Hello Andy,
I've downloaded and compiled the pam_abl package.
Basically, it seems to work quite well. I did notice the following:
a) It requires the following /etc/ssh/sshd_config settings for openssh-server 3.9p1-7 (Fedora Core 3/Mandrake 10.1):
    UsePAM yes
    ChallengeResponseAuthentication no
b) sshd normally allows 3 tries before kicking the user out of the password dialog. This registers as 1 user failure and 1 host failure for pam_abl.
Changing the /etc/ssh/sshd_config setting: MaxAuthTries 1 limits the user to 1 try per TCP connection, and brings pam_abl into line with real attempts
This works for Fedora Core 3 (openssh-server 3.9p1-7)
For Mandrake 10.1, 'MaxAuthTries N' allows 'N+1' tries, and never allows more than 3 tries anyway. 'MaxAuthTries 1' kicks you out before you start! I'm reluctant to set 'MaxAuthTries 0', even though this works. I thought I had Mandrake allowing "N-1" tries, too, though I can't reproduce it for now.
For Red Hat ES3/WS3 using openssh-server-3.6.1p2, the option MaxAuthTries does not exist, and we are stuck with the 3:1 ratio of real:measured failures.
c) Once a user or host has been locked, there does not seem to be any way to unlock the account manually, before the 'purge' time has elapsed.
The locking appears to apply to a particular host, so I don't think this would arise except during testing. Once a host has exceeded its failed-login limit, I would be reluctant to unlock it at a user's request.
"user locking" appears to be "user-host locking", in that it is not the user's account which gets locked, but a particular user-host combination.
d) It would be useful if the pam_abl command, in addition to the list of failed attempts, would give a clear indication of which hosts and user-hosts are currently black-listed.
e) It might be better if the 'pam_abl -v' command also showed the hostname/ip for each failed user-attempt.
eg:
Failed users:
    george (3)
        Mon Jan 10 11:22:49 2005  localhost
        Mon Jan 10 11:22:35 2005  www.example.net
        Mon Jan 10 11:22:31 2005  localhost
Similar could be applied to "Failed hosts" output, which could show the username for each attempt.
Failed hosts:
    localhost (1)
        Mon Jan 10 11:17:14 2005  george
Is there a place for "user-only locking"? Perhaps for a distributed attack on a particular user?
f) The pam_abl command REQUIRES the default-config to be specified, ie: pam_abl /etc/security/pam_abl.conf works, while pam_abl fails. This gets annoying pretty quickly.
g) The "host" field printed by pam_abl seems to be recorded as an IP address, even though hostnames are printed. It would be nice to have the choice of hostname/IP address for the output.
In its current form pam_abl is already useful. I am looking forward to seeing future enhancements, and I hope it will be included in the "standard" Linux-pam package in the near future.
Regards, George Hansper
Andy Armstrong wrote:
George Hansper wrote:
Hi,
I've been looking at pam_tally as a means of discouraging "brute force" ssh attacks. I have noticed, like Adam Monsen in a previous e-mail:
http://www.redhat.com/archives/pam-list/2004-October/msg00047.html
that once the maximum password failures has been exceeded,
SSH/PAM still give a clear indication of when you've cracked the right password.
I don't know if it helps but pam_abl[1] produces the same response for blacklisted hosts/users whether or not they supply the correct credentials. It also disables logins based on the originating host rather than the user so accounts that are under attack typically remain usable by their legitimate owner.
[1] http://www.hexten.net/sw/pam_abl/index.mhtml
_______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
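The counting mismatch George reports in point (b) above, as an added example; this is not code from pam_abl or OpenSSH and is not part of the original thread. It models the one observation from the message (sshd reports one PAM failure per TCP connection however many wrong passwords that connection carried, so MaxAuthTries sets the ratio of real guesses to recorded failures), and uses a simplified "N failures within T" host rule as a stand-in for pam_abl's host_rule; that rule, the threshold, the hostnames and the guess timings are all constructed assumptions, not pam_abl's actual evaluation logic or real log data.

```python
"""Model of how sshd's MaxAuthTries changes what a PAM-level blacklist sees.

Assumptions (not taken from pam_abl or OpenSSH source):
  * one TCP connection = one PAM failure, regardless of how many wrong
    passwords it carried (George's observation in the thread);
  * a host is blacklisted when at least THRESHOLD failures fall inside
    the last WINDOW (a simplified stand-in for pam_abl's "N/T" host_rule).
"""
from datetime import datetime, timedelta
from itertools import groupby

THRESHOLD = 10                 # assumed rule: 10 failures ...
WINDOW = timedelta(hours=1)    # ... within one hour


def sshd_connections(guesses, max_auth_tries):
    """Pack each host/user run of consecutive guesses into connections of at
    most max_auth_tries guesses, as a brute-force client would.

    guesses: list of (timestamp, host, user) sorted by timestamp.
    Returns a list of (time_of_last_guess, host, user, guesses_in_connection).
    """
    if max_auth_tries < 1:
        raise ValueError("MaxAuthTries must be at least 1")
    connections = []
    for (host, user), run in groupby(guesses, key=lambda g: (g[1], g[2])):
        run = list(run)
        for i in range(0, len(run), max_auth_tries):
            chunk = run[i:i + max_auth_tries]
            connections.append((chunk[-1][0], host, user, len(chunk)))
    return connections


def pam_failures(guesses, max_auth_tries):
    """One recorded PAM failure per connection (the thread's observation)."""
    return [(t, h, u) for (t, h, u, _n) in sshd_connections(guesses, max_auth_tries)]


def host_blocked(failures, host, now, threshold=THRESHOLD, window=WINDOW):
    """Simplified 'threshold/window' host rule over recorded failures."""
    recent = [t for (t, h, _u) in failures if h == host and now - window <= t <= now]
    return len(recent) >= threshold


# Constructed data: 12 wrong passwords for 'george' from one attacking host,
# ten seconds apart, plus one genuine typo from george's own workstation.
ATTACKER = "10.0.0.5"
OWNER_HOST = "192.0.2.7"
ATTACK_START = datetime(2005, 1, 10, 11, 22, 0)
GUESSES = [(ATTACK_START + timedelta(seconds=10 * i), ATTACKER, "george") for i in range(12)]
GUESSES.append((datetime(2005, 1, 10, 11, 25, 0), OWNER_HOST, "george"))
GUESSES.sort()


def summary(max_auth_tries, now=datetime(2005, 1, 10, 11, 30, 0)):
    """Real guesses versus recorded failures, and who ends up blacklisted."""
    failures = pam_failures(GUESSES, max_auth_tries)
    return {
        "real_guesses": sum(1 for g in GUESSES if g[1] == ATTACKER),
        "recorded_failures": sum(1 for f in failures if f[1] == ATTACKER),
        "attacker_blocked": host_blocked(failures, ATTACKER, now),
        "owner_blocked": host_blocked(failures, OWNER_HOST, now),
    }


if __name__ == "__main__":
    for tries in (3, 1):
        print(f"MaxAuthTries {tries}: {summary(tries)}")
```

With the default of three tries per connection the twelve guesses are recorded as four failures and the attacking host stays under the assumed 10/1h rule; with MaxAuthTries 1 every guess is its own connection, the count matches reality and the host is blocked, while the legitimate owner's single failure from another host blocks nothing, which is the host-based behaviour Andy describes in the quoted message.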