[RndTbl] Intrusion detection
Gilles Detillieux
grdetil at scrc.umanitoba.ca
Thu May 12 16:02:26 CDT 2005
The denial of service potential is even greater with pam_tally than
with pam_abl. Anyone from anywhere can cause a particular user to be
locked out just by running an attack against that user name. You don't
even need to resort to IP spoofing, because as far as I can tell,
pam_tally doesn't even keep track of IP addresses - it just locks out
usernames that are under attack. Blocking the IP address is a much
saner approach, though yes, the problem of IP spoofing could cause
trouble if dealing with a determined attacker (as opposed to the
automated probing we more commonly see). I believe pam_abl will
blacklist the IP from any service that requires PAM-based
authentication, though it just maintains its own database of IP
addresses and doesn't set up firewall rules to completely block out
access from suspect IPs. I suppose the source could fairly easily be
customized to do that, though.
On Thursday, May 12, 2005, at 15:20 CDT, John Lange wrote:
> Thanks Sean.
>
> Surprising how few tools there are for this purpose.
>
> pam_tally is a start but not really the full solution I was expecting
> to find.
>
> The theory is simply that once you see suspicious activity of any kind
> from an IP then there is a good chance that IP is going to scan for
> other holes as well so you'd want to shut them down early.
>
> Of course any automatic firewall based on attack signatures might then
> be subject to denial of service because of IP spoofing so perhaps that's
> why it isn't more commonplace.
>
> --
> John Lange
> President OpenIT ltd. www.Open-IT.ca (204) 885 0872
> VoIP, Web services, Linux Consulting, Server Co-Location
>
> On Thu, 2005-05-12 at 12:13 -0500, Sean A. Walberg wrote:
>> On Thu, 12 May 2005, Gilles Detillieux wrote:
>>
>>> It mentions pam_abl, which I had happened across just last week, but
>>> haven't tried out yet. It's available here:
>>
>> pam_tally works well to stop brute force attacks against users. It
>> locks accounts out after N attempts, rather than the firewall approach.
>> The benefit, though, is that it's part of the standard RedHat/Fedora
>> install.
>>
>> Sean
--
Gilles R. Detillieux E-mail: <grdetil at scrc.umanitoba.ca>
Spinal Cord Research Centre WWW: http://www.scrc.umanitoba.ca/
Dept. Physiology, U. of Manitoba Winnipeg, MB R3E 3J7 (Canada)
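To make the denial-of-service difference between the two lockout models concrete, here is an added Python simulation (not from the thread, and not code from pam_tally or pam_abl) of a counter keyed by username versus one keyed by source IP, fed with constructed login events; the LockoutPolicy helper, the threshold and the sample addresses are assumptions of mine.

```python
"""Simulate the two lockout policies discussed above on constructed auth events.

username policy: count failures per username, lock the name after N failures.
ip policy:       count failures per source IP, block the IP after N failures.
"""
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: an automated probe from one host hammers "alice",
# then alice herself logs in with the right password from her own workstation.
EVENTS = [
    ("alice", "198.51.100.7", False),
    ("alice", "198.51.100.7", False),
    ("alice", "198.51.100.7", False),
    ("alice", "198.51.100.7", False),
    ("alice", "198.51.100.7", False),
    ("alice", "192.0.2.10", True),   # legitimate login, correct password
]


@dataclass
class LockoutPolicy:
    """Hypothetical helper: a failure counter keyed by username or by source IP."""
    key_index: int          # 0 = key on username, 1 = key on source IP
    threshold: int = 3
    failures: Counter = field(default_factory=Counter)

    def attempt(self, user, ip, password_ok):
        key = (user, ip)[self.key_index]
        if self.failures[key] >= self.threshold:
            return "locked"      # refused before the password is even checked
        if password_ok:
            return "ok"          # real modules may also reset the counter here
        self.failures[key] += 1
        return "denied"


def run(policy, events):
    """Return the outcome of each event under the given policy, in order."""
    return [policy.attempt(*event) for event in events]


if __name__ == "__main__":
    # Keyed on username, the probe locks alice out of her own account;
    # keyed on IP, only the probing host is blocked and alice gets in.
    print("per-username:", run(LockoutPolicy(key_index=0), EVENTS))
    print("per-ip      :", run(LockoutPolicy(key_index=1), EVENTS))
```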