From: Ed Schouten
To: freebsd-arch@FreeBSD.org
Date: Sat, 1 May 2010 14:45:44 +0200
Subject: [Extension] utmpx and LOGIN_FAILURE

Hi all,

Some time ago I noticed some operating systems offer an interface called btmp, which is essentially a wtmp for logging failed login attempts. Instead of taking the same approach, I'd rather do something as follows:

http://80386.nl/pub/utmpx-login_failure.diff.txt

This patch adds a new utmpx log entry type called LOGIN_FAILURE. Unfortunately we are the only operating system that does it this way, but I suspect if we can already get OpenSSH and PAM to use this interface, we've got reasonable coverage. The patch only has the modifications for OpenSSH.

An example of what this looks like:

| $ last | grep failed
| sdlfkjdf mekker.80386.nl Sat May 1 14:14 login failed

The idea behind having this, is to make logging of such failed attempts more generic and easier to obtain. It would be quite nice if applications like DenyHosts can simply harvest this database using getutxent(3), instead of using all sorts of regular expressions on the log files.

Any thoughts on this subject?

-- 
Ed Schouten
WWW: http://80386.nl/
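
The kind of harvesting the message has in mind, sketched as an added example that is not part of the original mail or of the patch: a per-host tally of LOGIN_FAILURE records read through getutxent(3). It assumes a system with the patch applied; the numeric value 100 for `LOGIN_FAILURE` is a placeholder (the mail does not give it), and `count_failure`, `constructed_demo`, `struct tally` and the table size are hypothetical names chosen here.

```c
#include <stdio.h>
#include <string.h>
#include <utmpx.h>

#ifndef LOGIN_FAILURE
#define LOGIN_FAILURE 100 /* placeholder: the mail does not give the patch's value */
#endif
#define HOSTLEN sizeof(((struct utmpx *)0)->ut_host)
#define MAX_HOSTS 256
static struct tally { char host[HOSTLEN + 1]; unsigned failures; } table[MAX_HOSTS];

/* Count one record; returns the host's running total (0 = ignored or table full). */
static unsigned count_failure(struct tally *t, size_t *n, const struct utmpx *u)
{
    char host[HOSTLEN + 1] = "";
    if (u->ut_type != LOGIN_FAILURE)
        return 0;
    memcpy(host, u->ut_host, HOSTLEN); /* ut_host need not be NUL-terminated */
    for (size_t i = 0; i < *n; i++)
        if (strcmp(t[i].host, host) == 0)
            return ++t[i].failures;
    if (*n == MAX_HOSTS)
        return 0;
    strcpy(t[*n].host, host);
    return t[(*n)++].failures = 1;
}

/* Constructed input: one normal login, then `k` failed logins from `host`. */
static unsigned constructed_demo(const char *host, unsigned k)
{
    struct utmpx u = { .ut_type = USER_PROCESS };
    size_t n = 0;
    strncpy(u.ut_host, host, HOSTLEN - 1);
    unsigned total = count_failure(table, &n, &u); /* 0: a normal login */
    for (u.ut_type = LOGIN_FAILURE; k > 0; k--)
        total = count_failure(table, &n, &u);
    return total;
}

int main(void)
{
    size_t n = 0;
    printf("constructed sample: %u failures\n", constructed_demo("mekker.80386.nl", 3));
    for (struct utmpx *u; (u = getutxent()) != NULL; ) /* live utmpx database */
        count_failure(table, &n, u);
    endutxent();
    for (size_t i = 0; i < n; i++)
        printf("%-32s %u\n", table[i].host, table[i].failures);
    return 0;
}
```

On a system without the patch the live loop finds no matching records and only the constructed sample line is printed.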