Disable PAM reverse lookups?
First off, I'm using CentOS 5. I've got a vsftpd server running and I'm trying to get fail2ban to ban anybody who failed 5 times. This works, except for people who have incorrect pointer records for their IP address. PAM looks it up, places it in the /var/log/secure, and fail2ban cannot resolve it, so it cannot ban it. An example log output is:
vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=147.60-199-244.yam.com
I want to have the output of just the IP address so that these friggin morons can get banned properly. This is a Linux box, not Windows... 5000+ failed logins for Administrator is just sad. If anybody has any ideas, please let me know :) Thanks! Here's some more info:
# cat /etc/pam.d/vsftpd
session optional pam_keyinit.so force revoke
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth required pam_shells.so
auth include system-auth
account include system-auth
session include system-auth
session required pam_loginuid.so
# cat /etc/pam.d/system-auth
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
fail2ban cannot resolve it, so it cannot ban it.
In this case yam.com owns 18.104.22.168/something so "147.60-199-244.yam.com" = 22.214.171.124, but that doesn't say a thing. Maybe fail2ban can be altered to block if it can't reverse resolve the addy?
But how can it block it when it cannot resolve it? PAM is logging the reverse-lookup, which is invalid.
But how can it block it when it cannot resolve it?
The way TCP/IP works no client presents itself to your FTP host as "147.60-199-244.yam.com" but as IP address "126.96.36.199". So the FTP daemon knows the IP address, but somewhere something is doing some resolving only to be able to log the resolved name instead of the IP address. However, I can't find any module switch to keep PAM from resolving this. Maybe add iptables rules with the "recent" module as backup.
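To make the problem concrete, here is an added Python example (not code from this thread and not fail2ban's own filter) that parses the pam_unix failure line quoted above the way a fail2ban filter would, counts failures per rhost, and shows that a hostname in rhost cannot be banned unless something resolves it first; the log lines and the resolver stub are constructed for the example.

```python
import re
import ipaddress
from collections import Counter

# Pattern modelled on the pam_unix line quoted in the thread.
PAM_FAIL_RE = re.compile(
    r"pam_unix\(vsftpd:auth\): authentication failure;.*?"
    r"\bruser=(?P<ruser>\S*)\s+rhost=(?P<rhost>\S+)"
)


def pam_line(rhost, ruser="Administrator"):
    """Build a constructed /var/log/secure line in the format PAM uses."""
    return ("Mar  1 10:00:01 ftp vsftpd: pam_unix(vsftpd:auth): authentication "
            "failure; logname= uid=0 euid=0 tty=ftp ruser=%s rhost=%s" % (ruser, rhost))


# Constructed sample log: one host logged by its PTR name, two by IP (documentation range).
SAMPLE_LOG = "\n".join(
    [pam_line("147.60-199-244.yam.com")] * 6
    + [pam_line("192.0.2.10")] * 5
    + [pam_line("192.0.2.11")] * 2
)


def parse_rhost(line):
    """Return the rhost field of a pam_unix failure line, or None if it is not one."""
    m = PAM_FAIL_RE.search(line)
    return m.group("rhost") if m else None


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def evaluate(log_text, maxretry=5, resolver=None):
    """Tally failures per rhost and split hosts over the threshold into
    (bannable {ip: count}, unresolved {hostname: count}).
    resolver is an optional callable hostname -> ip (hypothetical stub here).
    Caveat: the rhost name is whatever the remote IP's owner put in its PTR
    record, so forward-resolving it can point at a different, innocent IP."""
    failures = Counter(r for r in map(parse_rhost, log_text.splitlines()) if r)
    bannable, unresolved = {}, {}
    for rhost, n in failures.items():
        if n < maxretry:
            continue
        if is_ip(rhost):
            bannable[rhost] = n
        elif resolver is not None and resolver(rhost):
            bannable[resolver(rhost)] = n
        else:
            unresolved[rhost] = n
    return bannable, unresolved
```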
Gah, didn't email me on this reply. Anyway, I know that the FTP server knows the IP address, but the log entries are coming from PAM failing authentication. I was looking around in PAM as well, couldn't find anything of much use. I'm not the only person with this problem, as shown in the fail2ban mailing list. I wonder why they have it log the reverse lookup instead of the IP...
So anybody have any ideas on a possible resolution for this issue?