
pppd: How to limit number of failed password attempts?


bgarlock
Jan 23, 2002
I would like to do two things, on a PPTP server that I run, which of course uses pppd. I use the server to serve VPN clients. Since the PPTP server has very bad password encryption, I would like to limit the number of failed login attempts to the server.

I was thinking that I could somehow, use the maxfail option to do this. In addition to limiting the number of failed logon attempts, I would like to blacklist the IP address of the client IP, since they are more than likely trying to brute force their way in to the server.

Can someone help me out with any scripts that can be used to do this? I am also wondering how I can figure out what variables are assigned during the logon process. For example, how do I get the client IP address, and pass that as a variable to another script?

Does /etc/ppp/ip-up execute before the client is authenticated, or after? If it is before, I could probably do most of my stuff in /etc/ppp/ip-up.local, but I am not sure exactly when they get executed during the ppp negotiation.

Thanks for any help!

- Bruce Garlock

Bruce Garlock
bruce@bgarlock.com
 
Well, I guess I could try to use PAM for this. I have not used PAM for ppp sessions in the past, but this may be worth a try. I will try to configure ppp for PAM, and see what happens.

I am also thinking of using swatch to monitor my log file for failed attempts, and then executing a script to blacklist the IP. I just need to figure out what variable the IP address is passed as, and how I can grab it before the user authenticates.

Thanks for the link. This may help me out.

I would love to hear any other ideas on how to accomplish what I am trying to do here.

- Bruce Garlock

Bruce Garlock
bruce@bgarlock.com
 
I just recompiled my heavily hacked up version of ppp with PAM support, and I have verified that it is linked to PAM:

[root@hendrix ppp]# ldd /usr/sbin/pppd
libpam.so.0 => /lib/libpam.so.0 (0x00fce000)
libdl.so.2 => /lib/libdl.so.2 (0x00abf000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x001a4000)
libc.so.6 => /lib/tls/libc.so.6 (0x0069a000)
liblaus.so.1 => /lib/liblaus.so.1 (0x00d44000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x002d2000)


But, I cannot seem to have any PAM support working properly. For example, I just wanted to disable my username, as a test to make sure that PAM support was working properly, so I put the following in /etc/security/access.conf:

-:bruceg:ALL

My /etc/pam.d/ppp file is as follows:

#%PAM-1.0
auth required pam_nologin.so
auth required pam_pwdb.so shadow nullok
account required pam_pwdb.so
account required pam_access.so
password required pam_cracklib.so retry=2
session required pam_pwdb.so


I am a little new to using PAM, so what is wrong with my config?

Thanks..


Bruce Garlock
bruce@bgarlock.com
 
Thanks for the link. I am familiar with CHAP vs. PAP. I think I may just figure a way to log all ppp and pptpd messages to a file, and then use 'swatch' to look for authentication failures, and then run a script that would blacklist the client IP. The trouble is figuring out two consecutive logon attempts. Maybe I will just allow only one failure. That could be a bit tricky though, since if even I made a typo, I would be locked out, and have to modem in to take my IP off the blacklist.

Using a Radius server may also give me some more possibilities, but from what I have seen so far, Radius seems to only support PAP.

I think the swatch method may be the best. Or, I may just bite the bullet and switch to a more secure VPN server. Anyone have any ideas of a good VPN server that runs on Linux, and supports *all* the different Windows OS's, and Mac OS X? PPTP is by far the easiest, and client setup is a cinch, but it is just so riddled with security holes.

- Bruce


Bruce Garlock
bruce@bgarlock.com
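One way to implement the log-watching approach discussed in this thread, as an added example that is not from the original poster: a Python script that counts pppd authentication failures per client address inside a sliding time window, skips an allowlist so the administrator's own typo cannot lock him out, and emits the iptables rules that would drop further traffic from offenders. The log wording matched by FAIL_RE, the year used for the syslog timestamps and the sample lines are all assumptions; adapt the regex to what pppd and pptpd actually write on the system.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log format (not pppd's exact wording): syslog timestamp, host,
# pppd[pid], and a failure message that carries the client address.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ pppd\[\d+\]: "
    r"CHAP authentication failed for client (?P<ip>\d+\.\d+\.\d+\.\d+)$"
)

# Constructed sample log: three quick failures from one host, one from another.
SAMPLE_LOG = """\
Jan 23 10:00:01 hendrix pptpd[2001]: CTRL: Client 203.0.113.7 control connection started
Jan 23 10:00:02 hendrix pppd[2002]: CHAP authentication failed for client 203.0.113.7
Jan 23 10:00:04 hendrix pppd[2003]: CHAP authentication failed for client 203.0.113.7
Jan 23 10:00:06 hendrix pppd[2004]: CHAP authentication failed for client 203.0.113.7
Jan 23 10:05:00 hendrix pppd[2005]: CHAP authentication failed for client 198.51.100.9
"""

def parse_ts(text, year=2002):
    # syslog lines carry no year; the caller supplies it (assumed 2002 here)
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def find_offenders(lines, max_failures=3, window_s=300, allowlist=()):
    """Return {ip: time of the failure that crossed the threshold}.
    Reports an address once it has max_failures failures inside a sliding
    window_s-second window; addresses in allowlist (e.g. the admin's own
    address) are never reported, so a typo there cannot lock the admin out."""
    recent = defaultdict(deque)   # ip -> timestamps of failures in the window
    blocked = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m or m["ip"] in allowlist:
            continue
        ts = parse_ts(m["ts"])
        q = recent[m["ip"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= max_failures and m["ip"] not in blocked:
            blocked[m["ip"]] = ts
    return blocked

def iptables_rules(blocked):
    # Rules that drop further traffic from each offender; review before applying.
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(blocked)]
```

Run it from a swatch action or a cron job over the relevant log file and apply the returned rules; remember that a blocked address also needs an expiry or a manual unblock path.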
 