-   Linux - Security (
-   -   Disable PAM reverse lookups? (

TBKDan 08-17-2007 08:22 AM

Disable PAM reverse lookups?
First off, I'm using CentOS 5. I've got a vsftpd server running and I'm trying to get fail2ban to ban anybody who failed 5 times. This works, except for people who have incorrect pointer records for their IP address. PAM looks it up, places it in the /var/log/secure, and fail2ban cannot resolve it, so it cannot ban it. An example log output is:

vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator

I want to have the output of just the IP address so that these friggin morons can get banned properly. This is a Linux box, not Windows... 5000+ failed logins for Administrator is just sad. If anybody has any ideas, please let me know :) Thanks! Here's some more info:

# cat /etc/pam.d/vsftpd
session optional force revoke
auth required item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth required
auth include system-auth
account include system-auth
session include system-auth
session required

# cat /etc/pam.d/system-auth
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required
auth sufficient nullok try_first_pass
auth requisite uid >= 500 quiet
auth required
account required
account sufficient uid < 500 quiet
account required
password requisite try_first_pass retry=3
password sufficient md5 shadow nullok try_first_pass use_authtok
password required
session optional revoke
session required
session [success=1 default=ignore] service in crond quiet use_uid
session required

unSpawn 08-20-2007 12:19 PM

fail2ban cannot resolve it, so it cannot ban it.
In this case owns so "" =, but that doesn't say a thing. Maybe fail2ban can be altered to block if it can't reverse resolve the addy?

TBKDan 08-20-2007 12:20 PM

But how can it block it when it cannot resolve it? PAM is logging the reverse-lookup, which is invalid.

unSpawn 08-20-2007 06:42 PM

But how can it block it when it cannot resolve it?
The way TCP/IP works no client presents itself to your FTP host as "" but as IP address "". So the FTP daemon knows the IP address, but somewhere something is doing some resolving only to be able to log the resolved name instead of the IP address. However, I can't find any module switch to keep PAM from resolving this. Maybe add iptables rules with the "recent" module as backup.

TBKDan 08-24-2007 11:09 AM

Gah, didn't email me on this reply. Anyway, I know that the FTP server knows the IP address, but the log entries are coming from PAM failing authentication. I was looking around in PAM as well, couldn't find anything of much use. I'm not the only person with this problem, as shown in the fail2ban mailing list. I wonder why they have it log the reverse lookup instead of the IP...

TBKDan 08-31-2007 07:47 AM

So anybody have any ideas on a possible resolution for this issue?

All times are GMT -5. The time now is 08:08 AM.