
Re: PAM tarpit module for repeated SSH login attempts

also sprach Kevin B. McCarty <kmccarty@Princeton.EDU> [2004.10.20.0245 +0200]:
> Well, I'm certainly not an expert either, this was my first
> attempt at playing with PAM. 

It's better than what I could have done...

> Even if it isn't really a tarpit, it's a nice way to limit the
> rate of cracking attempts via SSH -- with each incorrect password,
> the attacker has to wait a factor of 2 longer before s/he knows
> whether or not the attempt was successful.  And this should be
> a discouragement to the brute-force attacks we've been seeing
> a lot lately.

True, but as you said yourself too, there is also the risk of a DoS.

For a tarpit, the best thing to do would be simply to drop the
connection without sending a FIN or RST packet. I don't know if PAM
can do this.

Otherwise, just hold the connection open for several minutes and do
nothing. After that time, send a RST or just drop it from the table.

> Yep, this is definitely the plan in the medium future.  One issue
> is that PAM doesn't seem to have a good way to get the remote IP,
> only the remote host (or to be more accurate, the application is
> supposed to tell PAM a remote hostname / IP address, and then PAM
> modules can only obtain whichever of these the application deigned
> to provide).  SSH provides the remote hostname, but maybe this is
> good enough?

How is that obtained? A reverse lookup? AFAICT, this should be
enough for our purposes. Nevertheless, it does make DoS attacks
easier again... for those that have access to their PTR records. The
majority do not, and if they do, they are risking it big time.

> > May I suggest something? Instead of tallying attempts for
> > a single account, why not tally attempts *from* a single IP?
> Hmm, do you think it would be reasonable then to not bother
> tracking attempts per-user, only per-remote-machine?

Well, since you implemented it already, why not make it
configurable? I think per-IP makes more sense. If an IP tries 50
times to guess my root password, I should not only try to stop it,
I should also not be naive and let it try the same thing on other

About the thread, the easiest way to keep the thread is to copy
the Message-Id and References header to the new message, rename
Message-Id to In-Reply-To, and add the contents of the field to the
end of the References field.

Please do not CC me when replying to lists; I read them!
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
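The tally-and-double scheme discussed in the thread, as an added example that is not from the original posts or from Kevin's module: a per-source failure tally in C, keyed per remote host as Martin suggests or per user@host (configurable), with a hard cap on the wait so the DoS cost mentioned above is bounded. The names `tarpit_delay`, `tarpit_reset` and `MAX_DELAY` and the 203.0.113.7 source address in the comments are assumptions made for this example; a PAM module would call `tarpit_delay` from `pam_sm_authenticate` with the host it got from `pam_get_item(pamh, PAM_RHOST, ...)`.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SRC   64    /* tally slots; a real module would persist these to a file */
#define MAX_KEY   320
#define MAX_DELAY 300   /* cap in seconds: bounds what one spoofed source can cost us */

/* One tally entry: the source key and the failures it has accumulated. */
struct tally { char key[MAX_KEY]; unsigned failures; };
static struct tally table[MAX_SRC];
static size_t table_used;
/* Key on the remote host alone (per-IP) or on user@host (per-user). */
static void make_key(char *out, size_t n, const char *user, const char *rhost, int per_user)
{
    if (per_user)
        snprintf(out, n, "%s@%s", user, rhost);
    else
        snprintf(out, n, "%s", rhost);
}

static struct tally *find_or_add(const char *key)
{
    for (size_t i = 0; i < table_used; i++)
        if (strcmp(table[i].key, key) == 0)
            return &table[i];
    if (table_used == MAX_SRC)
        return NULL;                       /* table full: impose no extra delay */
    struct tally *t = &table[table_used++];
    snprintf(t->key, sizeof t->key, "%s", key);
    t->failures = 0;
    return t;
}

/* Record one outcome and return the seconds to wait before answering.
 * Each failure doubles the wait (1, 2, 4, 8, ...) up to MAX_DELAY;
 * a success clears the tally for that source (e.g. constructed host 203.0.113.7). */
unsigned tarpit_delay(const char *user, const char *rhost, int success, int per_user)
{
    char key[MAX_KEY];
    make_key(key, sizeof key, user, rhost, per_user);
    struct tally *t = find_or_add(key);
    if (t == NULL) return 0;
    if (success) { t->failures = 0; return 0; }
    t->failures++;
    unsigned n = t->failures > 16 ? 16 : t->failures;   /* keep the shift in range */
    unsigned d = 1u << (n - 1);
    return d > MAX_DELAY ? MAX_DELAY : d;
}
void tarpit_reset(void) { table_used = 0; }         /* for tests and reloads */
```

The cap limits how long one answer is withheld, but every delayed attempt still occupies an sshd slot, so it should be combined with sshd's own connection limits rather than used alone.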
