LinuxQuestions.org
Forum: Linux - Security. This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 08-17-2007, 08:22 AM   #1
TBKDan (Member)
Disable PAM reverse lookups?


First off, I'm using CentOS 5. I've got a vsftpd server running and I'm trying to get fail2ban to ban anybody who fails 5 times. This works, except for people who have incorrect pointer records for their IP address. PAM looks it up, places it in /var/log/secure, and fail2ban cannot resolve it, so it cannot ban it. An example log output is:

vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=147.60-199-244.yam.com

I want to have the output of just the IP address so that these friggin' morons can get banned properly. This is a Linux box, not Windows... 5000+ failed logins for Administrator is just sad. If anybody has any ideas, please let me know. Thanks! Here's some more info:

# cat /etc/pam.d/vsftpd
#%PAM-1.0
session optional pam_keyinit.so force revoke
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth required pam_shells.so
auth include system-auth
account include system-auth
session include system-auth
session required pam_loginuid.so

# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
 
Old 08-20-2007, 12:19 PM   #2
unSpawn (Moderator)
Quote: fail2ban cannot resolve it, so it cannot ban it.
In this case yam.com owns 60.199.244.0/something so "147.60-199-244.yam.com" = 60.199.244.147, but that doesn't say a thing. Maybe fail2ban can be altered to block if it can't reverse resolve the addy?
 
Old 08-20-2007, 12:20 PM   #3
TBKDan (Member, Original Poster)
But how can it block it when it cannot resolve it? PAM is logging the reverse-lookup, which is invalid.
 
Old 08-20-2007, 06:42 PM   #4
unSpawn (Moderator)
Quote: But how can it block it when it cannot resolve it?
The way TCP/IP works no client presents itself to your FTP host as "147.60-199-244.yam.com" but as IP address "60.199.244.147". So the FTP daemon knows the IP address, but somewhere something is doing some resolving only to be able to log the resolved name instead of the IP address. However, I can't find any module switch to keep PAM from resolving this. Maybe add iptables rules with the "recent" module as backup.
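An added worked example, written for this page and not taken from the thread, from fail2ban or from PAM, that ties posts #1 and #4 together. It runs a fail2ban-style filter over constructed log lines in the format quoted in post #1, tallies authentication failures per rhost= value, and bans IP literals directly. pam_unix itself only logs the remote-host string the calling service handed to it, so the filter has to work with whatever lands in the log. For hostnames the example deliberately does not trust a plain forward lookup: the PTR name in the log is chosen by whoever controls the reverse zone for the attacker's address, and it could be pointed at any IP you would then ban. It only bans an address that passes forward-confirmed reverse DNS (the name resolves to the address and the address resolves back to the name) and reports everything else as unbannable. The DNS tables are constructed stand-ins for a real resolver, the example.net/example.org names and the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses are documentation ranges, the log lines are made up apart from the one hostname quoted in post #1, and the threshold of 5 is the one the original poster wanted.

```python
import ipaddress
import re
from collections import Counter
from typing import Callable, Dict, List, Optional, Tuple

# Matches the pam_unix failure line quoted in post #1 and captures whatever
# the service handed PAM as the remote host (an IP literal or a PTR name).
RHOST_RE = re.compile(
    r"pam_unix\(vsftpd:auth\): authentication failure;.*?\brhost=(?P<rhost>\S+)"
)

ForwardLookup = Callable[[str], List[str]]      # name -> A/AAAA records
ReverseLookup = Callable[[str], Optional[str]]  # ip -> PTR name


def parse_rhost(line: str) -> Optional[str]:
    """Return the rhost= value of a vsftpd pam_unix auth-failure line, else None."""
    m = RHOST_RE.search(line)
    return m.group("rhost") if m else None


def is_ip_literal(value: str) -> bool:
    """True for an IPv4/IPv6 literal, False for a name like 147.60-199-244.yam.com."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def confirmed_addresses(name: str, forward: ForwardLookup,
                        reverse: ReverseLookup) -> List[str]:
    """Forward-confirmed reverse DNS: keep only addresses that resolve back to name.

    The logged PTR name is controlled by the attacker's reverse zone, so banning
    whatever it forward-resolves to would let them choose the victim address.
    """
    return [ip for ip in forward(name) if reverse(ip) == name]


def ban_candidates(log_text: str, threshold: int, forward: ForwardLookup,
                   reverse: ReverseLookup) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Tally failures per rhost; return (ip -> count to ban, unbannable name -> count)."""
    failures: Counter = Counter()
    for line in log_text.splitlines():
        rhost = parse_rhost(line)
        if rhost is not None:
            failures[rhost] += 1
    bans: Dict[str, int] = {}
    unresolved: Dict[str, int] = {}
    for rhost, count in failures.items():
        if count < threshold:
            continue
        if is_ip_literal(rhost):
            bans[rhost] = count          # address known: ban it as-is
            continue
        ips = confirmed_addresses(rhost, forward, reverse)
        if ips:
            for ip in ips:
                bans[ip] = count         # name confirmed both ways: safe to ban
        else:
            unresolved[rhost] = count    # what fail2ban could not act on in post #1
    return bans, unresolved


# Constructed sample input (not real log data); only the yam.com name is from the thread.
def _line(rhost: str) -> str:
    return ("Aug 17 08:22:00 ftp1 vsftpd: pam_unix(vsftpd:auth): authentication failure; "
            f"logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost={rhost}")


SAMPLE_LOG = "\n".join(
    [_line("147.60-199-244.yam.com")] * 5   # the stub resolver knows nothing about it
    + [_line("203.0.113.5")] * 5            # plain IP literal: bannable as-is
    + [_line("host-77.example.net")] * 5    # PTR name that forward-confirms
    + [_line("bogus-ptr.example.org")] * 5  # PTR name whose forward record does not confirm
    + [_line("203.0.113.6")] * 2            # under the threshold
)

# Stub DNS tables standing in for real lookups so the example runs offline.
FAKE_FORWARD = {"host-77.example.net": ["192.0.2.77"],
                "bogus-ptr.example.org": ["198.51.100.9"]}
FAKE_REVERSE = {"192.0.2.77": "host-77.example.net",
                "198.51.100.9": "mail.example.org"}   # does not point back: unconfirmed


def fake_forward(name: str) -> List[str]:
    return FAKE_FORWARD.get(name, [])


def fake_reverse(ip: str) -> Optional[str]:
    return FAKE_REVERSE.get(ip)


if __name__ == "__main__":
    bans, unresolved = ban_candidates(SAMPLE_LOG, 5, fake_forward, fake_reverse)
    for ip, n in sorted(bans.items()):
        print(f"ban {ip} ({n} failures)")
    for name, n in sorted(unresolved.items()):
        print(f"cannot ban safely: rhost={name} ({n} failures)")
```

On a live box the two stub lookups can be swapped for socket.getaddrinfo and socket.gethostbyaddr. Whatever ends up in the unresolved set is exactly the population fail2ban could not act on in the original complaint, and it is where a stateless fallback at the packet level, such as the iptables "recent" module suggested above, would have to take over, since that layer sees the source address before any name resolution happens.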
 
Old 08-24-2007, 11:09 AM   #5
TBKDan (Member, Original Poster)
Gah, didn't email me on this reply. Anyway, I know that the FTP server knows the IP address, but the log entries are coming from PAM failing authentication. I was looking around in PAM as well, couldn't find anything of much use. I'm not the only person with this problem, as shown in the fail2ban mailing list. I wonder why they have it log the reverse lookup instead of the IP...
 
Old 08-31-2007, 07:47 AM   #6
TBKDan (Member, Original Poster)
So anybody have any ideas on a possible resolution for this issue?