Date: Sun, 02 May 2010 02:15:04 -0600 (MDT)
From: "M. Warner Losh" <imp@bsdimp.com>
To: alfred@freebsd.org
Cc: ed@80386.nl, freebsd-arch@freebsd.org
Subject: Re: [Extension] utmpx and LOGIN_FAILURE
Message-ID: <20100502.021504.821837081304738288.imp@bsdimp.com>
In-Reply-To: <20100502042314.GV36233@elvis.mu.org>
References: <20100501124544.GR56080@hoeg.nl> <20100502042314.GV36233@elvis.mu.org>
In message: <20100502042314.GV36233@elvis.mu.org>
            Alfred Perlstein <alfred@freebsd.org> writes:
: * Ed Schouten <ed@80386.nl> [100501 06:05] wrote:
: > Hi all,
: >
: > Some time ago I noticed some operating systems offer an interface called
: > btmp, which is essentially a wtmp for logging failed login attempts.
: > Instead of taking the same approach, I'd rather do something as follows:
: >
: > http://80386.nl/pub/utmpx-login_failure.diff.txt
: >
: > This patch adds a new utmpx log entry type called LOGIN_FAILURE.
: > Unfortunately we are the only operating system that does it this way,
: > but I suspect if we can already get OpenSSH and PAM to use this
: > interface, we've got reasonable coverage. The patch only has the
: > modifications for OpenSSH.
: >
: > An example of what this looks like:
: >
: > | $ last | grep failed
: > | sdlfkjdf mekker.80386.nl Sat May 1 14:14 login failed
: >
: > The idea behind having this is to make logging of such failed attempts
: > more generic and easier to obtain. It would be quite nice if
: > applications like DenyHosts can simply harvest this database using
: > getutxent(3), instead of using all sorts of regular expressions on the
: > log files.
: >
: > Any thoughts on this subject?
:
: I am obviously not too familiar with this code, but I am worried
: that unless done properly we could be vulnerable to DoS or obliterating
: records by flooding the logging facility.
:
: I'm also wondering why we're going to diverge from other *nix; is
: there added value to diverging from what others do?

Also, we don't want to log usernames that failed to log in, I don't
think. Or at least make it optional. Otherwise, you'll get records
like:

sdlfkjdf mekker.80386.nl Sat May 1 14:14 login failed
ed       mekker.80386.nl Sat May 1 14:14

which makes it a safe bet that ed's password is sdlfkjdf.

Warner
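As an added illustration of the redaction Warner suggests (this is not code from Ed's patch or from FreeBSD): a policy switch for what a login program stores in the user field of a failed-attempt record, assuming a hypothetical REDACTED_USER marker and a constructed account check for offline runs.

```c
#include <stdio.h>
#include <string.h>
#include <pwd.h>

/* Illustration only: a stand-in for the ut_user value a login program
 * would store in a failed-attempt record (LOGIN_FAILURE is not a real
 * utmpx type here; the marker below is a hypothetical choice). */
#define REDACTED_USER "<invalid user>"

enum failed_user_policy {
    FAILED_USER_ALWAYS,      /* what the proposed patch does */
    FAILED_USER_KNOWN_ONLY,  /* keep the name only if an account exists */
    FAILED_USER_NEVER        /* Warner's suggestion: never record it */
};

typedef int (*account_exists_fn)(const char *user);

/* Live check against the password database via getpwnam(3). */
int account_exists_passwd(const char *user) { return getpwnam(user) != NULL; }

/* Constructed check for offline runs: only "ed" and "root" exist. */
int account_exists_sample(const char *user)
{
    return strcmp(user, "ed") == 0 || strcmp(user, "root") == 0;
}

/* A failed "user" that matches no account is most likely a password
 * typed at the login: prompt, so it must not be stored where `last`
 * prints it right above the same host's next successful login. Note
 * that KNOWN_ONLY still confirms which names are real accounts. */
const char *failed_user_for_log(const char *user, enum failed_user_policy pol,
                                account_exists_fn exists)
{
    switch (pol) {
    case FAILED_USER_ALWAYS:     return user;
    case FAILED_USER_KNOWN_ONLY: return exists(user) ? user : REDACTED_USER;
    default:                     return REDACTED_USER;
    }
}

int main(void)
{
    /* The thread's constructed attempt under each policy, live database. */
    const enum failed_user_policy pols[] = { FAILED_USER_ALWAYS,
        FAILED_USER_KNOWN_ONLY, FAILED_USER_NEVER };
    for (int i = 0; i < 3; i++)
        printf("%-14s mekker.80386.nl login failed\n",
               failed_user_for_log("sdlfkjdf", pols[i], account_exists_passwd));
    return 0;
}
```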