martin f. krafft wrote:
> Nice, though it does not look like a tarpit... instead, it just
> doesn't respond to requests. A tarpit would start the connection
> and hold it instead. Maybe I misunderstand the code, I am not really
> a PAM hacker.

Well, I'm certainly not an expert either, this was my first attempt at playing with PAM. Even if it isn't really a tarpit, it's a nice way to limit the rate of cracking attempts via SSH -- with each incorrect password, the attacker has to wait a factor of 2 longer before s/he knows whether or not the attempt was successful. And this should be a discouragement to the brute-force attacks we've been seeing a lot lately.

> It would be nice to have it actually tarpit multiple attempts from
> the same IP. Once you have implemented this, I would be happy to
> package this for Debian, since it's a really nice tool!

Yep, this is definitely the plan in the medium future. One issue is that PAM doesn't seem to have a good way to get the remote IP, only the remote host (or to be more accurate, the application is supposed to tell PAM a remote hostname / IP address, and then PAM modules can only obtain whichever of these the application deigned to provide). SSH provides the remote hostname, but maybe this is good enough?

> May I suggest something? Instead of tallying attempts for a single
> account, why not tally attempts *from* a single IP?

Hmm, do you think it would be reasonable then to not bother tracking attempts per-user, only per-remote-machine?

p.s. I apologize for breaking the thread, I'm replying via the mailing list archive and using Thunderbird ( http://bugs.debian.org/268055 ).

-- 
Kevin B. McCarty <[EMAIL PROTECTED]>       Physics Department
WWW: http://www.princeton.edu/~kmccarty/   Princeton University
GPG public key ID: 4F83C751                Princeton, NJ 08544
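The two ideas in the exchange above, doubling the wait after each incorrect password and keeping the tally per remote machine rather than per account, can be written down as a small piece of bookkeeping. The following is an added example written for this thread; it is not the module Kevin posted and is not Debian code. It is plain C with no PAM headers so it builds anywhere: a fixed-size table keyed by whatever string the application handed to PAM as the remote host (the `PAM_RHOST` item, which, as noted above, may be a hostname, an address, or unset), a delay of 1 second doubled per recorded failure, and two defensive caps that a real module would want: a ceiling on the delay, so that a flood of bogus attempts cannot make a legitimate login wait for hours, and an expiry, so that old failures stop counting. The table size, the 64-second cap, the one-hour expiry and the `"(unknown)"` key for an unset remote host are all choices made here, not values from the thread. In a real module `record_attempt()` would be called from `pam_sm_authenticate()` with the host obtained via `pam_get_item(pamh, PAM_RHOST, ...)`, and the returned delay would be applied before the result is revealed (Linux-PAM's `pam_fail_delay()` takes the delay in microseconds).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_HOSTS        64     /* constructed: size of the in-memory tally table */
#define HOST_LEN         256
#define BASE_DELAY_SEC   1U
#define MAX_DELAY_SEC    64U    /* cap: a flood must not turn into an hours-long wait for real users */
#define FORGET_AFTER_SEC 3600   /* failures older than this no longer count */

struct tally {
    char     rhost[HOST_LEN];   /* PAM_RHOST as given by the application: name, address or "(unknown)" */
    unsigned failures;          /* consecutive failures still within the expiry window */
    time_t   last_seen;         /* time of the most recent attempt from this host */
};

static struct tally table[MAX_HOSTS];
static size_t       table_len;

/* Forget every tally (used between test runs). */
void reset_tallies(void)
{
    memset(table, 0, sizeof table);
    table_len = 0;
}

/* Find the tally for a remote host, creating one if needed.
 * A NULL rhost (PAM_RHOST not set by the application) shares one "(unknown)" entry. */
static struct tally *tally_for(const char *rhost, time_t now)
{
    const char *key = rhost ? rhost : "(unknown)";
    for (size_t i = 0; i < table_len; i++)
        if (strcmp(table[i].rhost, key) == 0)
            return &table[i];

    struct tally *slot;
    if (table_len < MAX_HOSTS) {
        slot = &table[table_len++];
    } else {
        /* Table full: recycle the entry that has been quiet the longest. */
        slot = &table[0];
        for (size_t i = 1; i < MAX_HOSTS; i++)
            if (table[i].last_seen < slot->last_seen)
                slot = &table[i];
    }
    memset(slot, 0, sizeof *slot);
    strncpy(slot->rhost, key, HOST_LEN - 1);
    slot->last_seen = now;
    return slot;
}

/* Seconds to wait before revealing the outcome: BASE * 2^failures, capped. */
unsigned delay_for_failures(unsigned failures)
{
    if (failures >= 63)                       /* avoid an undefined shift */
        return MAX_DELAY_SEC;
    unsigned long long d = (unsigned long long)BASE_DELAY_SEC << failures;
    return d > MAX_DELAY_SEC ? MAX_DELAY_SEC : (unsigned)d;
}

/* Record one authentication attempt from rhost at time 'now' and return the
 * delay (in seconds) the caller should impose before reporting the result.
 * The delay is computed from the failures seen so far, so the first attempt
 * waits BASE, the next 2*BASE, and so on; a success clears the tally. */
unsigned record_attempt(const char *rhost, int success, time_t now)
{
    struct tally *t = tally_for(rhost, now);
    if (t->failures > 0 && now - t->last_seen > FORGET_AFTER_SEC)
        t->failures = 0;                      /* stale failures have expired */
    unsigned delay = delay_for_failures(t->failures);
    t->last_seen = now;
    if (success)
        t->failures = 0;
    else
        t->failures++;
    return delay;
}

int main(void)
{
    /* Constructed demo: a few failures from one host, then a success. */
    const char *host = "203.0.113.5";         /* documentation address, not a real peer */
    time_t now = time(NULL);
    for (int i = 0; i < 5; i++)
        printf("attempt %d (wrong password): wait %u s\n", i + 1,
               record_attempt(host, 0, now + i));
    printf("attempt 6 (correct password):  wait %u s, tally cleared\n",
           record_attempt(host, 1, now + 5));
    return 0;
}
```

Because the tally is keyed by remote host only, one noisy source slows down nobody else, which is the property the per-IP suggestion above is after; the cap is what keeps the scheme from becoming a lockout of the legitimate user that the same host's attacker is impersonating.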