[RndTbl] Intrusion detection

Gilles Detillieux grdetil at scrc.umanitoba.ca
Thu May 12 16:02:26 CDT 2005

The denial of service potential is even greater with pam_tally than 
with pam_abl.  Anyone from anywhere can cause a particular user to be 
locked out just by running an attack against that user name.  You don't 
even need to resort to IP spoofing, because as far as I can tell, 
pam_tally doesn't even keep track of IP addresses - it just locks out 
usernames that are under attack.  Blocking the IP address is a much 
saner approach, though yes, the problem of IP spoofing could cause 
trouble if dealing with a determined attacker (as opposed to the 
automated probing we more commonly see).  I believe pam_abl will 
blacklist the IP from any service that requires PAM-based 
authentication, though it just maintains its own database of IP 
addresses and doesn't set up firewall rules to completely block out 
access from suspect IPs.  I suppose the source could fairly easily be 
customized to do that, though.

On Thursday, May 12, 2005, at 15:20 CDT, John Lange wrote:
> Thanks Sean.
> Surprising how few tools there are for this purpose.
> pam_tally is a start but not really the full solution I was expecting 
> to
> find.
> The theory is simply that once you see suspicious activity of any kind
> from an IP then there is a good chance that IP is going to scan for
> other holes as well so you'd want to shut them down early.
> Of course any automatic firewall based on attack signatures might then
> be subject to denial of service because of IP spoofing so perhaps thats
> why it isn't more common place.
> -- 
> John Lange
> President OpenIT ltd. www.Open-IT.ca (204) 885 0872
> VoIP, Web services, Linux Consulting, Server Co-Location
> On Thu, 2005-05-12 at 12:13 -0500, Sean A. Walberg wrote:
>> On Thu, 12 May 2005, Gilles Detillieux wrote:
>>> It mentions pam_abl, which I had happened across just last week, but
>>> haven't tried out yet.  It's available here:
>> pam_tally works well to stop brute force attacks against users.  It 
>> locks
>> accounts out after N attempts, rather than the firewall approach.  The
>> benefit, though, is that it's part of the standard RedHat/Fedora 
>> install.
>> Sean

Gilles R. Detillieux              E-mail: <grdetil at scrc.umanitoba.ca>
Spinal Cord Research Centre       WWW:    http://www.scrc.umanitoba.ca/
Dept. Physiology, U. of Manitoba  Winnipeg, MB  R3E 3J7  (Canada)

More information about the Roundtable mailing list