
PAM tarpit module for repeated SSH login attempts



Hi list,

Having tired of seeing attempts to log in as root via SSH in my logs, I
wrote a quick-and-dirty hack to the pam_tally module in order to
implement a tarpit.  Here's the code: (License is of course GPL)

http://www.princeton.edu/~kmccarty/downloads/pam_tarpit-0.0.1.tar.gz

This will work if you use PAM with SSH, even if you have PermitRootLogin
set to "no" (which should generally be the case anyway).  See the
included README for the lines to add to /etc/pam.d/ssh .  For each
failed login attempt after the first three, the module increases the
amount of time required to wait for the next login attempt by a factor
of two.

Caveat: this module doesn't (yet) implement IP tracking, so there is
some danger of a DoS.  Since the current SSH dictionary attacks appear
only to try cracking root and other non-user accounts, if you don't
permit root to log in by SSH anyway, the danger is not so high.  You
might also want to add a cron job to delete the /var/log/faillog file
every so often.

Comments?

-- 
Kevin B. McCarty <kmccarty@princeton.edu>   Physics Department
WWW: http://www.princeton.edu/~kmccarty/    Princeton University
GPG public key ID: 4F83C751                 Princeton, NJ 08544
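
The following C sketch is an added example, not part of the original post and not code from the pam_tarpit tarball. It models the doubling delay described above and the denial-of-service caveat of a per-account tally compared with a per-account-and-source-IP tally. Assumptions: a 1 second base delay that starts at the fourth failure, a one-hour cap, and the hypothetical names tarpit_delay, lookup and victim_delay.

```c
#include <stdio.h>
#include <string.h>

#define FREE_ATTEMPTS 3       /* from the post: the first three failures cost nothing */
#define BASE_DELAY_S  1UL     /* assumption: the post does not state a base delay */
#define MAX_DELAY_S   3600UL  /* assumption: cap added here to bound the delay */

/* Seconds to wait before the next attempt, after `failures` failed logins. */
unsigned long tarpit_delay(unsigned failures)
{
    if (failures <= FREE_ATTEMPTS) return 0;
    unsigned doublings = failures - FREE_ATTEMPTS - 1;
    if (doublings >= 20) return MAX_DELAY_S;   /* keep the shift in range */
    unsigned long d = BASE_DELAY_S << doublings;
    return d > MAX_DELAY_S ? MAX_DELAY_S : d;
}

struct tally { char key[96]; unsigned failures; };

/* Find (or create) the failure counter for `key`; NULL if the table is full. */
static struct tally *lookup(struct tally *t, size_t n, const char *key)
{
    for (size_t i = 0; i < n; i++) {
        if (t[i].key[0] == '\0')
            snprintf(t[i].key, sizeof t[i].key, "%s", key);
        if (strcmp(t[i].key, key) == 0)
            return &t[i];
    }
    return NULL;
}

/* Delay the real account owner faces after a remote host failed `bad` logins.
 * track_ip = 0: per-account tally (as posted); 1: tally keyed by account and IP. */
unsigned long victim_delay(int track_ip, unsigned bad)
{
    struct tally table[4] = {0};
    /* constructed sample values: account name and documentation-range IPs */
    const char *k_bad  = track_ip ? "alice@203.0.113.5"  : "alice";
    const char *k_user = track_ip ? "alice@198.51.100.7" : "alice";
    for (unsigned i = 0; i < bad; i++)
        lookup(table, 4, k_bad)->failures++;
    return tarpit_delay(lookup(table, 4, k_user)->failures);
}

int main(void)
{
    for (unsigned f = 3; f <= 8; f++)
        printf("after %u failures: wait %lu s\n", f, tarpit_delay(f));
    printf("per-account tally: owner waits %lu s\n", victim_delay(0, 10));
    printf("account+IP tally:  owner waits %lu s\n", victim_delay(1, 10));
    return 0;
}
```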


