On 23/01/2015 22:52, Rhialto wrote:
On Wed 21 Jan 2015 at 08:11:59 -0500, Christos Zoulas wrote:
As you can see from the patch, the daemon modification is trivial.
Yes, I am planning to add this to more daemons (I think I will do named
next because it is really spammy on my machines), and yes, if there is a
way to do this via PAM that would be even better.
Maybe what the pam_af package is doing can be used?
It can even run a program when blocking a host.
The issue with PAM here is that the command will necessarily run under
the user associated with the service, so this means that this user can
alter fw rules (which is quite problematic when it is not root).
Passing file descriptors has the advantage of avoiding a confused deputy.
The application cannot pass a connection to blacklistd that was not
accept(2)ed beforehand. Unfortunately the PAM API is not helpful here:
pam_handle_t has no field to pass arbitrary data to modules, nor to specify
what they can do with it. Blacklisting can also happen in situations
where PAM is not necessarily involved (anonymous LDAP binds that thrash
slapd, krb TGT bruteforce, slowloris kiddies...).
--
Jean-Yves Migeon
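The descriptor-passing argument above, as an added example that is not code from this thread or from blacklistd itself: the application sends its accept(2)ed socket over a Unix-domain channel with SCM_RIGHTS, and the receiving daemon asks the kernel who the peer is instead of trusting an address claimed in a message. Names (send_fd, recv_fd, peer_of_fd, demo) are the example's own; it assumes POSIX sockets and a working loopback interface.

```c
/* Added example (not from this thread): pass an accept(2)ed socket with SCM_RIGHTS;
 * the receiver gets the peer address from the kernel, not from the sender. */
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <string.h>
#include <unistd.h>
/* Send one descriptor over a Unix-domain channel; returns 0 on success. */
static int send_fd(int chan, int fd) {
    char byte = 0, buf[CMSG_SPACE(sizeof(int))] = { 0 }; struct iovec iov = { &byte, 1 };
    struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1,
                        .msg_control = buf, .msg_controllen = sizeof buf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&m);
    cm->cmsg_level = SOL_SOCKET; cm->cmsg_type = SCM_RIGHTS; cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(chan, &m, 0) == 1 ? 0 : -1;
}
/* Receive one descriptor; returns it, or -1 if no descriptor was attached. */
static int recv_fd(int chan) {
    char byte, buf[CMSG_SPACE(sizeof(int))]; struct iovec iov = { &byte, 1 };
    struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1,
                        .msg_control = buf, .msg_controllen = sizeof buf };
    struct cmsghdr *cm; int fd = -1;
    if (recvmsg(chan, &m, 0) != 1 || !(cm = CMSG_FIRSTHDR(&m))) return -1;
    if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS)
        memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}
/* Daemon-side check: connected stream socket, peer from getpeername(2); 0 if acceptable. */
static int peer_of_fd(int fd, struct sockaddr_storage *p) {
    int t; socklen_t tl = sizeof t, pl = sizeof *p;
    if (getsockopt(fd, SOL_SOCKET, SO_TYPE, &t, &tl) < 0 || t != SOCK_STREAM) return -1;
    return getpeername(fd, (struct sockaddr *)p, &pl);
}
/* Self-test: accept a loopback connection, pass it over a socketpair, verify it;
 * the listening (unconnected) socket must be rejected. Returns 1 on success. */
int demo(void) {
    int sp[2], ls = socket(AF_INET, SOCK_STREAM, 0), cs = socket(AF_INET, SOCK_STREAM, 0);
    int as, rs = -1, ok = 0;
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t al = sizeof a; struct sockaddr_storage p;   /* port 0: kernel picks one */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) < 0) return 0;
    if (bind(ls, (struct sockaddr *)&a, al) || listen(ls, 1) ||
        getsockname(ls, (struct sockaddr *)&a, &al) ||
        connect(cs, (struct sockaddr *)&a, al)) return 0;
    as = accept(ls, NULL, NULL);
    if (send_fd(sp[0], as) == 0 && (rs = recv_fd(sp[1])) >= 0)
        ok = peer_of_fd(rs, &p) == 0 && p.ss_family == AF_INET &&
             peer_of_fd(ls, &p) != 0;
    close(sp[0]); close(sp[1]); close(ls); close(cs); close(as); close(rs);
    return ok;
}
```

The daemon never sees an address string it has to believe; only a socket that was really accepted can yield an AF_INET peer, which is what makes the fw rule decision safe to take at a different privilege than the application's.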