Date: Sat, 1 May 2010 21:23:14 -0700
From: Alfred Perlstein <alfred@freebsd.org>
To: Ed Schouten <ed@80386.nl>
Cc: freebsd-arch@FreeBSD.org
Subject: Re: [Extension] utmpx and LOGIN_FAILURE
Message-ID: <20100502042314.GV36233@elvis.mu.org>
In-Reply-To: <20100501124544.GR56080@hoeg.nl>
References: <20100501124544.GR56080@hoeg.nl>

* Ed Schouten <ed@80386.nl> [100501 06:05] wrote:
> Hi all,
>
> Some time ago I noticed some operating systems offer an interface called
> btmp, which is essentially a wtmp for logging failed login attempts.
> Instead of taking the same approach, I'd rather do something as follows:
>
> http://80386.nl/pub/utmpx-login_failure.diff.txt
>
> This patch adds a new utmpx log entry type called LOGIN_FAILURE.
> Unfortunately we are the only operating system that does it this way,
> but I suspect if we can already get OpenSSH and PAM to use this
> interface, we've got reasonable coverage. The patch only has the
> modifications for OpenSSH.
>
> An example of what this looks like:
>
> | $ last | grep failed
> | sdlfkjdf mekker.80386.nl Sat May 1 14:14 login failed
>
> The idea behind having this, is to make logging of such failed attempts
> more generic and easier to obtain. It would be quite nice if
> applications like DenyHosts can simply harvest this database using
> getutxent(3), instead of using all sorts of regular expressions on the
> log files.
>
> Any thoughts on this subject?

I am obviously not too familiar with this code, but I am worried
that unless done properly we could be vulnerable to DoS or obliterating
records by flooding the logging facility.

I'm also wondering why we're going to diverge from other *nix, is there
added value to diverging from what others do?

-- 
- Alfred Perlstein
.- AMA, VMOA #5191, 03 vmax, 92 gs500, 85 ch250, 07 zx10
.- FreeBSD committer
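
An added illustration (not part of either message and not code from the linked patch) of the per-host harvesting the quoted proposal describes, with a fixed-size table so that a flood of records, the concern raised in the reply, cannot grow the consumer's memory. It tallies records already held in memory instead of calling getutxent(3); the LOGIN_FAILURE value 100, MAX_HOSTS, tally_failures, mk and demo are assumptions of this sketch, and the sample records are constructed.

```c
#include <string.h>
#include <utmpx.h>
/* Placeholder: the thread's proposed type is assumed absent from <utmpx.h>; 100 is made up. */
#ifndef LOGIN_FAILURE
#define LOGIN_FAILURE 100
#endif
#define MAX_HOSTS 64
#define HOSTLEN (sizeof(((struct utmpx *)0)->ut_host))
struct host_tally { char host[HOSTLEN + 1]; unsigned failures; };

/* Tally LOGIN_FAILURE per ut_host; hosts past cap add to *dropped, so memory stays bounded. */
size_t tally_failures(const struct utmpx *recs, size_t n,
                      struct host_tally *out, size_t cap, unsigned *dropped) {
    size_t used = 0, j;
    for (size_t i = 0; i < n; i++) {
        char host[HOSTLEN + 1] = {0};
        if (recs[i].ut_type != LOGIN_FAILURE) continue;
        memcpy(host, recs[i].ut_host, HOSTLEN);  /* field may lack a NUL */
        for (j = 0; j < used && strcmp(out[j].host, host) != 0; j++) {}
        if (j == used) {                         /* first record for this host */
            if (used == cap) { (*dropped)++; continue; }
            strcpy(out[used++].host, host);
            out[j].failures = 0;
        }
        out[j].failures++;
    }
    return used;
}

/* Build one constructed record; unused fields stay zero. */
static struct utmpx mk(short type, const char *host) {
    struct utmpx u = { .ut_type = type };
    strncpy(u.ut_host, host, sizeof u.ut_host);
    return u;
}

/* Constructed sample: returns the failures for host, or the drop count if host is NULL. */
unsigned demo(const char *host, size_t cap) {
    const char *a = "mekker.80386.nl", *b = "host.example";
    struct utmpx r[] = { mk(LOGIN_FAILURE, a), mk(USER_PROCESS, a), mk(LOGIN_FAILURE, a),
                         mk(LOGIN_FAILURE, b), mk(LOGIN_FAILURE, a) };
    struct host_tally t[MAX_HOSTS];
    unsigned dropped = 0;
    if (cap > MAX_HOSTS) cap = MAX_HOSTS;        /* never exceed the local table */
    size_t n = tally_failures(r, sizeof r / sizeof r[0], t, cap, &dropped);
    for (size_t i = 0; host && i < n; i++)
        if (strcmp(t[i].host, host) == 0) return t[i].failures;
    return host ? 0 : dropped;
}
```

A real consumer would fill the record array from a getutxent(3) loop and act on hosts whose count crosses a threshold; a non-zero drop count is itself worth alerting on.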