Re: RFS: libpam-abl - PAM module to blacklist hosts/users with many login failures
On Mon, Oct 10, 2005 at 04:44:13PM +0200, Nicolai Ehemann wrote:
> Hello!
>
> I just (err, over the last 4 or 5 days) created a (hopefully
> standards-compliant) package for the pam_abl PAM module.
>
> The pam_abl module provides a fully configurable way to automatically
> blacklist users and/or hosts with many login failures within specified
> intervals of time to be temporarily blacklisted, so that any subsequent
> authentication attempt fails (without disclosing to the attacker that they are
> blacklisted). As the number of password-guessing attacks on ssh servers
> on the net has strongly grown in the past time, I think this is a useful
> addition to security on hosts exposed to the net.
First off: I did not download or review the code, and in the next lines
I will trespass the border to wild guessing and sheer imagination...
What about a "personalized" DoS? If you have remote users on your
machine that need to log in from the internet and if any of those
remote users has a "common" or, even worse(?), known login, a small botnet
may lead to a DoS for that user. The attacker will just have to use
enough different IPs to create false login attempts for that user to
make you block valid logins from that user himself.
Possibly a bad idea for a company with some road-warriors...
The configuration and use of such a module should be thought over very
thoroughly.
Kind regards
Horst
--
Murphy's Law is recursive. Washing your car to make it rain doesn't work.
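An added example, not code from pam_abl or from anyone in this thread, modelling Horst's scenario with a simplified sliding-window failure counter (the actual pam_abl logic and its configuration syntax are not reproduced; the threshold, window and IP addresses are constructed). It shows that keying the blacklist on the username alone lets failures from many different hosts lock out the legitimate user, while keying on the host, or on the (user, host) pair, does not.

```python
from collections import defaultdict, deque


class FailureTracker:
    """Hypothetical model of a login-failure blacklist keyed on some identity.

    A key is considered blacklisted once it has accumulated `limit` failures
    within the last `window` seconds. This is a simplification for illustration,
    not pam_abl's implementation.
    """

    def __init__(self, limit, window, key_func):
        self.limit = limit
        self.window = window
        self.key_func = key_func          # maps (user, host) -> blacklist key
        self.failures = defaultdict(deque)  # key -> timestamps of failures

    def _prune(self, key, now):
        # Drop failures that have fallen out of the sliding window.
        q = self.failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def record_failure(self, user, host, now):
        key = self.key_func(user, host)
        self._prune(key, now)
        self.failures[key].append(now)

    def is_blocked(self, user, host, now):
        key = self.key_func(user, host)
        self._prune(key, now)
        return len(self.failures[key]) >= self.limit


def lockout_scenario(key_func, attacker_hosts=50, limit=10, window=600):
    """Constructed scenario: `attacker_hosts` distinct addresses each fail once
    for the known login 'alice', then alice tries from her own address.
    Returns True if her legitimate attempt would be refused."""
    tracker = FailureTracker(limit, window, key_func)
    for i in range(attacker_hosts):
        # One failure per host, addresses from the RFC 5737 documentation range.
        tracker.record_failure("alice", f"198.51.100.{i}", now=float(i))
    return tracker.is_blocked("alice", "203.0.113.7", now=float(attacker_hosts))


if __name__ == "__main__":
    print("user-only key blocks alice:", lockout_scenario(lambda u, h: u))
    print("host-only key blocks alice:", lockout_scenario(lambda u, h: h))
    print("(user, host) key blocks alice:", lockout_scenario(lambda u, h: (u, h)))
```

With the user-only key, ten failures from ten unrelated hosts are enough to refuse alice from her own address, which is exactly the "personalized" DoS described above.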