The following text is the file README
from the package.
Eble vi volas legi la Esperantan version.
This is a pam module that helps to defend your castle, by closing the gate for visitors that repeatedly unsuccesfully try to come in.
This program is licensed GNU GPL (see COPYING
).
The language is Esperanto. To start using it, delete the line #define
UTF8 1
in pam_siegho.c
(i suppose you want the non UTF-8 version,
without the strange letters ĉ, ĝ, ĥ, ĵ, ŝ and ŭ), and write:
$make
$su -c 'cp pam_siegho.so /lib/security' # location of the pam libraries
Then add a line for the services for which you want to use
attack-protection to the pam comfiguration file (/etc/pam.d/service
or
/etc/pam.conf
) auth require pam_siegho.so
or auth requisite
pam_siegho.so
. If you use require
, pam will always ask for a
password (or another way of authentication), whether or not the
visitor already tried too many times; with requisite
, the visitor
will immediately be barred out (en the latter case, be sure to place
the line before the other authentication methods, like a password).
An example:
auth requisite pam_siegho.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
You should also make a ruleset for pam_siegho in /etc/siegho
(you can
change the default location in pam_siegho.c
or by adding an argument
regularo=path
to the module line in the pam configuration). The
regularo can be a normal file or a folder. If it is a folder, the
file with the name of the pam service in the folder will be used, or
aliaj
(others) if it doesn't exist. The settings you can make are
the following (if you don't specify a setting, the values given here
will be used; lines starting with #
are comments):
notlibro=/var/log/sieĝo
# Where to remember the timo (fear)
rekonajho=armeo
# How to recognise the visitor (not all services define everything;
# you cannot use undefined rekonajhoj). This is a list of
# recognisation things, separated by comma's (,). The possible
# rekonajhoj are:
# * anonco (USER: who the visitor pretends to be
# * militisto (RUSER: name of the visitor on the remote computer)
# * armeo (RHOST: DNS name of the coputer of the visitor)
# You should be aware that a visitor can pretend whatever he wants for
# anonco, en maybe also for militisto. The armeo (DNS name) can change
# from time to time with dynamic IP addresses.
# So, if you want to count the tries of one man from one coputer, to
# come in as one user, write:
#rekonajho=anonco,militisto,armeo
timemo=1m
# How long to remember tries (s=seconds, m=minutes, h=hours, t=days).
limo=10
# Number of tries.
dauro=1t
# Time to ban out a visitor if the timo exceeds the limo.
ago=
# Action when the visitor is barred out.
# To send an e-mail, use:
#ago=echo "$MILITISTO@$ARMEO --> $ANONCO tried too many times to get in" | mail -s "barred out $ARMEO" root
For every visitor, the time of the last try and the timo (fear) is remembered (in the notlibro). Every time a visitor tries to get in (when pam is called), the timo increases by one unit , and decreases by one unit for each time timemo passed since the last try. If after that the timo exceeds the limo, the visitor will not be able to come in and the ago will be executed. If the visitor, while he is barred out, tries to come in before the dauro passed, the time of the last try is updated (so he will have to wait the whole dauro again), but the ago isn't done again. After a successful login, the guard becomes quiet about that visitor again (the timo becomes 0).
We'll look at an example: rekonajho is armeo ago is to send an email to root, timemo is one minute, limo is 10 en dauro is one day.
---after two minutes---
---after half a day---
---after half a day---
---after two days---
A way to use this is to protect you ssh (or another) server against attacks from people who try to guess a password. Set rekonajho to armeo (the remote host). With ipset (see http://ipset.netfilter.org/), you can then have an action to add the remote host to an ip set with timeout one day (or so), and in your iptable rules, add a rule which blocks packets from that addresses.
If you found a bug, have ideas for improvements, really want to tell
some story related to this little program, ... contact the author (por
program changes, patches are welcome, of course): Maarten Deprez
<maartendeprez at users dot sourceforge dot net
>.