[Extension] utmpx and LOGIN_FAILURE
Alfred Perlstein
alfred at freebsd.org
Sun May 2 04:23:20 UTC 2010
* Ed Schouten <ed at 80386.nl> [100501 06:05] wrote:
> Hi all,
>
> Some time ago I noticed some operating systems offer an interface called
> btmp, which is essentially a wtmp for logging failed login attempts.
> Instead of taking the same approach, I'd rather do something as follows:
>
> http://80386.nl/pub/utmpx-login_failure.diff.txt
>
> This patch adds a new utmpx log entry type called LOGIN_FAILURE.
> Unfortunately we are the only operating system that does it this way,
> but I suspect if we can already get OpenSSH and PAM to use this
> interface, we've got reasonable coverage. The patch only has the
> modifications for OpenSSH.
>
> An example of what this looks like:
>
> | $ last | grep failed
> | sdlfkjdf mekker.80386.nl Sat May 1 14:14 login failed
>
> The idea behind having this, is to make logging of such failed attempts
> more generic and easier to obtain. It would be quite nice if
> applications like DenyHosts can simply harvest this database using
> getutxent(3), instead of using all sorts of regular expressions on the
> log files.
>
> Any thoughts on this subject?
I am obviously not too familiar with this code, but I am worried
that unless done properly we could be vulnerable to DoS or obliterating
records by flooding the logging facility.
I'm also wondering why we're going to diverge from other *nix, is
there added value to diverging from what others do?
--
- Alfred Perlstein
.- AMA, VMOA #5191, 03 vmax, 92 gs500, 85 ch250, 07 zx10
.- FreeBSD committer
More information about the freebsd-arch
mailing list