten <ed <at> 80386.nl> writes:
: * Peter Jeremy <peterjeremy <at> acm.org> wrote:
: > On 2010-May-01 22:32:44 +0200, Ed Schouten <ed <at> 80386.nl> wrote:
: > >* Alexander Leidinger <Alexander <at> Leidinger.net> wrote:
: > >> Does this default to on or off or is this always on? If the latter: some
: > >> kind of a switch (no matter what the default is) would be highly
: > >> desired.
: > >
: > >What about adding a switch to last(1) to (un)hide the entries?
: > 
: > That doesn't cover the DoS potential of logging this data in the
: > first place.
: 
: So how is this covered right now? As far as I know, all of our existing
: login services write messages to /var/log/*.

newsyslog rotates those files when they get too big...

Warner

Alfred Perlstein | 2 May 06:23 2010

Re: [Extension] utmpx and LOGIN_FAILURE

* Ed Schouten <ed <at> 80386.nl> [100501 06:05] wrote:
> Hi all,
> 
> Some time ago I noticed some operating systems offer an interface called
> btmp, which is essentially a wtmp for logging failed login attempts.
> Instead of taking the same approach, I'd rather do something as follows:
> 
> 	http://80386.nl/pub/utmpx-login_failure.diff.txt
> 
> This patch adds a new utmpx log entry type called LOGIN_FAILURE.
> Unfortunately we are the only operating system that does it this way,
> but I suspect if we can already get OpenSSH and PAM to use this
> interface, we've got reasonable coverage. The patch only has the
> modifications for OpenSSH.
> 
> An example of what this looks like:
> 
> | $ last | grep failed
> | sdlfkjdf            mekker.80386.nl        Sat May  1 14:14   login failed
> 
> The idea behind having this is to make logging of such failed attempts
> more generic and easier to obtain. It would be quite nice if
> applications like DenyHosts can simply harvest this database using
> getutxent(3), instead of using all sorts of regular expressions on the
> log files.
> 
> Any thoughts on this subject?

I am obviously not too familiar with this code, but I am worried
that unless done properly we could be vulnerable to DoS or obliterating

Julian Elischer | 2 May 06:55 2010

Re: [Extension] utmpx and LOGIN_FAILURE

On 5/1/10 8:50 PM, M. Warner Losh wrote:
> In message:<20100501235846.GU56080 <at> hoeg.nl>
>              Ed Schouten<ed <at> 80386.nl>  writes:
> : * Peter Jeremy<peterjeremy <at> acm.org>  wrote:
> :>  On 2010-May-01 22:32:44 +0200, Ed Schouten<ed <at> 80386.nl>  wrote:
> :>  >* Alexander Leidinger<Alexander <at> Leidinger.net>  wrote:
> :>  >>  Does this default to on or off or is this always on? If the latter: some
> :>  >>  kind of a switch (no matter what the default is) would be highly
> :>  >>  desired.
> :>  >
> :>  >What about adding a switch to last(1) to (un)hide the entries?
> :>
> :>  That doesn't cover the DoS potential of logging this data in the
> :>  first place.
> :
> : So how is this covered right now? As far as I know, all of our existing
> : login services write messages to /var/log/*.

Successful and unsuccessful attempts need to be in different files, or
an attacker can effectively flush the record of successful attempts by
filling up the files with unsuccessful attempts. This is also a DoS
method.

>
> newsyslog rotates those files when they get too big...
>
> Warner

M. Warner Losh | 2 May 10:15 2010

Re: [Extension] utmpx and LOGIN_FAILURE

In message: <20100502042314.GV36233 <at> elvis.mu.org>
            Alfred Perlstein <alfred <at> freebsd.org> writes:
: * Ed Schouten <ed <at> 80386.nl> [100501 06:05] wrote:
: > Hi all,
: > 
: > Some time ago I noticed some operating systems offer an interface called
: > btmp, which is essentially a wtmp for logging failed login attempts.
: > Instead of taking the same approach, I'd rather do something as follows:
: > 
: > 	http://80386.nl/pub/utmpx-login_failure.diff.txt
: > 
: > This patch adds a new utmpx log entry type called LOGIN_FAILURE.
: > Unfortunately we are the only operating system that does it this way,
: > but I suspect if we can already get OpenSSH and PAM to use this
: > interface, we've got reasonable coverage. The patch only has the
: > modifications for OpenSSH.
: > 
: > An example of what this looks like:
: > 
: > | $ last | grep failed
: > | sdlfkjdf            mekker.80386.nl        Sat May  1 14:14   login failed
: > 
: > The idea behind having this is to make logging of such failed attempts
: > more generic and easier to obtain. It would be quite nice if
: > applications like DenyHosts can simply harvest this database using
: > getutxent(3), instead of using all sorts of regular expressions on the
: > log files.
: > 
: > Any thoughts on this subject?
: 

FreeBSD bugmaster | 3 May 13:08 2010

Current problem reports assigned to freebsd-arch <at> FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/120749  arch       [request] Suggest upping the default kern.ps_arg_cache

1 problem total.
