pam_tally with sshd: ssh password-based failures not tally'd

George Hansper george-lists at anstat.com.au
Mon Jan 10 00:31:39 UTC 2005


Hello Andy,

I've downloaded and compiled the pam_abl package.

Basically, it seems to work quite well. I did notice the following:

a) It requires the /etc/ssh/sshd_config setting:
	UsePAM yes
	ChallengeResponseAuthentication no
    for openssh-server 3.9p1-7 (Fedora Core 3/Mandrake 10.1)

b) sshd normally allows 3 tries before kicking the user out of the
    password dialog. This registers as 1 user failure and 1 host failure
    for pam_abl.

    Changing the /etc/ssh/sshd_config setting:
	MaxAuthTries 1
    limits the user to 1 try per TCP connection, and brings pam_abl into
    line with real attempts.

    This works for Fedora Core 3 (openssh-server 3.9p1-7)

    For Mandrake 10.1, 'MaxAuthTries N' allows 'N+1' tries, and never allows more
    than 3 tries anyway. 'MaxAuthTries 1' kicks you out before you start!
    I'm reluctant to set 'MaxAuthTries 0', even though this works. I thought
    I had Mandrake allowing "N-1" tries, too, though I can't reproduce it for now.

    For Red Hat ES3/WS3 using openssh-server-3.6.1p2, the option MaxAuthTries
    does not exist, and we are stuck with the 3:1 ratio of real:measured
    failures.

c) Once a user or host has been locked, there does not seem to be any
    way to unlock the account manually, before the 'purge' time has elapsed.

    The locking appears to apply to a particular host, so I don't think this
    would arise except during testing. Once a host has exceeded its failed-login
    limit, I would be reluctant to unlock it at a user's request.

    "user locking" appears to be "user-host locking", in that it is not the
    user's account which gets locked, but a particular user-host combination.

d) It would be useful if the pam_abl command, in addition to the list of
    failed attempts, would give a clear indication of which hosts and user-hosts
    are currently black-listed.

e) It might be better if the 'pam_abl -v' command also showed the hostname/ip
    for each failed user-attempt.

    e.g.:
	Failed users:
	    george (3)
	        Mon Jan 10 11:22:49 2005  localhost
	        Mon Jan 10 11:22:35 2005  www.example.net
	        Mon Jan 10 11:22:31 2005  localhost

    Similar could be applied to "Failed hosts" output, which could
    show the username for each attempt.

	Failed hosts:
	    localhost (1)
	        Mon Jan 10 11:17:14 2005  george

    Is there a place for "user-only locking"? Perhaps for a distributed attack on
    a particular user?

f) The pam_abl command REQUIRES the default-config to be specified, i.e.:
	pam_abl /etc/security/pam_abl.conf
    works, while
	pam_abl
    fails. This gets annoying pretty quickly.

g) The "host" field printed by pam_abl seems to be recorded as an
    IP address, even though hostnames are printed. It would be nice
    to have the choice of hostname/IP address for the output.

In its current form pam_abl is already useful. I am looking forward to
seeing future enhancements, and I hope it will be included in the
"standard" Linux-pam package in the near future.

Regards,
	George Hansper

Andy Armstrong wrote:
> George Hansper wrote:
> 
>> Hi,
>>
>> I've been looking at pam_tally as a means of discouraging "brute force"
>> ssh attacks. I have noticed, like Adam Monsen in a previous e-mail:
>>
>>    http://www.redhat.com/archives/pam-list/2004-October/msg00047.html
>>
>> that once the maximum password failures has been exceeded,
>> SSH/PAM still give a clear indication of when you've cracked the right 
>> password.
> 
> 
> I don't know if it helps but pam_abl[1] produces the same response for 
> blacklisted hosts/users whether or not they supply the correct 
> credentials. It also disables logins based on the originating host 
> rather than the user so accounts that are under attack typically remain 
> usable by their legitimate owner.
> 
> [1] http://www.hexten.net/sw/pam_abl/index.mhtml
> 
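The following is an added example, not code from the post or from the pam_abl project. It illustrates two of the points above from the defender's side: it checks an sshd_config fragment for the three directives George needed (UsePAM, ChallengeResponseAuthentication, MaxAuthTries, honouring sshd's first-value-wins rule), and it tallies sshd "Failed password" log lines per host, per user and per user-host combination, rendering them in the report shape proposed in point e) where every attempt shows its peer. Because sshd writes one log line per password try, a tally built from the log counts real attempts independently of MaxAuthTries, which is one way to see the 3:1 discrepancy described in point b). The log lines, the sshd_config fragment and the hostname map (standing in for reverse DNS, point g) are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the sshd/syslog "Failed password" format, not
# taken from the original post. sshd logs one line per password try.
SAMPLE_LOG = """\
Jan 10 11:17:14 gw sshd[2001]: Failed password for george from 127.0.0.1 port 40001 ssh2
Jan 10 11:22:31 gw sshd[2002]: Failed password for george from 127.0.0.1 port 40002 ssh2
Jan 10 11:22:35 gw sshd[2003]: Failed password for george from 192.0.2.7 port 40003 ssh2
Jan 10 11:22:49 gw sshd[2004]: Failed password for george from 127.0.0.1 port 40004 ssh2
Jan 10 11:23:02 gw sshd[2005]: Failed password for invalid user admin from 192.0.2.7 port 40005 ssh2
Jan 10 11:23:10 gw sshd[2006]: Accepted password for george from 10.0.0.5 port 40006 ssh2
"""

# Constructed sshd_config fragment used to exercise check_sshd_config().
SAMPLE_SSHD_CONFIG = """\
# comment line
UsePAM yes
ChallengeResponseAuthentication no
MaxAuthTries 1
MaxAuthTries 6   # sshd keeps the first value of a directive, so this one is ignored
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<host>\S+) port \d+"
)

# Hypothetical hostname map standing in for reverse DNS lookups.
HOSTNAMES = {"127.0.0.1": "localhost", "192.0.2.7": "www.example.net"}


def parse_failures(log_text):
    """Return (timestamp, user, host) for each failed-password line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append((m.group("ts"), m.group("user"), m.group("host")))
    return events


def tally(events):
    """Group failures three ways: per user, per host, and per (user, host) pair."""
    t = {"user": defaultdict(list), "host": defaultdict(list), "user_host": defaultdict(list)}
    for ts, user, host in events:
        t["user"][user].append((ts, host))
        t["host"][host].append((ts, user))
        t["user_host"][(user, host)].append(ts)
    return t


def blacklisted(t, host_limit=3, user_limit=3):
    """Hosts and user-host pairs at or over the failure limits (user locking is per user-host)."""
    hosts = sorted(h for h, v in t["host"].items() if len(v) >= host_limit)
    user_hosts = sorted(k for k, v in t["user_host"].items() if len(v) >= user_limit)
    return hosts, user_hosts


def label(host, show_names):
    """Print a hostname when one is known, otherwise the address."""
    return HOSTNAMES.get(host, host) if show_names else host


def render(t, show_names=True):
    """Report in the shape the post proposes: each attempt lists its peer."""
    out = ["Failed users:"]
    for user, attempts in sorted(t["user"].items()):
        out.append(f"    {user} ({len(attempts)})")
        out.extend(f"        {ts}  {label(host, show_names)}" for ts, host in attempts)
    out.append("Failed hosts:")
    for host, attempts in sorted(t["host"].items()):
        out.append(f"    {label(host, show_names)} ({len(attempts)})")
        out.extend(f"        {ts}  {user}" for ts, user in attempts)
    return "\n".join(out)


def check_sshd_config(text):
    """Effective values of the directives the post says pam_abl needs; first value wins."""
    wanted = {"usepam": None, "challengeresponseauthentication": None, "maxauthtries": None}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].strip().split(None, 1)
        if len(parts) == 2:
            key = parts[0].lower()
            if key in wanted and wanted[key] is None:
                wanted[key] = parts[1].strip()
    return wanted


if __name__ == "__main__":
    t = tally(parse_failures(SAMPLE_LOG))
    print(render(t))
    print("Blacklisted:", blacklisted(t))
    print("sshd_config:", check_sshd_config(SAMPLE_SSHD_CONFIG))
```

With the constructed input, localhost reaches the host limit of 3 and the george/localhost pair reaches the user-host limit, while george's single failure from www.example.net leaves that pair (and the account as a whole) unaffected, which is the "user-host locking" behaviour described in point c).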