[Extension] utmpx and LOGIN_FAILURE
M. Warner Losh
imp at bsdimp.com
Sun May 2 08:20:59 UTC 2010
In message: <20100502042314.GV36233 at elvis.mu.org>
Alfred Perlstein <alfred at freebsd.org> writes:
: * Ed Schouten <ed at 80386.nl> [100501 06:05] wrote:
: > Hi all,
: >
: > Some time ago I noticed some operating systems offer an interface called
: > btmp, which is essentially a wtmp for logging failed login attempts.
: > Instead of taking the same approach, I'd rather do something as follows:
: >
: > http://80386.nl/pub/utmpx-login_failure.diff.txt
: >
: > This patch adds a new utmpx log entry type called LOGIN_FAILURE.
: > Unfortunately we are the only operating system that does it this way,
: > but I suspect if we can already get OpenSSH and PAM to use this
: > interface, we've got reasonable coverage. The patch only has the
: > modifications for OpenSSH.
: >
: > An example of what this looks like:
: >
: > | $ last | grep failed
: > | sdlfkjdf mekker.80386.nl Sat May 1 14:14 login failed
: >
: > The idea behind having this, is to make logging of such failed attempts
: > more generic and easier to obtain. It would be quite nice if
: > applications like DenyHosts can simply harvest this database using
: > getutxent(3), instead of using all sorts of regular expressions on the
: > log files.
: >
: > Any thoughts on this subject?
:
: I am obviously not too familiar with this code, but I am worried
: that unless done properly we could be vulnerable to DoS or obliterating
: records by flooding the logging facility.
:
: I'm also wondering why we're going to diverge from other *nix, is
: there added value to diverging from what others do?
Also, we don't want to log usernames that failed to login, I don't
think. Or at least make it optional. Otherwise, you'll get records
like:
sdlfkjdf mekker.80386.nl Sat May 1 14:14 login failed
ed mekker.80386.nl Sat May 1 14:14
which makes it a safe bet that ed's password is sdlfkjdf.
Warner
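The two use cases and the two objections above, worked through as an added example (this is not code from Ed's patch, from FreeBSD, or from DenyHosts). A real consumer would walk getutxent(3) and read ut_type, ut_user, ut_host and ut_tv from struct utmpx; here the records are constructed in memory, modelled on the `last` output quoted in the thread, so the script runs offline. The numeric values of USER_PROCESS and LOGIN_FAILURE are placeholders, since the latter is only proposed. It shows the DenyHosts-style harvest that replaces regexes over syslog, a detector for the mistyped-password-then-login pattern Warner describes, the writer-side redaction that "make it optional" would amount to, and a per-host cap against the flooding Alfred worries about.

```python
"""Harvesting a utmpx-style LOGIN_FAILURE stream (added example)."""
from collections import Counter
from dataclasses import dataclass, replace
from datetime import datetime, timedelta

# Entry types. Placeholder values: only the symbolic names matter here.
USER_PROCESS = 4      # a successful login, as in utmpx(5)
LOGIN_FAILURE = 9     # the type the patch proposes (assumed value)


@dataclass(frozen=True)
class Utmpx:
    """The struct utmpx fields the harvester needs."""
    ut_type: int
    ut_user: str
    ut_host: str
    ut_tv: datetime


# Constructed sample stream: a password typed into the login prompt and
# logged as a "user", the real login right after it, a dictionary run
# from another host, and an honest typo by ed himself later on.
_T = datetime(2010, 5, 1, 14, 14, 0)
KNOWN_USERS = {"root", "ed"}
RECORDS = [
    Utmpx(LOGIN_FAILURE, "sdlfkjdf", "mekker.80386.nl", _T),
    Utmpx(USER_PROCESS, "ed", "mekker.80386.nl", _T + timedelta(seconds=12)),
    Utmpx(LOGIN_FAILURE, "root", "203.0.113.7", _T + timedelta(minutes=1)),
    Utmpx(LOGIN_FAILURE, "root", "203.0.113.7", _T + timedelta(minutes=1, seconds=5)),
    Utmpx(LOGIN_FAILURE, "admin", "203.0.113.7", _T + timedelta(minutes=1, seconds=9)),
    Utmpx(LOGIN_FAILURE, "root", "203.0.113.7", _T + timedelta(minutes=1, seconds=14)),
    Utmpx(LOGIN_FAILURE, "ed", "mekker.80386.nl", _T + timedelta(minutes=20)),
]


def failures_by_host(records, threshold):
    """DenyHosts-style use: hosts with at least `threshold` failures,
    read straight from the records instead of regexes over syslog."""
    counts = Counter(r.ut_host for r in records if r.ut_type == LOGIN_FAILURE)
    return {host: n for host, n in counts.items() if n >= threshold}


def likely_password_leaks(records, known_users, window=timedelta(minutes=5)):
    """Warner's objection as a detector: a LOGIN_FAILURE whose ut_user is
    not an account, followed within `window` by a successful login from
    the same host, makes the failed "username" a good guess for that
    user's password. Returns (leaked_string, user, host) triples."""
    ordered = sorted(records, key=lambda r: r.ut_tv)
    leaks = []
    for i, fail in enumerate(ordered):
        if fail.ut_type != LOGIN_FAILURE or fail.ut_user in known_users:
            continue
        for later in ordered[i + 1:]:
            if later.ut_tv - fail.ut_tv > window:
                break
            if later.ut_type == USER_PROCESS and later.ut_host == fail.ut_host:
                leaks.append((fail.ut_user, later.ut_user, later.ut_host))
                break
    return leaks


def redact_failure(rec, known_users):
    """Writer-side mitigation: record the failure but keep ut_user only
    when it names a real account, so a password typed at the login
    prompt never reaches the database."""
    if rec.ut_type == LOGIN_FAILURE and rec.ut_user not in known_users:
        return replace(rec, ut_user="(invalid)")
    return rec


def throttle_failures(records, max_per_host):
    """Alfred's flooding concern: keep at most `max_per_host` failures
    per host so one noisy source cannot push everything else out of
    the file. Successful logins are always kept."""
    seen = Counter()
    kept = []
    for rec in records:
        if rec.ut_type == LOGIN_FAILURE:
            seen[rec.ut_host] += 1
            if seen[rec.ut_host] > max_per_host:
                continue
        kept.append(rec)
    return kept


if __name__ == "__main__":
    print(failures_by_host(RECORDS, 3))
    print(likely_password_leaks(RECORDS, KNOWN_USERS))
    print(redact_failure(RECORDS[0], KNOWN_USERS).ut_user)
    print(len(throttle_failures(RECORDS, 2)))
```

Note that ed's own later failure is not reported as a leak because "ed" is an account name; the detector only fires on strings that are not usernames, which is exactly the case where the string is likely a password. The redaction does the same test at write time, which is the cheaper place to do it.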