From: "M. Warner Losh" <imp@bsdimp.com>
To: alfred@freebsd.org
Cc: ed@80386.nl, freebsd-arch@freebsd.org
Subject: Re: [Extension] utmpx and LOGIN_FAILURE
Date: Sun, 02 May 2010 02:15:04 -0600 (MDT)
Message-Id: <20100502.021504.821837081304738288.imp@bsdimp.com>
In-Reply-To: <20100502042314.GV36233@elvis.mu.org>
References: <20100501124544.GR56080@hoeg.nl> <20100502042314.GV36233@elvis.mu.org>
List-Id: Discussion related to FreeBSD architecture

In message: <20100502042314.GV36233@elvis.mu.org>
            Alfred Perlstein writes:
: * Ed Schouten [100501 06:05] wrote:
: > Hi all,
: >
: > Some time ago I noticed some operating systems offer an interface called
: > btmp, which is essentially a wtmp for logging failed login attempts.
: > Instead of taking the same approach, I'd rather do something as follows:
: >
: > http://80386.nl/pub/utmpx-login_failure.diff.txt
: >
: > This patch adds a new utmpx log entry type called LOGIN_FAILURE.
: > Unfortunately we are the only operating system that does it this way,
: > but I suspect if we can already get OpenSSH and PAM to use this
: > interface, we've got reasonable coverage. The patch only has the
: > modifications for OpenSSH.
: >
: > An example of what this looks like:
: >
: > | $ last | grep failed
: > | sdlfkjdf mekker.80386.nl Sat May 1 14:14 login failed
: >
: > The idea behind having this is to make logging of such failed attempts
: > more generic and easier to obtain. It would be quite nice if
: > applications like DenyHosts could simply harvest this database using
: > getutxent(3), instead of using all sorts of regular expressions on the
: > log files.
: >
: > Any thoughts on this subject?
:
: I am obviously not too familiar with this code, but I am worried
: that unless done properly we could be vulnerable to DoS or obliterating
: records by flooding the logging facility.
:
: I'm also wondering why we're going to diverge from other *nix; is
: there added value to diverging from what others do?

Also, we don't want to log usernames that failed to login, I don't
think. Or at least make it optional. Otherwise, you'll get records
like:

sdlfkjdf mekker.80386.nl Sat May 1 14:14 login failed
ed       mekker.80386.nl Sat May 1 14:14

which makes it a safe bet that ed's password is sdlfkjdf.

Warner