On Wed, Oct 20, 2004 at 06:04:29PM +0200, Javier Fernández-Sanguino Peña wrote:
To tarpit remote password/login attempts I think it would be best
if you just tarpitted remote attempts for _invalid_ users which I believe
you are currently not accounting for. Notice that even if there are
also sprach Giacomo Mulas [EMAIL PROTECTED] [2004.10.20.1452 +0200]:
no, but you can obtain the real tarpit(TM) effect, and you don't
have any processes left sleeping. Anyway, it was just a suggestion
I did not mean to criticize anybody's work.
the real tarpit effect actually establishes a
On Thu, 21 Oct 2004, martin f krafft wrote:
the real tarpit effect actually establishes a connection, not just
DROP it. so no, iptables would not give a real tarpit effect.
I *think* there is a patch to netfilter in patch-o-matic which does add
real tarpit support as a target, whereby indeed the
also sprach Kevin B. McCarty [EMAIL PROTECTED] [2004.10.20.0245 +0200]:
Well, I'm certainly not an expert either, this was my first
attempt at playing with PAM.
It's better than what I could have done...
Even if it isn't really a tarpit, it's a nice way to limit the
rate of cracking
On Wed, Oct 20, 2004 at 11:50:07AM +0200, martin f krafft wrote:
For a tarpit, the best thing to do would be simply to drop the
connection without sending a FIN or RST packet. I don't know if PAM
can do this.
Otherwise, just hold the connection open for several minutes and do
nothing. After
On Wed, Oct 20, 2004 at 01:27:36PM +0200, Martin Reising wrote:
On Wed, Oct 20, 2004 at 11:50:07AM +0200, martin f krafft wrote:
For a tarpit, the best thing to do would be simply to drop the
connection without sending a FIN or RST packet. I don't know if PAM
can do this.
Otherwise, just hold the
On Wed, Oct 20, 2004 at 02:30:37PM +0200, Giacomo Mulas wrote:
What about using the tarpit netfilter module (which is in the
patch-o-matic of netfilter) to do the dirty work and have the pam module
simply insert/remove firewalling rules? It sounds more like the *nix way
of doing things, with
On Wed, Oct 20, 2004 at 07:55:00AM -0400, Michael Stone wrote:
Well, it is assumed that running a pam module will have some side effect
aside from returning PAM_SUCCESS or PAM_ERR. The fin/rst stuff isn't
possible, but just holding the connection open can easily be achieved by
running sleep(3) in
On Wed, 20 Oct 2004, Michael Stone wrote:
Inserting and removing firewall rules is simpler than sleeping?
no, but you can obtain the real tarpit(TM) effect, and you don't have any
processes left sleeping. Anyway, it was just a suggestion I did not mean
to criticize anybody's work.
bye
Giacomo
On Wed, Oct 20, 2004 at 02:43:43PM +0200, Martin Reising wrote:
Yes, it looks like an easy solution, but remembering the ip connection
count, to calculate the sleeptime, should be taken inside the application
and not inside the module, IMHO.
You'd then have to implement it in every application
Hi list,
Having tired of seeing attempts to log in as root via SSH in my logs, I
wrote a quick-and-dirty hack to the pam_tally module in order to
implement a tarpit. Here's the code: (License is of course GPL)
http://www.princeton.edu/~kmccarty/downloads/pam_tarpit-0.0.1.tar.gz
This will work
martin f. krafft wrote:
Nice, though it does not look like a tarpit... instead, it just
doesn't respond to requests. A tarpit would start the connection
and hold it instead. Maybe I misunderstand the code, I am not really
a PAM hacker.
Well, I'm certainly not an expert either, this was my