[Extension] utmpx and LOGIN_FAILURE

Alfred Perlstein alfred at freebsd.org
Sun May 2 04:23:20 UTC 2010


* Ed Schouten <ed at 80386.nl> [100501 06:05] wrote:
> Hi all,
> 
> Some time ago I noticed some operating systems offer an interface called
> btmp, which is essentially a wtmp for logging failed login attempts.
> Instead of taking the same approach, I'd rather do something as follows:
> 
> 	http://80386.nl/pub/utmpx-login_failure.diff.txt
> 
> This patch adds a new utmpx log entry type called LOGIN_FAILURE.
> Unfortunately we are the only operating system that does it this way,
> but I suspect if we can already get OpenSSH and PAM to use this
> interface, we've got reasonable coverage. The patch only has the
> modifications for OpenSSH.
> 
> An example of what this looks like:
> 
> | $ last | grep failed
> | sdlfkjdf            mekker.80386.nl        Sat May  1 14:14   login failed
> 
> The idea behind having this, is to make logging of such failed attempts
> more generic and easier to obtain. It would be quite nice if
> applications like DenyHosts can simply harvest this database using
> getutxent(3), instead of using all sorts of regular expressions on the
> log files.
> 
> Any thoughts on this subject?

I am obviously not too familiar with this code, but I am worried
that unless done properly we could be vulnerable to DoS or obliterating
records by flooding the logging facility.

I'm also wondering why we're going to diverge from other *nix, is
there added value to diverging from what others do?




-- 
- Alfred Perlstein
.- AMA, VMOA #5191, 03 vmax, 92 gs500, 85 ch250, 07 zx10
.- FreeBSD committer


More information about the freebsd-arch mailing list