
Re: RFS: libpam-abl - PAM module to blacklist hosts/users with many login failures



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Javier Fernández-Sanguino Peña wrote:

>>The pam_abl module provides a fully configurable way to automatically
>>blacklist users and/or hosts with many login failures within specified
>>intervals of time to be temporarily blacklisted, so that any subsequent
>>authentication attempt fails (without disclosing the attacker being
>>blacklisted). As the number of password guessing attacks on ssh servers
> I don't think it is that useful, for the reasons outlined at
> http://lists.debian.org/debian-security/2004/10/msg00133.html,
> you can end up DoSing your legitimate users.
I agree with you that simply blacklisting users in general is not a
good idea. On the other hand, blacklisting users can be restricted to a
specific list of users, or can be *not* done for a specific list of
users, and the condition intervals and blacklist duration can be
configured separately for every user, which can make sense in
specialized environments.
Last but not least, user blacklisting can be disabled completely in this
PAM module.

> Blacklisting hosts might make sense (on the Internet, not internally),
> blacklisting users doesn't. And, in either case, it makes much more sense to
> just prevent exposure by preventing access to your SSH server by blocking per
> IP address (either with a packet filter or tcp-wrappers), through use of
> knockd, or by doing these _and_ moving the server to a non-standard port so it
> does not get probed at all.
Certainly, you are right. Unfortunately, there are multiple scenarios in
which it is not possible to block access to the ssh server, use
port knocking or even move the ssh server to a non-standard port.
Apart from that, the pam_abl module can be used not only with ssh, but
with any service accessible via the network, with the same or with
different databases and/or configurations. So there might well be other
uses for the module.

Greets, Nico
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)

iD8DBQFDTAweYm+MkvsfJ58RAmpEAJoC9Knd3jEuVFHVoOvNCtTm+FjqZwCgzKTs
Yp07hqWUEsWASZSjov4M7WI=
=Z54P
-----END PGP SIGNATURE-----
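The two behaviours argued about in this exchange (a host or user that fails too often inside a time window gets blacklisted for a while, and a blanket user rule can lock out the legitimate owner of a guessed account unless that user is exempted) can be modelled in a few dozen lines. The following is an added illustration written for this page; it is not pam_abl's own code, and the rule-selector syntax ("*" for everyone, "!alice" for everyone except alice), the function names and the sample events are assumptions made for the example.

```python
"""Sliding-window failure blacklisting, modelled on the pam_abl behaviour
discussed in the thread above. Illustrative code, not pam_abl itself."""
from collections import defaultdict, deque


def selector_matches(selector, subject):
    """Assumed selector syntax for this example (not pam_abl's own):
    "*" matches everyone; "!root,!alice" matches everyone except those
    listed; "bob,carol" matches only those listed."""
    if selector == "*":
        return True
    names = [n.strip() for n in selector.split(",")]
    if all(n.startswith("!") for n in names):
        return subject not in {n[1:] for n in names}
    return subject in set(names)


class FailureTracker:
    """Tracks failures per subject (a host or a user name) and blacklists a
    subject once any matching rule's limit is reached inside its window."""

    def __init__(self, rules, block_seconds):
        self.rules = rules                  # [(selector, max_failures, window_s)]
        self.block_seconds = block_seconds  # how long a blacklist entry lasts
        self.failures = defaultdict(deque)  # subject -> failure timestamps
        self.blocked_until = {}             # subject -> expiry timestamp

    def record_failure(self, subject, now):
        q = self.failures[subject]
        q.append(now)
        for selector, limit, window in self.rules:
            if not selector_matches(selector, subject):
                continue  # rule does not apply to this subject (e.g. "!alice")
            recent = sum(1 for t in q if now - t <= window)
            if recent >= limit:
                self.blocked_until[subject] = now + self.block_seconds
        # forget timestamps older than the longest window any rule uses
        longest = max(w for _, _, w in self.rules)
        while q and now - q[0] > longest:
            q.popleft()

    def is_blocked(self, subject, now):
        until = self.blocked_until.get(subject)
        return until is not None and now < until


def authenticate(hosts, users, host, user, password_ok, now):
    """Return True if the login is allowed. A blacklisted host or user gets
    the same plain False as a wrong password, so the caller cannot tell
    that it was the blacklist rather than the password that rejected it."""
    if hosts.is_blocked(host, now) or users.is_blocked(user, now) or not password_ok:
        hosts.record_failure(host, now)
        users.record_failure(user, now)
        return False
    return True


# Constructed sample events (t_seconds, client_host, user, password_correct):
# ten guesses against "alice" from one attacking host, then alice logging in
# from her own machine, then the attacker finally guessing the right password.
EVENTS = [(60 * i, "203.0.113.7", "alice", False) for i in range(10)] + [
    (700, "198.51.100.5", "alice", True),
    (710, "203.0.113.7", "alice", True),
]


def run_simulation(user_rules):
    """Replay EVENTS with a fixed host rule (10 failures per hour) and the
    given user rules; return the allow/deny outcome of every event."""
    hosts = FailureTracker([("*", 10, 3600)], block_seconds=86400)
    users = FailureTracker(user_rules, block_seconds=86400)
    return [authenticate(hosts, users, h, u, ok, t) for t, h, u, ok in EVENTS]


if __name__ == "__main__":
    # Blanket user rule: alice is locked out of her own account by the attacker.
    print("user_rule=*      ", run_simulation([("*", 10, 3600)]))
    # Exempting alice: only the attacking host is blocked, alice gets in.
    print("user_rule=!alice ", run_simulation([("!alice", 10, 3600)]))
```

With the blanket user rule the eleventh event, alice's genuine login from her own host, is denied, which is exactly the denial-of-service Javier warns about; with alice exempted from user blacklisting, her login succeeds while the attacking host stays blocked (the twelfth event is denied even though the password is now correct).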


