Date:      Sun, 02 May 2010 02:15:04 -0600 (MDT)
From:      "M. Warner Losh" <imp@bsdimp.com>
To:        alfred@freebsd.org
Cc:        ed@80386.nl, freebsd-arch@freebsd.org
Subject:   Re: [Extension] utmpx and LOGIN_FAILURE
Message-ID:  <20100502.021504.821837081304738288.imp@bsdimp.com>
In-Reply-To: <20100502042314.GV36233@elvis.mu.org>
References:  <20100501124544.GR56080@hoeg.nl> <20100502042314.GV36233@elvis.mu.org>

In message: <20100502042314.GV36233@elvis.mu.org>
            Alfred Perlstein <alfred@freebsd.org> writes:
: * Ed Schouten <ed@80386.nl> [100501 06:05] wrote:
: > Hi all,
: > 
: > Some time ago I noticed some operating systems offer an interface called
: > btmp, which is essentially a wtmp for logging failed login attempts.
: > Instead of taking the same approach, I'd rather do something as follows:
: > 
: > 	http://80386.nl/pub/utmpx-login_failure.diff.txt
: > 
: > This patch adds a new utmpx log entry type called LOGIN_FAILURE.
: > Unfortunately we are the only operating system that does it this way,
: > but I suspect if we can already get OpenSSH and PAM to use this
: > interface, we've got reasonable coverage. The patch only has the
: > modifications for OpenSSH.
: > 
: > An example of what this looks like:
: > 
: > | $ last | grep failed
: > | sdlfkjdf            mekker.80386.nl        Sat May  1 14:14   login failed
: > 
: > The idea behind having this, is to make logging of such failed attempts
: > more generic and easier to obtain. It would be quite nice if
: > applications like DenyHosts can simply harvest this database using
: > getutxent(3), instead of using all sorts of regular expressions on the
: > log files.
: > 
: > Any thoughts on this subject?
: 
: I am obviously not too familiar with this code, but I am worried
: that unless done properly we could be vulnerable to DoS or obliterating
: records by flooding the logging facility.
: 
: I'm also wondering why we're going to diverge from other *nix, is
: there added value to diverging from what others do?

Also, we don't want to log usernames that failed to log in, I don't
think.  Or at least make it optional.  Otherwise, you'll get records
like:

sdlfkjdf            mekker.80386.nl        Sat May  1 14:14   login failed
ed                  mekker.80386.nl        Sat May  1 14:14

which makes it a safe bet that ed's password is sdlfkjdf.

Warner
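The concern Warner raises and the use case Ed describes fit together in a small piece of code: a consumer such as DenyHosts only needs the source host and timestamp of a LOGIN_FAILURE record, so the attempted username can be dropped before the record ever reaches the database. The program below is an added illustration, not code from Ed's patch or from FreeBSD's utmpx implementation. Standard utmpx has no LOGIN_FAILURE type, so the record layout, the enum values and the 203.0.113.7 entries are constructed for this example; the first two sample records are modelled on the `last` output quoted above.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Constructed record layout for this example only. POSIX utmpx defines no
 * LOGIN_FAILURE type; the values here are placeholders, not those used by
 * the patch in Ed's mail. */
enum rec_type { REC_USER_PROCESS = 1, REC_LOGIN_FAILURE = 2 };

struct login_rec {
    enum rec_type type;
    char user[32];
    char host[64];
    time_t when;
};

/* For a failed attempt, the "user" string may actually be a password that
 * was typed at the login prompt by mistake. Writing it verbatim into a
 * world-readable database leaks it, and pairing it with the next
 * successful entry from the same host tells a reader whose password it
 * is. Record the real name for successes and a fixed marker for failures. */
const char *recordable_user(const struct login_rec *r)
{
    return r->type == REC_LOGIN_FAILURE ? "(redacted)" : r->user;
}

/* Copy of a record that is safe to append to the log. */
struct login_rec sanitize(const struct login_rec *in)
{
    struct login_rec out = *in;
    snprintf(out.user, sizeof out.user, "%s", recordable_user(in));
    return out;
}

/* DenyHosts-style harvesting: number of LOGIN_FAILURE entries from `host`
 * within `window` seconds before `now`. The username plays no part, which
 * is why redacting it costs this kind of consumer nothing. */
int failures_from_host(const struct login_rec *recs, size_t n,
                       const char *host, time_t now, time_t window)
{
    int count = 0;
    for (size_t i = 0; i < n; i++) {
        if (recs[i].type == REC_LOGIN_FAILURE
            && strcmp(recs[i].host, host) == 0
            && now - recs[i].when <= window)
            count++;
    }
    return count;
}

/* Constructed sample: a mistyped-password failure followed by ed's real
 * login from the same host, then a burst of failures from another host. */
static const struct login_rec sample[] = {
    { REC_LOGIN_FAILURE, "sdlfkjdf", "mekker.80386.nl", 1000 },
    { REC_USER_PROCESS,  "ed",       "mekker.80386.nl", 1010 },
    { REC_LOGIN_FAILURE, "root",     "203.0.113.7",     1500 },
    { REC_LOGIN_FAILURE, "admin",    "203.0.113.7",     1501 },
    { REC_LOGIN_FAILURE, "test",     "203.0.113.7",     1502 },
};
#define NSAMPLE (sizeof sample / sizeof sample[0])

/* Returns 1 if no failure record in the sanitized copy still carries the
 * string that was typed at the prompt, 0 otherwise. */
int sanitized_log_leaks_nothing(void)
{
    for (size_t i = 0; i < NSAMPLE; i++) {
        struct login_rec s = sanitize(&sample[i]);
        if (s.type == REC_LOGIN_FAILURE && strcmp(s.user, sample[i].user) == 0)
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Print the sanitized records in a layout similar to last(1). */
    for (size_t i = 0; i < NSAMPLE; i++) {
        struct login_rec s = sanitize(&sample[i]);
        printf("%-12s %-20s %s\n", s.user, s.host,
               s.type == REC_LOGIN_FAILURE ? "login failed" : "");
    }
    printf("failures from 203.0.113.7 in the last 600s: %d\n",
           failures_from_host(sample, NSAMPLE, "203.0.113.7", 1600, 600));
    return 0;
}
```

Alfred's flooding concern is a separate problem that this does not address: a per-host counter like `failures_from_host` still depends on the records surviving, so a writer that appends one entry per attempt needs some bound on how fast a single source can grow the file.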



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20100502.021504.821837081304738288.imp>