
Re: PAM tarpit module for repeated SSH login attempts

martin f. krafft wrote:

> Nice, though it does not look like a tarpit... instead, it just
> doesn't respond to requests. A tarpit would start the connection
> and hold it instead. Maybe I misunderstand the code, I am not really
> a PAM hacker.

Well, I'm certainly not an expert either, this was my first attempt at
playing with PAM.  Even if it isn't really a tarpit, it's a nice way to
limit the rate of cracking attempts via SSH -- with each incorrect
password, the attacker has to wait a factor of 2 longer before s/he
knows whether or not the attempt was successful.  And this should be a
discouragement to the brute-force attacks we've been seeing a lot lately.

> It would be nice to have it actually tarpit multiple attempts from
> the same IP. Once you have implemented this, I would be happy to
> package this for Debian, since it's a really nice tool!

Yep, this is definitely the plan in the medium future.  One issue is
that PAM doesn't seem to have a good way to get the remote IP, only the
remote host (or to be more accurate, the application is supposed to tell
PAM a remote hostname / IP address, and then PAM modules can only obtain
whichever of these the application deigned to provide).  SSH provides
the remote hostname, but maybe this is good enough?

> May I suggest something? Instead of tallying attempts for a single
> account, why not tally attempts *from* a single IP?

Hmm, do you think it would be reasonable then to not bother tracking
attempts per-user, only per-remote-machine?

p.s. I apologize for breaking the thread, I'm replying via the mailing
list archive and using Thunderbird ( http://bugs.debian.org/268055 ).

Kevin B. McCarty <kmccarty@princeton.edu>   Physics Department
WWW: http://www.princeton.edu/~kmccarty/    Princeton University
GPG public key ID: 4F83C751                 Princeton, NJ 08544
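The scheme discussed in the thread (a tally kept per remote host rather than per account, with a wait that doubles on every failed attempt), written out as an added C example; this is not code from the original post or from the module it discusses. It assumes a 1-second base delay, a 64-second cap on the wait, and an in-memory table standing in for whatever store a real module would use.

```c
/* Added example: per-remote-host exponential backoff tally (not the original
 * module). A real PAM module would call record_failure()/record_success()
 * from pam_sm_authenticate() after fetching the peer with
 * pam_get_item(pamh, PAM_RHOST, ...), and sleep() for the returned seconds
 * before telling the application whether the attempt succeeded. */
#include <stdio.h>
#include <string.h>

#define MAX_HOSTS  64   /* size of the constructed in-memory tally */
#define BASE_DELAY 1    /* seconds to wait after the first failure (assumption) */
#define MAX_DELAY  64   /* assumption: cap so the wait cannot grow without bound */

struct tally {
    char host[256];     /* remote host exactly as PAM_RHOST hands it over */
    unsigned failures;  /* consecutive failed attempts seen from this host */
};

static struct tally table[MAX_HOSTS];

/* Find the tally for host, creating it on first sight; NULL when table is full.
 * Slots fill sequentially, so the first empty slot means no later match exists. */
static struct tally *lookup(const char *host)
{
    for (int i = 0; i < MAX_HOSTS; i++) {
        if (table[i].host[0] == '\0') {
            snprintf(table[i].host, sizeof table[i].host, "%s", host);
            return &table[i];
        }
        if (strcmp(table[i].host, host) == 0)
            return &table[i];
    }
    return NULL;
}

/* Record a failed login from host and return the seconds the caller should
 * sleep before reporting the result: BASE_DELAY doubled once per earlier
 * failure from the same host, capped at MAX_DELAY. */
unsigned record_failure(const char *host)
{
    struct tally *t = lookup(host);
    if (t == NULL)
        return MAX_DELAY;   /* table full: fail closed with the longest wait */
    unsigned delay = BASE_DELAY;
    for (unsigned i = 0; i < t->failures && delay < MAX_DELAY; i++)
        delay *= 2;
    t->failures++;
    return delay;
}

/* A successful login from host clears its tally. */
void record_success(const char *host)
{
    struct tally *t = lookup(host);
    if (t != NULL)
        t->failures = 0;
}
```

Keying only on the host means every account tried from the same machine shares one growing delay, which is the behaviour the thread proposes; a production module would also need to persist the table and expire old entries.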