On Tue, 11 Feb 2003, Wesley Peters wrote:

> On Monday 10 February 2003 23:59, Dag-Erling Smorgrav wrote:
> 
> Did we somehow break acct(2), or is that somehow inadequate to the task?  It 
> should be ideal for what Julian's customer wants, I would think.  See also 
> acct(5), sa(8) and accton(8).

Acct doesn't give the arguments of the commands

rexec (as pointed out earlier in this thread) does exactly what I want.

e.g.  (sorry about the linewrap)
Feb 11 16:15:00 julian /kernel: restricted execve [init]
Feb 11 16:15:00 julian /kernel: $Id: rexec.c,v 1.2 2002/08/26 13:20:05 dawidek Exp $
Feb 11 16:15:31 julian /kernel: rexec: [/usr/bin/tail] tail -f /var/log/messages (called by csh [95318]) (uid=0, gid=0, euid=0, egid=0)
Feb 11 16:15:58 julian /kernel: rexec: [/bin/ls] ls -laR /usr/local/bin /usr/local/lib (called by tcsh [95319]) (uid=1000, gid=1000, euid=1000, egid=1000)
Feb 11 16:16:09 julian /kernel: rexec: [/usr/bin/vi] vi /etc/passwd (called by tcsh [95320]) (uid=1000, gid=1000, euid=1000, egid=1000)
Feb 11 16:16:48 julian /kernel: rexec: [/usr/bin/su] su (called by tcsh [95321]) (uid=1000, gid=1000, euid=1000, egid=1000)
Feb 11 16:16:50 julian su: julian to root on /dev/ttyp9
Feb 11 16:16:50 julian /kernel: rexec: [/bin/csh] _su (called by su [95321]) (uid=0, gid=0, euid=0, egid=0)
Feb 11 16:16:50 julian /kernel: rexec: [/bin/hostname] hostname -s (called by csh [95322]) (uid=0, gid=0, euid=0, egid=0)
Feb 11 16:16:59 julian /kernel: rexec: [/sbin/kldunload] kldunload rexec (called by csh [95323]) (uid=0, gid=0, euid=0, egid=0)
Feb 11 16:16:59 julian /kernel: restricted execve [unload]


> 
> > > 2/ they want to disable a login if it fails 'n' sequential logins
> > > anywhere in the system. i.e. 2 on one machine followed by another on
> > > another machine.
> >
> > "Yes we can do that" with a smart PAM module.
> 
> VAX/VMS had something known as 'breakin evasion mode' on terminal devices: 
> if more than X login attempts were noted in Y seconds, the system would 
> delay an ever-increasing amount of time before it would issue the next 
> login prompt.

I vaguely remember encountering this on a unix system too..
what they want though is the same thing, over a whole network of
machines..  i.e. the 'N' login attempts don't have to be on the same
machine for the pattern to be noticed. We have this here using RSA
"ACE" tokens, but we needn't go so far as that..
a radius server could keep track of successes and failures..
and pam_radius could hook it into all the apps.


> 
> It would be straightforward to implement this on any authentication server, 
> simply note the 'breakin attempt' and slow responses to the being attacked.  
> I've not looked at any such servers for many years, but Radius certainly 
> seemed simple enough to do this quickly in 1998.

yes.
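An added example, not code from the thread or from the rexec module, showing what the argument logging above buys you over acct(2): it parses lines in the format pasted above and runs three checks over them. The sample lines are constructed to match the quoted format (the su: line is plain syslog, not rexec output). One assumption is labelled in the code: the bracketed number after "called by" is read as the pid of the process issuing the execve, inferred from the su and csh lines that share 95321.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample log modelled on the rexec lines quoted in the post.
SAMPLE_LOG = """\
Feb 11 16:15:31 julian /kernel: rexec: [/usr/bin/tail] tail -f /var/log/messages (called by csh [95318]) (uid=0, gid=0, euid=0, egid=0)
Feb 11 16:15:58 julian /kernel: rexec: [/bin/ls] ls -laR /usr/local/bin /usr/local/lib (called by tcsh [95319]) (uid=1000, gid=1000, euid=1000, egid=1000)
Feb 11 16:16:09 julian /kernel: rexec: [/usr/bin/vi] vi /etc/passwd (called by tcsh [95320]) (uid=1000, gid=1000, euid=1000, egid=1000)
Feb 11 16:16:48 julian /kernel: rexec: [/usr/bin/su] su (called by tcsh [95321]) (uid=1000, gid=1000, euid=1000, egid=1000)
Feb 11 16:16:50 julian su: julian to root on /dev/ttyp9
Feb 11 16:16:50 julian /kernel: rexec: [/bin/csh] _su (called by su [95321]) (uid=0, gid=0, euid=0, egid=0)
Feb 11 16:16:59 julian /kernel: rexec: [/sbin/kldunload] kldunload rexec (called by csh [95323]) (uid=0, gid=0, euid=0, egid=0)
"""

REXEC_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) /kernel: rexec: "
    r"\[(?P<path>[^\]]+)\] (?P<argv>.*?) "
    r"\(called by (?P<parent>\S+) \[(?P<pid>\d+)\]\) "
    r"\(uid=(?P<uid>\d+), gid=(?P<gid>\d+), euid=(?P<euid>\d+), egid=(?P<egid>\d+)\)$"
)


@dataclass
class Exec:
    ts: str
    host: str
    path: str     # resolved image that was executed
    argv: str     # full command line: the part acct(2) does not record
    parent: str   # comm of the process before the execve
    pid: int      # ASSUMPTION: bracketed number is the pid of the exec'ing process
    uid: int
    gid: int
    euid: int
    egid: int


def parse_rexec(text: str) -> List[Exec]:
    """Keep only lines in the rexec format; other syslog lines are skipped."""
    out: List[Exec] = []
    for line in text.splitlines():
        m = REXEC_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        out.append(Exec(d["ts"], d["host"], d["path"], d["argv"], d["parent"],
                        int(d["pid"]), int(d["uid"]), int(d["gid"]),
                        int(d["euid"]), int(d["egid"])))
    return out


def privilege_transitions(execs: List[Exec]) -> List[Tuple[int, int, int, str]]:
    """Same pid execs first as one euid, then as another: a setuid image
    (su in the sample) elevated the process before its next execve."""
    last_euid: Dict[int, int] = {}
    hits = []
    for e in execs:
        prev = last_euid.get(e.pid)
        if prev is not None and prev != e.euid:
            hits.append((e.pid, prev, e.euid, e.path))
        last_euid[e.pid] = e.euid
    return hits


WATCHED = ("/etc/passwd", "/etc/master.passwd", "/etc/spwd.db")


def sensitive_arguments(execs: List[Exec], watched=WATCHED) -> List[Exec]:
    """Command lines naming a watched file. acct(2) would show only 'vi'."""
    return [e for e in execs if any(w in e.argv.split() for w in watched)]


def logger_tamper(execs: List[Exec]) -> List[Exec]:
    """Unloading the module ends the audit trail; that event is itself logged."""
    return [e for e in execs
            if e.path.endswith("kldunload") and "rexec" in e.argv.split()]


if __name__ == "__main__":
    ev = parse_rexec(SAMPLE_LOG)
    print("privilege transitions:", privilege_transitions(ev))
    print("sensitive args:", [(e.path, e.argv, e.euid) for e in sensitive_arguments(ev)])
    print("logger tamper:", [e.argv for e in logger_tamper(ev)])
```

The privilege-transition check is the one acct(2) cannot do either: it needs the pid to be carried across consecutive execs, which the "called by" field supplies. The final check matters because the last line in the pasted log is a root shell unloading the module, so a real deployment would want that event forwarded off-host before the unload completes.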
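An added example, not code from the thread, pam_radius or any RADIUS server, modelling the server-side state the reply above describes: every host reports each attempt to one place, so 'N' sequential failures spread over several machines still disable the account, and a VMS-style breakin-evasion delay grows with the number of failures inside a time window. The class, parameter names and the two-hosts-then-a-third scenario are assumptions made for the example; timestamps are passed in explicitly so it runs offline.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Tuple


@dataclass
class Decision:
    allow: bool    # False once the account has been disabled
    delay: float   # seconds the server should wait before replying


@dataclass
class AccountState:
    consecutive_failures: int = 0                                  # reset by any success
    recent: Deque[Tuple[float, str]] = field(default_factory=deque)  # (time, host) of failures
    disabled: bool = False


class CentralAuthPolicy:
    """Hypothetical per-user policy a RADIUS-style server would apply.
    Because every host's PAM stack reports here, 2 failures on one machine
    followed by 1 on another count as 3 sequential failures."""

    def __init__(self, lockout_after: int = 3, window: float = 60.0,
                 delay_after: int = 2, base_delay: float = 1.0,
                 max_delay: float = 32.0) -> None:
        self.lockout_after = lockout_after   # requirement 2/ in the thread
        self.window = window                 # the "Y seconds" of breakin evasion
        self.delay_after = delay_after       # the "X attempts"
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.accounts: Dict[str, AccountState] = {}

    def report(self, user: str, host: str, success: bool, now: float) -> Decision:
        st = self.accounts.setdefault(user, AccountState())
        # Forget failures that have aged out of the window.
        while st.recent and now - st.recent[0][0] > self.window:
            st.recent.popleft()
        if st.disabled:
            # Deny, and keep denying slowly: the right password no longer helps.
            return Decision(allow=False, delay=self.max_delay)
        if success:
            st.consecutive_failures = 0      # the sequential streak is broken
            return Decision(allow=True, delay=0.0)
        st.consecutive_failures += 1
        st.recent.append((now, host))
        if st.consecutive_failures >= self.lockout_after:
            st.disabled = True
        return Decision(allow=not st.disabled, delay=self._evasion_delay(st))

    def _evasion_delay(self, st: AccountState) -> float:
        """Once more than delay_after failures fall inside the window, double
        the delay for each further one, capped at max_delay."""
        excess = len(st.recent) - self.delay_after
        if excess <= 0:
            return 0.0
        return min(self.base_delay * 2 ** (excess - 1), self.max_delay)

    def hosts_seen(self, user: str) -> Tuple[str, ...]:
        """Which machines the in-window failures came from."""
        st = self.accounts.get(user)
        return tuple(sorted({h for _, h in st.recent})) if st else ()


if __name__ == "__main__":
    p = CentralAuthPolicy(lockout_after=3)
    for t, host in ((0.0, "alpha"), (5.0, "alpha"), (10.0, "beta")):
        print(host, p.report("julian", host, False, t))
    print("hosts:", p.hosts_seen("julian"))
    print("correct password now:", p.report("julian", "alpha", True, 15.0))
```

Two knobs are deliberately separate: the lockout counts consecutive failures with no time limit, because the thread asks for 'n' sequential failures, while the delay counts failures inside the window, which is what the VMS behaviour keyed on. A real server would persist the state and clear the disabled flag only through an administrative path.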
