
Bug#333081: libpam-abl ITP (update)



OK.  Note the debug output for pam_abl on my amd64 system:

  DEBUG: /etc/security/pam_abl.conf: host_db=/var/lib/libpam-abl/hosts.db
  DEBUG: /etc/security/pam_abl.conf: host_purge=2d
  DEBUG: /etc/security/pam_abl.conf: host_rule=*:10/1h,30/1d
  DEBUG: /etc/security/pam_abl.conf: user_db=/var/lib/libpam-abl/users.db
  DEBUG: /etc/security/pam_abl.conf: user_purge=2d
  DEBUG: /etc/security/pam_abl.conf: user_rule=!root:10/1h,30/1d
  Failed users:
      admin (1)
  DEBUG: matchperiod(0x50a380, 1, '10/1h,30/1d')
  DEBUG: count is 10, **rp='/'
  DEBUG: period is 3600, **rp=','
  DEBUG: Checking 10/3600
  DEBUG: howmany(3600) = 0
  DEBUG: matchperiod(0x50a380, 1, '30/1d')
  DEBUG: count is 30, **rp='/'
  DEBUG: period is 86400, **rp=''
  DEBUG: Checking 30/86400
  DEBUG: howmany(86400) = 0
	  Not blocking
      root (34)
  DEBUG: matchperiod(0x50a400, 34, '10/1h,30/1d')
  DEBUG: count is 10, **rp='/'
  DEBUG: period is 3600, **rp=','
  DEBUG: Checking 10/3600
  DEBUG: howmany(3600) = 0
  DEBUG: matchperiod(0x50a400, 34, '30/1d')
  DEBUG: count is 30, **rp='/'
  DEBUG: period is 86400, **rp=''
  DEBUG: Checking 30/86400
  DEBUG: howmany(86400) = 0
	  Not blocking
  Failed hosts:
      221.0.185.126 (35)
  DEBUG: matchperiod(0x50a380, 35, '10/1h,30/1d')
  DEBUG: count is 10, **rp='/'
  DEBUG: period is 3600, **rp=','
  DEBUG: Checking 10/3600
  DEBUG: howmany(3600) = 0
  DEBUG: matchperiod(0x50a380, 35, '30/1d')
  DEBUG: count is 30, **rp='/'
  DEBUG: period is 86400, **rp=''
  DEBUG: Checking 30/86400
  DEBUG: howmany(86400) = 0
	  Not blocking

So, it looks like host 221.0.185.126 attempted to break in with 35
attempts, one to admin and 34 to root.  My limits are actually quite
high given the attack pattern.  It's possible that this host spaced
the attack out over a few days.  I'll have to check the auth logs to
verify.  Note, though, that "admin" was accounted for, even though it
doesn't exist on the system.

  $ id admin
  id: admin: No such user

My sshd_config file has "UsePAM yes" in the last stack, but doesn't
have any AllowedUsers or AllowedGroups specified and
"PasswordAuthentication no" is set.

My pam stack for ssh is:

  # Standard Un*x authentication.
  auth    required        pam_abl.so config=/etc/security/pam_abl.conf
  @include common-auth

(Oh, and I take it back.  I actually did write up a manpage for the
command-line utility, transliterating it from the HTML page provided
by upstream.  I hadn't gotten to the point of making the pam_abl.so.5
page.)

As far as purging is concerned, a cron job can be created to perform
the purge on a daily or sub-daily basis.  Autopurge isn't necessarily
needed.  For performance reasons, I wouldn't care to have it do so
anyway.  A unix-socket daemon that accepts events from the pam_abl.so
module might be a good way to add this functionality without incurring
a performance/latency hit during authentication.

-- 
Chad Walstrom <chewie@wookimus.net>           http://www.wookimus.net/
           assert(expired(knowledge)); /* core dump */
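Added illustration, not pam_abl's own code: a small Python model of the rule syntax the debug output walks through (`*:10/1h,30/1d`, `!root:10/1h,30/1d`), showing why 34 failures spread over days stay under both windows while a short burst trips `10/1h`. Assumptions: one name or `*` per rule, `!` excludes that name, and a window trips once the number of failures inside it reaches the rule's count.

```python
"""Model of pam_abl-style 'name:count/period,...' rules (added example, assumptions above)."""
from typing import List, Tuple

# 1h -> 3600 and 1d -> 86400, matching the periods printed in the debug output.
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_period(text: str) -> int:
    """'1h' -> 3600, '2d' -> 172800; bare digits are taken as seconds."""
    if text[-1] in UNITS:
        return int(text[:-1]) * UNITS[text[-1]]
    return int(text)


def parse_rule(rule: str) -> Tuple[str, bool, List[Tuple[int, int]]]:
    """'!root:10/1h,30/1d' -> ('root', True, [(10, 3600), (30, 86400)])."""
    subject, _, limits = rule.partition(":")
    negated = subject.startswith("!")           # assumption: '!' excludes the name
    windows = []
    for item in limits.split(","):
        count, _, period = item.partition("/")
        windows.append((int(count), parse_period(period)))
    return subject.lstrip("!"), negated, windows


def rule_applies(rule: str, subject: str) -> bool:
    name, negated, _ = parse_rule(rule)
    matched = name == "*" or name == subject
    return not matched if negated else matched


def howmany(failures: List[int], now: int, period: int) -> int:
    """Failures whose timestamp lies within the last `period` seconds (cf. howmany(3600))."""
    return sum(1 for t in failures if now - period < t <= now)


def should_block(rule: str, subject: str, failures: List[int], now: int) -> bool:
    if not rule_applies(rule, subject):
        return False
    _, _, windows = parse_rule(rule)
    return any(howmany(failures, now, period) >= count for count, period in windows)


# Constructed sample: 34 failures spread evenly over five days, so no hour
# holds 10 and no day holds 30 -> "Not blocking", like the log in the mail.
NOW = 1_000_000
SPREAD = [NOW - i * (5 * 86400 // 34) for i in range(34)]
# Constructed sample: 12 failures within ten minutes trips the 10/1h window.
BURST = [NOW - i * 50 for i in range(12)]

if __name__ == "__main__":
    print(should_block("*:10/1h,30/1d", "221.0.185.126", SPREAD, NOW))  # False
    print(should_block("*:10/1h,30/1d", "221.0.185.126", BURST, NOW))   # True
```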