stass / pam_af
Anti-bruteforce PAM module
Home Page: http://mbsd.msk.ru/stas/pam_af.html
I was attempting to periodically unlock old blocks and restore locks on startup using the following crontab entries:
*/5 * * * * root /usr/local/sbin/pam_af_tool unlock > /dev/null 2>&1
@reboot root /usr/local/sbin/pam_af_tool lock
Unfortunately, sometimes it will hang in the resolver and, I think, block the db, thus blocking further invocations. For some reason it will also eat 100% of CPU and hang like that forever.
Maybe host stats should include the IP address to avoid using the resolver for the above operations (in addition to fixing whatever causes it to hang)?
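One way to keep a single hung invocation from piling up further cron runs (and from pegging the CPU indefinitely) is to run the job under a lock and a time bound. The script below is an added example, not part of pam_af or of the report above; the script path, lock directory, the LOCKDIR/TIMEOUT knobs and the crontab lines that use them are assumptions. It serialises runs with an atomic mkdir lock and kills the job after a deadline, which bounds the damage of the hang but does not fix its cause.

```sh
#!/bin/sh
# Added example (not pam_af's own code): run a cron job under a lock and a
# time bound so one hung invocation cannot block or duplicate later ones.
# Assumed knobs: LOCKDIR (lock directory) and TIMEOUT (seconds).

# run_bounded CMD [ARGS...]
#   returns 75 (EX_TEMPFAIL) when another instance already holds the lock,
#   otherwise CMD's exit status (128+15 = 143 if the watchdog had to kill it).
run_bounded() {
    lockdir=${LOCKDIR:-/tmp/pam_af_tool.lock}
    timeout=${TIMEOUT:-60}

    # mkdir is atomic, so it is a portable lock with no flock(1)/lockf(1)
    # dependency; a second cron run simply skips while the first is alive.
    if ! mkdir "$lockdir" 2>/dev/null; then
        echo "run_bounded: $lockdir held, skipping: $*" >&2
        return 75
    fi

    "$@" &
    child=$!

    # Watchdog: if the job is still running after $timeout seconds (e.g. stuck
    # in the resolver), terminate it so the lock is released and cron can retry.
    (sleep "$timeout"; kill "$child" 2>/dev/null) &
    watchdog=$!

    rc=0
    wait "$child" || rc=$?
    kill "$watchdog" 2>/dev/null || true
    rmdir "$lockdir"
    return "$rc"
}

# When executed as a script with arguments, run them as the bounded job.
# Assumed crontab use (paths hypothetical except pam_af_tool's from the report);
# the @reboot line clears a lock left behind by an unclean shutdown first:
#   */5 * * * * root /usr/local/sbin/run_bounded.sh /usr/local/sbin/pam_af_tool unlock
#   @reboot     root rmdir /tmp/pam_af_tool.lock 2>/dev/null; /usr/local/sbin/run_bounded.sh /usr/local/sbin/pam_af_tool lock
if [ "$#" -gt 0 ]; then
    run_bounded "$@"
fi
```

A job killed by the watchdog exits 143, which shows up in cron mail and syslog as a signal that the underlying hang is still happening; the lock directory must live on a filesystem that is cleaned at boot or be removed by the @reboot entry, otherwise a crash leaves a stale lock and every later run is skipped.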
It should be noted in the documentation that it doesn't work with sshd as one would expect.
OpenSSH will not invoke PAM if a user does not exist, see openssh-portable/1215. Also it won't be invoked for disallowed and password-less authentication schemes.
An option could be added to sshd to invoke pam_authenticate with invalid/empty password in case of earlier failure.
When compiled with the default flags on FreeBSD (-O2), it will crash while unlocking this list: https://gist.github.com/1378993.
# env LD_PRELOAD=/home/obj/usr/src/lib/libc/libc.so.7 pam_af_tool/pam_af_tool unlock
Segmentation fault (core dumped)
# gdb73.1 pam_af_tool/pam_af_tool pam_af_tool.core
GNU gdb (GDB) 7.3.1 [GDB v7.3.1 for FreeBSD]
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i386-portbld-freebsd8.2".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/pub/freebsd/ports.build/ghost/usr/ports/security/pam_af/work/pam_af-1.0.2/pam_af_tool/pam_af_tool...done.
[New process 100106]
Core was generated by `pam_af_tool'.
Program terminated with signal 11, Segmentation fault.
#0 0x281107c6 in arena_run_reg_dalloc (run=0x2822b000, bin=0x804dc00, ptr=0x2822b050, size=0) at /usr/src/lib/libc/stdlib/malloc.c:2544
2544 run->regs_mask[elm] |= (1U << bit);
(gdb) bt full
#0 0x281107c6 in arena_run_reg_dalloc (run=0x2822b000, bin=0x804dc00, ptr=0x2822b050, size=0) at /usr/src/lib/libc/stdlib/malloc.c:2544
diff = 4160431152
regind = 4160431152
elm = 130013473
bit = 16
log2_table = "\000\001\000\002\000\000\000\003\000\000\000\000\000\000\000\004", '\000' <repeats 15 times>, "\005", '\000' <repeats 31 times>, "\006", '\000' <repeats 63 times>, "\a"
qsize_invs = {43691, 32769, 26215, 21846, 18725}
csize_invs = {10923, 8193, 6554, 5462, 4682}
ssize_invs = {2731, 2049, 1639, 1366, 1171, 1025, 911, 820, 745, 683, 631, 586, 547}
#1 0x28110486 in arena_dalloc_small (arena=0x804dbf0, chunk=0x28200000, ptr=0x2822b050, mapelm=0x28200214) at /usr/src/lib/libc/stdlib/malloc.c:3625
run = 0x2822b000
bin = 0x804dc00
size = 0
#2 0x28111351 in arena_dalloc (arena=0x804dbf0, chunk=0x28200000, ptr=0x2822b050) at /usr/src/lib/libc/stdlib/malloc.c:3872
pageind = 43
mapelm = 0x28200214
#3 0x28111207 in idalloc (ptr=0x2822b050) at /usr/src/lib/libc/stdlib/malloc.c:3890
chunk = 0x28200000
#4 0x28114065 in free (ptr=0x2822b050) at /usr/src/lib/libc/stdlib/malloc.c:5479
No locals.
#5 0x0804ac27 in handle_unlock (argc=1, argv=0xbfbfe9a0) at ./pam_af_tool/pam_af_tool.c:1170
host = 0x0
flags = 0
ret = <optimized out>
ch = <optimized out>
hosts = 0x2822b058
hosts0 = 0x2822b050
hstp = <optimized out>
#6 0x0804b2da in main (argc=1, argv=0xbfbfe99c) at ./pam_af_tool/pam_af_tool.c:170
No locals.
(gdb) up 5
#5 0x0804ac27 in handle_unlock (argc=1, argv=0xbfbfe9a0) at ./pam_af_tool/pam_af_tool.c:1170
1170 free(hosts0);
(gdb) p hosts0
$1 = (struct host_list *) 0x2822b050
(gdb) p *hosts0
$2 = {host = 0x28229bb0 "2002:4e08:934d:0:dddd:6f1d:c9dc:459a", next = 0x2822b058}
With -O it works fine.
BTW, your makefile has hardcoded CFLAGS and ignores whatever is passed by ports.