Philip Yarra wrote:
> I was looking at pam_abl to deflect SSH brute force attacks. Let me know how
> you get on with it.

I'm very pleased with it so far. It works at the auth level of pam, so blocked users don't get a different error message if they get their password right (unlike the version of pam_tally on my system!).

The only slight problem is that pam_abl will only run as root but I also wanted to use it to protect httpd and php authentications which run as apache - so I removed the root check from the source code and made the database files world accessible. Not perfect, but my users don't have shell access and get placed in a chroot jail when they transfer files so, hopefully, they won't be able to access the db files! Alternatively, you could create a separate authentication group, make the db files g+rw and then add any system users that perform authentication to this group...

I'd recommend that you give pam_abl a go! If you need a hand to get it working with services that authenticate while non-root, let me know and I'll send you details of my modification.

Take care,
Ben

_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list