Re: PAM tarpit module for repeated SSH login attempts
martin f. krafft wrote:
> Nice, though it does not look like a tarpit... instead, it just
> doesn't respond to requests. A tarpit would start the connection
> and hold it instead. Maybe I misunderstand the code, I am not really
> a PAM hacker.
Well, I'm certainly not an expert either; this was my first attempt at
playing with PAM. Even if it isn't really a tarpit, it's a nice way to
limit the rate of cracking attempts via SSH -- with each incorrect
password, the attacker has to wait a factor of 2 longer before s/he
knows whether or not the attempt was successful. And this should be a
discouragement to the brute-force attacks we've been seeing a lot lately.
> It would be nice to have it actually tarpit multiple attempts from
> the same IP. Once you have implemented this, I would be happy to
> package this for Debian, since it's a really nice tool!
Yep, this is definitely the plan in the medium future. One issue is
that PAM doesn't seem to have a good way to get the remote IP, only the
remote host (or to be more accurate, the application is supposed to tell
PAM a remote hostname / IP address, and then PAM modules can only obtain
whichever of these the application deigned to provide). SSH provides
the remote hostname, but maybe this is good enough?
> May I suggest something? Instead of tallying attempts for a single
> account, why not tally attempts *from* a single IP?
Hmm, do you think it would be reasonable then to not bother tracking
attempts per-user, only per-remote-machine?
p.s. I apologize for breaking the thread, I'm replying via the mailing
list archive and using Thunderbird ( http://bugs.debian.org/268055 ).
Kevin B. McCarty <email@example.com>
WWW: http://www.princeton.edu/~kmccarty/
GPG public key ID: 4F83C751
Physics Department, Princeton University, Princeton, NJ 08544
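As an added illustration (not the module discussed in the thread), the backoff and tallying policy the message describes: the wait doubles after every wrong password, and the tally is keyed on the remote host the application hands to PAM (PAM_RHOST) rather than on the account, with an optional per-user key; the clock is injected so the logic can be exercised without sleeping, and the 192.0.2.x addresses below are constructed.

```python
"""Per-remote-host exponential backoff for failed logins (added example)."""
import time
from dataclasses import dataclass, field


@dataclass
class Tarpit:
    base_delay: float = 1.0        # seconds waited after the first failure
    max_delay: float = 300.0       # cap so the doubling cannot run away
    forget_after: float = 3600.0   # a host quiet this long is forgiven
    clock: callable = time.time    # injectable for testing
    _failures: dict = field(default_factory=dict)  # key -> (count, last_seen)

    def _key(self, rhost, user=None):
        # The thread's question: tally per remote machine, optionally per user.
        # If the application never set PAM_RHOST, fall back to a fixed bucket
        # so unattributed attempts are still throttled rather than ignored.
        rhost = rhost or "<no PAM_RHOST>"
        return (rhost, user) if user else (rhost,)

    def delay_for(self, rhost, user=None):
        """Seconds to wait before answering the next attempt for this key."""
        count, last = self._failures.get(self._key(rhost, user), (0, 0.0))
        if count == 0 or self.clock() - last > self.forget_after:
            return 0.0
        # 1st failure -> base, 2nd -> 2*base, 3rd -> 4*base, ... up to the cap
        return min(self.base_delay * 2 ** (count - 1), self.max_delay)

    def record(self, rhost, success, user=None):
        """Update the tally after an attempt; return the delay now owed."""
        key = self._key(rhost, user)
        if success:
            self._failures.pop(key, None)   # a good password clears the slate
            return 0.0
        count, last = self._failures.get(key, (0, 0.0))
        now = self.clock()
        if now - last > self.forget_after:
            count = 0                       # stale history, start over
        self._failures[key] = (count + 1, now)
        return self.delay_for(rhost, user)


def demo():
    """Three failures from one host, then success; another host is unaffected."""
    t = Tarpit(clock=lambda: 1000.0)
    delays = [t.record("192.0.2.10", False) for _ in range(3)]
    other = t.delay_for("192.0.2.20")
    t.record("192.0.2.10", True)
    return delays, other, t.delay_for("192.0.2.10")


if __name__ == "__main__":
    print(demo())   # ([1.0, 2.0, 4.0], 0.0, 0.0)
```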